This vulnerability has been named “RepoJacking” and was discovered by the Checkmarx SCS (Supply Chain Security) team.
RepoJacking is a technique that threat actors could use to evade GitHub’s “Popular repository namespace retirement” protection mechanism.
The technique takes advantage of traffic that still flows to a renamed repository’s old URL and redirects it to the attacker’s repository, from which the attacker can steal data.
Link Between GitHub Repository & Username
There is a unique URL associated with each GitHub repository, which is nested under the account of the user who created it.
To download open-source files from a repository, you use the full URL of the repository that contains them.
What happens when a user renames their account? GitHub supports this, displaying a warning noting that the rename has been approved and that all traffic to the old repository URL will be redirected to the newly named repository.
As a consequence, users who have not been informed of the rename can still reach the repository through its old URL.
According to the report, the attack relies largely on the fact that GitHub only treats a namespace as retired once it has been abandoned. An attacker who succeeded in exploiting this vulnerability could have placed malicious repositories under the abandoned namespace.
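The defender-side check that follows from this is to audit your own dependency manifests for GitHub references whose namespace has been abandoned by a rename (or no longer exists at all), and to note which of them are pinned to a full commit hash, since only those cannot be silently swapped for other content. The script below is an added example, not code from the article or from Checkmarx: the manifest lines and the offline `fake_resolve` lookup are constructed for the demonstration, and the regex and status names are my own choices.

```python
import re

# GitHub references as they appear in manifests: requirements.txt (git+https://...),
# go.mod (bare github.com/owner/repo) or plain URLs; "@<ref>" is the pinned tag or commit.
GITHUB_REF = re.compile(
    r"(?:git\+)?(?:https?://)?github\.com/"
    r"(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?"
    r"(?:@(?P<ref>[\w.\-/]+))?(?=[\s#\"',]|$)"
)
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")

def extract_refs(manifest):
    """Return (owner, repo, ref) for every GitHub reference found in the manifest text."""
    return [(m["owner"], m["repo"], m["ref"]) for m in GITHUB_REF.finditer(manifest)]

def audit_refs(refs, resolve):
    """resolve(owner, repo) gives the 'owner/repo' GitHub serves for that path today
    (after any rename redirect), or None if nothing is there. A namespace that now
    redirects elsewhere is abandoned and therefore a RepoJacking candidate."""
    findings = []
    for owner, repo, ref in refs:
        requested = f"{owner}/{repo}"
        current = resolve(owner, repo)
        if current is None:
            status = "missing"          # dangling: the referenced repo no longer exists
        elif current.lower() != requested.lower():
            status = "redirected"       # old namespace abandoned, traffic follows a rename
        else:
            status = "ok"
        findings.append({"requested": requested, "current": current, "status": status,
                         "pinned": bool(ref and COMMIT_SHA.match(ref))})
    return findings

# Constructed sample manifest and a constructed offline stand-in for the GitHub lookup:
# "victim/repo" was renamed (its old namespace is abandoned) and "gone/tool" no longer exists.
SAMPLE_MANIFEST = """\
git+https://github.com/victim/repo.git@v1.0#egg=repo
git+https://github.com/victim/repo.git@0123456789abcdef0123456789abcdef01234567#egg=repo2
github.com/helper_account/other v1.2.0
https://github.com/gone/tool.git
"""
FAKE_GITHUB = {"victim/repo": "victim-renamed/repo", "helper_account/other": "helper_account/other"}

def fake_resolve(owner, repo):
    return FAKE_GITHUB.get(f"{owner}/{repo}")

if __name__ == "__main__":
    for finding in audit_refs(extract_refs(SAMPLE_MANIFEST), fake_resolve):
        print(finding)
```

For a live run, `resolve` would query GitHub’s `GET /repos/{owner}/{repo}` API and return its `full_name`, on the assumption that GitHub answers a renamed repository with a redirect to its new location and a 404 for one that no longer exists.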
Evading GitHub Protection
While investigating the “Repository Transfer” feature, Checkmarx researchers discovered the following bypass:
- “victim/repo” is a popular GitHub repository retired under the “popular repository namespace retirement” protection.
- “helper_account” creates the “repo” repository.
- “helper_account” transfers ownership of the “repo” repository to “attacker_account”.
- “attacker_account” renames its username to “victim”.
- The new “victim” account (previously “attacker_account”) accepts the ownership transfer.
- 1 Nov 21 – We found a way to bypass the GitHub namespace retirement feature.
- 8 Nov 21 – We disclosed the bypass findings to GitHub.
- 8 Nov 21 – GitHub acknowledged the bypass and replied that they were working on a fix.
- 24 Mar 22 – GitHub responded that they had fixed the bypass.
- 11 May 22 – We discovered that the bypass was still exploitable and reported it to GitHub.
- 23 May 22 – This attack was found active against open-source projects.
- 25 May 22 – This technique was published by a security researcher who took ownership of the attacks, and was fixed shortly after by GitHub.
- 13 June 22 – We found an additional vulnerability to bypass the GitHub namespace retirement feature and reported it to GitHub.
- 19 Sep 22 – GitHub fixed the vulnerability, classified it as “High” severity, and granted us a bug bounty.
- 26 Oct 22 – Full disclosure.
Cybersecurity experts strongly recommend that users avoid depending on retired namespaces, because they are no longer secure. Doing so significantly reduces the attack surface, since other bypasses of this mechanism may still exist.