GitHub Fixes Vulnerability, Secures Repositories

According to newly published research, a vulnerability in GitHub could have exposed thousands of repositories to repojacking attacks.

The vulnerability “could allow an attacker to exploit a race condition within GitHub’s repository creation and username renaming operations,” according to Checkmarx security researcher Elad Rapoport in a technical paper published with The Hacker News.

“Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub actions.”

The Microsoft-owned code hosting platform has fixed the vulnerability as of September 1, 2023, following responsible disclosure on March 1, 2023.

Repojacking, also known as repository hijacking, is a technique in which a threat actor is able to circumvent a security measure known as popular repository namespace retirement and gain control of a repository.

The protection applies when a user account is renamed: it prevents other users from creating a repository with the same name under that username if the original repository had more than 100 clones. In other words, the username and repository name combination is regarded as “retired.”

If this protection is bypassed, threat actors could create a new account under the retired username and upload malicious repositories there, potentially leading to software supply chain attacks.

Keywords: GitHub vulnerability, Repository hijacking, Software supply chain attacks
