For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
A bit of a near-hit for the software engineering world
A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.
For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.
This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."
This is good news, because according to Aqua Security researchers, exploitation would have had a massive impact on "basically everyone." In effect, this is a near hit for the industry as miscreants could have exploited the hole to exfiltrate cloud credentials from private repos or potentially tamper with software projects.
"Every company that uses GitHub and has a GitHub App installed (basically everyone) could potentially be affected by this," Aqua security researcher Gal Singer wrote in an analysis this week. The cloud-native security company privately alerted GitHub to fix the oversight.
"Following the report, we thoroughly investigated the bug to identify possible paths of exploitation," a GitHub spokesperson said, in response to questions about the bug. In lieu of publishing a security advisory for all to see, GitHub sent a notice to all of its customers, adding: "We do not have any evidence to suggest that GitHub or customer data was impacted."
The GitHub Apps system allows applications to integrate with the source-code warehouse so that developers can add features, automate processes, and extend projects' workflows. These third-party apps can also be bought and shared in the GitHub Marketplace, and some of the most popular ones have thousands if not millions of installs.
- Travis CI exposes free-tier users' secrets – new claim
- Supply chain attacks will get worse: Microsoft Security Response Center boss
- CIOs largely believe their software supply chain is vulnerable
- What keeps Mandiant Intelligence EVP Sandra Joyce up at night? The coming storm
GitHub Apps authenticate using tokens, and according to Aqua herein lies the problem.
Here's the way it's supposed to work: GitHub Apps create and use scoped installation tokens based on the permissions granted to them when a user or organization installs the app.
As Singer explained:
For example, if you granted it access to read a user's profile data, the scoped token the app generates would have the 'read:user' permission.
However, a flaw in GitHub's own code between February 25 and March 2 could have been exploited by an app to generate a token with an overly permissive scope. This could have allowed an app, which should have generated a token that only allowed read-access, to elevate the permission to
In a worst-case scenario, every newly generated token during that time frame could have been stepped up to grant the app administrator access, Singer noted:
If a software vendor's private repository that contains their source code and intellectual property was leaked or deleted, this could literally mean the end of that company.
The bug also highlights the larger security risk posed by third-party applications, libraries, and packages to software supply chains, he added.