A new study has uncovered a significant security vulnerability on GitHub, revealing that millions of software repositories are susceptible to an attack known as RepoJacking. The report, published by Massachusetts-based security firm Aqua, highlights that even repositories from renowned organizations like Google and Lyft are vulnerable.
RepoJacking, also referred to as dependency repository hijacking, is a type of supply chain attack that allows threat actors to take over retired organization or user names and upload compromised versions of repositories, enabling the execution of malicious code.
The vulnerability arises when a repository owner renames their account. GitHub keeps a redirect from the old name to the new one, so anyone still fetching a dependency from the old URL continues to get the right code. The old username, however, is released, and anyone can register it and create a repository under the old path; that new repository takes precedence over the redirect, and the old URL now resolves to content the attacker controls.
The second scenario is a transfer: a repository is handed to another user or organization and the original account is subsequently deleted. The old owner name again becomes free, and an attacker who registers it inherits both the dangling URL and the reputation the repository built under that name.
Through RepoJacking, attackers manipulate the software supply chain by creating a repository with the same name as a well-known organization, tricking projects dependent on the repository to fetch contents from the attacker-controlled repository.
Aqua researchers Ilay Goldman and Yakir Kadkoda used public GitHub metadata sets such as GHTorrent, which record the owner and repository names attached to public commits and pull requests, to compile a list of candidate repositories. Analyzing a sample of 1.25 million repositories from June 2019, they found that 2.95% (approximately 36,983) were susceptible to RepoJacking.
Considering GitHub's extensive repository count of over 330 million, these findings suggest that millions of repositories could potentially fall prey to similar attacks.
For instance, the researchers found that the repository google/mathsteps, which had been previously owned by Socratic (socraticorg/mathsteps) and later acquired by Google in 2018, was vulnerable to RepoJacking. By creating the socraticorg/mathsteps repository, an attacker could execute arbitrary code on users who unknowingly cloned the compromised repository instead of Google's.
To mitigate the risk, users should regularly inspect their code and build configuration (package manifests, Dockerfiles, CI scripts, git submodules) for any references that fetch resources from external GitHub repositories, confirm that each owner name still exists and is not merely served through a rename redirect, and pin such dependencies to a specific commit hash or verified checksum rather than to a name or tag. GitHub's own safeguard, popular repository namespace retirement, only blocks re-registration of names whose repositories had more than 100 clones in the week before the rename or deletion, so it cannot be relied on for smaller projects.
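As an added example (written for this page, not code from the Aqua report or from GitHub), the script below performs that inspection: it extracts github.com references from a few common manifest formats, then classifies each one by asking two questions of a lookup function, whether the repository resolves directly (200), through a rename or transfer redirect (301), or not at all (404), and whether the owner name is still registered. A reference whose owner name is free is the RepoJacking case. The manifests, the lookup table and the names example-org, gone-user and libfoo are constructed for the demonstration; the socraticorg/mathsteps entry models the state the article describes, not the current state of GitHub. The live variant at the end uses the GitHub REST API endpoints GET /repos/{owner}/{repo} and GET /users/{owner} without following redirects; it is provided for real use and is not called here.

```python
"""Scan dependency manifests for GitHub references that could be RepoJacked."""
import os
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Matches github.com/<owner>/<repo> in Go import paths, git+https and
# git@github.com: URLs (.gitmodules, requirements.txt) and npm "github:" specs.
GITHUB_REF = re.compile(
    r"(?:github\.com[/:]|github:)"
    r"([A-Za-z0-9][A-Za-z0-9-]*)/([A-Za-z0-9_.-]+?)(?:\.git)?(?=[\s\"'@#/]|$)"
)

# A lookup answers: (HTTP status of GET /repos/{owner}/{repo}, does the owner exist?)
Lookup = Callable[[str, str], Tuple[int, bool]]


@dataclass
class Finding:
    source: str
    owner: str
    repo: str
    status: str  # ok | redirected | hijackable | dangling | missing
    detail: str


def extract_refs(source: str, text: str) -> List[Tuple[str, str, str]]:
    """Return (source, owner, repo) for every GitHub reference in a manifest."""
    return [(source, m.group(1), m.group(2)) for m in GITHUB_REF.finditer(text)]


def classify(source: str, owner: str, repo: str, lookup: Lookup) -> Finding:
    code, owner_exists = lookup(owner, repo)
    if code == 200:
        return Finding(source, owner, repo, "ok", "repository resolves directly")
    if code == 301 and owner_exists:
        return Finding(source, owner, repo, "redirected",
                       "served via a rename/transfer redirect; pin a commit hash, "
                       "the redirect dies if the owner name is ever released")
    if code == 301:
        return Finding(source, owner, repo, "hijackable",
                       "redirect in place but the owner name is unregistered: "
                       "registering it and creating this repo captures the reference")
    if not owner_exists:
        return Finding(source, owner, repo, "dangling",
                       "neither owner nor repository exists; anyone can claim both")
    return Finding(source, owner, repo, "missing", f"owner exists but repo returned {code}")


def scan(manifests: Dict[str, str], lookup: Lookup) -> List[Finding]:
    return [classify(src, owner, repo, lookup)
            for src, text in manifests.items()
            for src, owner, repo in extract_refs(src, text)]


def claimable(findings: List[Finding]) -> List[Finding]:
    """The subset an attacker could take over today."""
    return [f for f in findings if f.status in ("hijackable", "dangling")]


# --- Constructed sample input (not real project files) ---------------------
MANIFESTS = {
    "go.mod": ("module example.com/app\n\nrequire (\n"
               "\tgithub.com/socraticorg/mathsteps v0.2.0\n"
               "\tgithub.com/google/mathsteps v0.2.0\n)\n"),
    "requirements.txt": ("requests==2.31.0\n"
                         "git+https://github.com/example-org/libfoo.git@v1.2.0#egg=libfoo\n"),
    ".gitmodules": ('[submodule "vendor/tool"]\n\tpath = vendor/tool\n'
                    "\turl = git@github.com:gone-user/tool.git\n"),
}

# Constructed GitHub state: socraticorg/mathsteps redirects to google/mathsteps
# and the socraticorg name is free, as the report described at the time.
MOCK_REPOS = {("google", "mathsteps"): 200, ("socraticorg", "mathsteps"): 301,
              ("example-org", "libfoo"): 200}
MOCK_OWNERS = {"google", "example-org"}


def mock_lookup(owner: str, repo: str) -> Tuple[int, bool]:
    return MOCK_REPOS.get((owner, repo), 404), owner in MOCK_OWNERS


# --- Live variant for real use (not executed in this example) ----------------
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # turn 301 into an HTTPError instead of silently following it


def github_api_lookup(owner: str, repo: str) -> Tuple[int, bool]:
    opener = urllib.request.build_opener(_NoRedirect)
    headers = {"Accept": "application/vnd.github+json"}
    if os.environ.get("GITHUB_TOKEN"):  # optional; raises the rate limit
        headers["Authorization"] = "Bearer " + os.environ["GITHUB_TOKEN"]

    def status(url: str) -> int:
        try:
            with opener.open(urllib.request.Request(url, headers=headers)) as r:
                return r.status
        except urllib.error.HTTPError as e:
            return e.code

    code = status(f"https://api.github.com/repos/{owner}/{repo}")
    return code, status(f"https://api.github.com/users/{owner}") == 200


if __name__ == "__main__":
    for f in scan(MANIFESTS, mock_lookup):
        print(f"{f.status:10} {f.owner}/{f.repo:<22} ({f.source}): {f.detail}")
```

Running the script against the constructed manifests reports socraticorg/mathsteps as hijackable and gone-user/tool as dangling; the other two resolve directly. Swap mock_lookup for github_api_lookup to run it against real manifests, and treat "redirected" entries as work items too: they are safe only until the old owner name is released.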