UPDATED 12:38 EDT / JUNE 23 2023

Millions of GitHub projects found vulnerable to exploit

Thousands of open-source code repositories on GitHub could be vulnerable to an old exploit, according to a report from Aqua Security Software Ltd.’s Nautilus research team published this week.

Aqua analyzed a sample of more than a million GitHub code repositories and found that almost 3% were vulnerable to an attack called repojacking, in which bad actors take control of an entire GitHub project or a particular piece of software. The issue is that organizations that own these projects sometimes change their name, and links that use the older account name then keep working by pointing to the new one.

This is a convenience feature to help developers — but attackers can weaponize it, as Aqua discovered. “GitHub has made attempts to block repojacking over the years, yet there are still some issues with these protections,” the researchers wrote in their blog post. “They remain incomplete and can be bypassed by attackers.”

If these attacks are successful, malware could be inserted into these repositories, threatening software supply chains. Aqua demonstrated a variety of techniques, using both manual and automated methods, to carry out these attacks.

Repojacking isn’t a new technique: Checkmarx Ltd. wrote about it a year ago in this post. At that time, it claimed that thousands of projects were vulnerable to this takeover. That still seems to be the case.

Some of the accounts found by Aqua belong to major companies, such as Google LLC and Lyft Inc. The company notified all vulnerable account holders before publicly disclosing its results. Aqua found more than 36,000 vulnerable repositories in its sample of GitHub log histories from June 2019.

One caveat is that this data predates the Checkmarx research, so some of the account owners may already have taken steps to protect themselves. That is what happened with both Lyft’s and Google’s accounts: when contacted by the Aqua researchers, both companies said the respective repositories weren’t in current use. Still, both took each of these projects offline as an extra precaution.

Aqua recommends that organizations establish a regular program to check their GitHub repositories for links that go to external accounts, and make sure that naming conventions are valid. “If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it,” researchers said.
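As an added, defender-side illustration of that recommendation (this is example code written for this page, not part of the Aqua report or of GitHub’s tooling): a small Python check that extracts GitHub owner/repo references from a dependency manifest and flags those that only resolve through a rename redirect, or no longer resolve at all. The organization names (acme-old, acme-inc, stable-org, gone-corp), the manifest excerpt and the redirect table are all constructed, and the resolver is injected so the check runs offline.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# github.com/<owner>/<repo> in https, ssh and Go module forms; drops .git, stops before "@v2" or " v1.2.0".
GITHUB_REF = re.compile(r'github\.com[/:]([\w.-]+)/([\w.-]+?)(?:\.git)?(?![\w.-])')

def extract_refs(manifest: str) -> List[Tuple[str, str]]:
    """Unique (owner, repo) pairs referenced in manifest text, in order of appearance."""
    refs: List[Tuple[str, str]] = []
    for match in GITHUB_REF.finditer(manifest):
        ref = (match.group(1), match.group(2))
        if ref not in refs:
            refs.append(ref)
    return refs

def audit(manifest: str,
          resolve: Callable[[str, str], Optional[Tuple[str, str]]]) -> Dict[str, str]:
    """Classify each reference as 'ok', 'missing' or 'redirect -> <new owner>/<repo>'.
    resolve() answers where owner/repo lands today: its canonical (owner, repo), or None
    when nothing is served under that name. 'redirect' means the reference only works via
    GitHub's rename redirect, so the old owner name is unclaimed: the repojacking
    condition. 'missing' is dangling and will pull whatever is published there next."""
    findings: Dict[str, str] = {}
    for owner, repo in extract_refs(manifest):
        current = resolve(owner, repo)
        if current is None:
            verdict = "missing"
        elif current[0].lower() != owner.lower():
            verdict = f"redirect -> {current[0]}/{current[1]}"
        else:
            verdict = "ok"
        findings[f"{owner}/{repo}"] = verdict
    return findings

# Constructed manifest excerpt mixing go.mod and pip requirement styles.
SAMPLE_MANIFEST = """\
require github.com/acme-old/widget v1.2.0
require github.com/stable-org/lib v0.9.1
git+https://github.com/gone-corp/tool.git@v2.0#egg=tool
git+ssh://git@github.com/stable-org/lib.git
"""

# Constructed stand-in for GitHub's current state: acme-old was renamed to acme-inc (old
# name unclaimed) and gone-corp no longer exists. A live resolver would instead follow
# the HTTP redirect of https://github.com/<owner>/<repo> and parse the final URL.
CONSTRUCTED_STATE = {("acme-old", "widget"): ("acme-inc", "widget"),
                     ("stable-org", "lib"): ("stable-org", "lib")}

def constructed_resolver(owner: str, repo: str) -> Optional[Tuple[str, str]]:
    return CONSTRUCTED_STATE.get((owner.lower(), repo.lower()))
```

Running `audit(SAMPLE_MANIFEST, constructed_resolver)` reports acme-old/widget as a redirect to acme-inc/widget, stable-org/lib as ok, and gone-corp/tool as missing; the first two categories are the references worth repinning to the current owner or checking against a placeholder account.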

Image: Aqua Security Software
