Millions of GitHub repositories are at risk of RepoJacking, a vulnerability that allows attackers to execute code on internal and customer environments, according to research conducted by AquaSec. The study analyzed a sample of 1.25 million GitHub repositories and found that approximately 2.95% of them were vulnerable to RepoJacking, including repositories owned by major companies such as Google and Lyft.
RepoJacking occurs when an organization renames its GitHub account. GitHub creates a redirect from the old name to the new one so that projects still fetching code from the original repository URL don't break. However, if an attacker re-registers the old username and creates a repository with the original name, the redirect no longer applies: the attacker now controls what is served at the old address and can insert malware into the code that downstream projects fetch.
While GitHub has implemented restrictions to prevent re-registration of old repository names, AquaSec discovered that these restrictions only apply to repositories that were already popular before the name change. Additionally, the researchers found several bypasses for these restrictions, allowing attackers to open any repository name they desire.
To conduct their research, AquaSec downloaded all the logs from GHTorrent, a project that provides a complete log history of GitHub repositories. They compiled a list of 125 million unique repository names and then sampled 1% of them (1.25 million) to determine whether they were vulnerable to RepoJacking. They found that 36,983 repositories, or 2.95% of the sample, were vulnerable to this attack.
AquaSec also highlighted the potential exploitation that could arise from the RepoJacking vulnerability. They identified Google and Lyft as companies with vulnerable repositories. For Google, they discovered a readme file that contained instructions on building a project called Mathsteps. However, the file pointed to a GitHub repository belonging to Socratic, a company that Google acquired in 2018 and that no longer exists. An attacker who re-registered the abandoned Socratic name could therefore have recreated the repository and injected malicious code into it, potentially executing arbitrary code on the devices of users who followed the build instructions.
In the case of Lyft, AquaSec found an installation script in the company's repository that fetched a ZIP archive from another vulnerable repository. This meant that attackers controlling the re-registered name could have had their malicious code pulled in automatically by every run of the Lyft installation script.
Both Google and Lyft have since addressed the vulnerabilities identified by AquaSec.
To safeguard GitHub repositories from RepoJacking, AquaSec recommends organizations regularly check their repositories for any links that may fetch resources from external GitHub repositories. They also advise organizations to ensure they continue to own previous organization names, even as placeholders, to prevent attackers from re-registering them.
AquaSec emphasizes that their analysis only covered a fraction of the available data, indicating that there are potentially many more vulnerable organizations beyond those they examined. They urge organizations to be proactive in assessing their vulnerability to RepoJacking.
Overall, the research conducted by AquaSec highlights the importance of addressing vulnerabilities in GitHub repositories to prevent unauthorized access and code execution. By taking proactive measures and implementing security best practices, organizations can mitigate the risk of RepoJacking and protect their code and customers’ environments.