
Researcher claims that erased GitHub data can be retrieved indefinitely


Truffle Security has raised concerns about a security flaw on GitHub that allows anyone to access data from deleted and private repositories, even after that data has been removed. In a blog post, security researcher Joe Leon wrote that the behavior is by design and poses a significant threat to organizations using the platform.

Leon demonstrated how he could fork a repository, commit data to it, delete the fork, and still access the deleted commit data through the original repository; the whole sequence took less than a minute. This is a major security problem, especially since many GitHub users may not be aware that their deleted data can still be accessed.

The blog post introduced the term “cross fork object reference” (CFOR) to describe the vulnerability, where data committed to one fork in a repository network can be accessed from another fork, including sensitive information from private and deleted repositories. This means that any commit pushed to a public repository with at least one fork could remain accessible indefinitely.

Additionally, Leon discovered that commit data from private repositories could also be accessed, as these repositories often have public versions linked to them. This common development workflow could inadvertently expose confidential data and secrets on public GitHub repositories.

The implications of this flaw are significant: as long as one fork exists, any commit to the repository network remains accessible on GitHub permanently. The blog emphasized that key rotation is the only secure way to remediate a key leaked in a public GitHub repository.

In response to the research, GitHub confirmed that the behavior Leon described is expected and documented in the platform’s documentation. The company said it is committed to investigating reported security issues and ensuring the platform’s security.

This latest security report from Truffle adds to a growing list of vulnerabilities discovered on GitHub. In April, a vulnerability was uncovered by New York University professor Justin Cappos, leading to the exposure of sensitive security reports. Threat actors have targeted GitHub in the past, using it as an attack vector for supply chain attacks by manipulating search functions to spread malicious code.

While there have been no reports of deleted repositories being compromised this way, the potential for exploitation remains a concern. As organizations continue to rely on GitHub for their development workflows, it is essential to address these security flaws and take proactive measures to protect sensitive data from unauthorized access.

Arielle Waldman, a news writer for TechTarget Editorial covering enterprise security, contributed to this report.
