The potential for ‘repojacking’ attacks has surfaced, thanks to a newly discovered vulnerability within GitHub. This could have placed countless repositories on the brink of considerable danger.
Elad Rapoport, a security researcher from Checkmarx, outlined the critical flaw in a technical report shared with The Hacker News. Rapoport explained that the weakness stems from a race condition between the creation of a GitHub repository and the renaming of a username. Exploiting it could critically disrupt the open-source community, possibly spiraling into the hijacking of over 4,000 code packages. These span multiple languages, from PHP to Swift, and also include GitHub Actions.
What is Repojacking?
Repojacking, a technique feared in the digital world, is where a threat actor bypasses a security mechanism called ‘popular repository namespace retirement’, thereby seizing control of a repository. This safeguard acts as a barrier: when a user account is renamed, it blocks other users from creating a repository with the same name as any of that account’s repositories that had been cloned over a hundred times. Essentially, once a username and repository name pair is ‘retired’, it’s supposed to be off-limits to others.
However, if rogue entities can easily sidestep this protection, they could potentially establish new accounts with identical usernames and introduce malicious repositories into the system. As a result, software supply chain attacks become an imminent risk.
How It Works
Checkmarx pointed out that the vulnerability hinges on a race condition between the creation of a repository and the renaming of a username. To orchestrate a repojacking attack, a threat actor (let’s call them “User A”) concurrently creates a repository called “Repo1” and changes the username from “User A” to “User B”, where “User B/Repo1” is a previously retired repository namespace.
In practice this is done through API requests: one request creates the repository while the request that renames the username is intercepted, so that both complete concurrently. This comes roughly nine months after GitHub fixed a similar flaw that could also have opened the door to repojacking attacks.
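The race described above, as an added example that is neither Checkmarx’s nor GitHub’s code: a hypothetical in-memory model of the retirement registry in which each request is a generator, so the interleaving can be replayed deterministically and the non-atomic version compared with one that re-checks retirement at the moment a name is actually claimed. The usernames, repository name and internal structure are assumptions, not details from the report.

```python
# Hypothetical in-memory model of namespace retirement: an added example, not GitHub's code.
class Namespace:
    def __init__(self, retired, atomic):
        self.retired = set(retired)  # "owner/repo" keys protected by retirement
        self.repos = set()           # live "owner/repo" keys
        self.atomic = atomic         # True: re-check retirement when a key is claimed
    def _claim(self, key):
        # The only place a key becomes live; the fix puts the check here.
        if self.atomic and key in self.retired:
            raise PermissionError(f"{key} is retired")
        self.repos.add(key)
    def create_repo(self, owner, name):
        key = f"{owner}/{name}"
        if key in self.retired:  # step 1: check under the owner's *current* name
            raise PermissionError(f"{key} is retired")
        yield "create: checked"
        self._claim(key)         # step 2: commit
        yield "create: committed"
    def rename_user(self, old, new):
        moved = lambda k: new + k[len(old):]
        owned = lambda: [k for k in self.repos if k.startswith(old + "/")]
        for k in owned():        # step 1: validate against repos that exist *now*
            if moved(k) in self.retired:
                raise PermissionError(f"{moved(k)} is retired")
        yield "rename: checked"
        for k in owned():        # step 2: move whatever exists at commit time
            self._claim(moved(k))
            self.repos.discard(k)
        yield "rename: committed"

def run(ns, schedule):
    ops = {"create": ns.create_repo("usera", "repo1"),   # one generator per
           "rename": ns.rename_user("usera", "userb")}   # in-flight request
    log = []
    for op in schedule:  # advance the operations in the given order
        try:
            log.append(next(ops[op]))
        except StopIteration: pass
        except PermissionError as exc:
            log.append(f"{op}: denied ({exc})")
    return log

SEQUENTIAL = ["create", "create", "rename", "rename"]  # rename's check sees the repo
RACE = ["rename", "create", "create", "rename"]        # both checks pass before a commit

def hijacked(atomic, schedule=RACE):
    """True if the retired 'userb/repo1' ends up live after the schedule runs."""
    ns = Namespace(retired={"userb/repo1"}, atomic=atomic)
    run(ns, schedule)
    return "userb/repo1" in ns.repos
```

With `atomic=False`, the `RACE` schedule lets the rename carry a freshly created repository into the retired `userb/repo1` slot because both operations validated before either committed; with `atomic=True`, or with either operation finishing before the other starts, the claim is refused.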
Rapoport remarks, “The detection of this fresh vulnerability in GitHub’s repository creation and username renaming processes highlights persistent risks tied to the ‘popular repository namespace retirement’ system”.
Consequently, GitHub, now under Microsoft’s wing, moved to remediate the issue after being notified of the vulnerability on March 1, 2023, and the problem was confirmed resolved as of September 1, 2023. Despite the response, it’s a sobering reminder of the constant vigilance needed to safeguard the digital frontier.