Millions of GitHub repositories are potentially vulnerable to RepoJacking, which allows an attacker to carry out code execution on organisations’ internal environments or on their customers’ environments, according to research by AquaSec.
AquaSec analysed a sample of 1.25 million GitHub repositories and found that about 2.95% were vulnerable to RepoJacking, including repositories belonging to companies such as Google and Lyft.
What is RepoJacking?
On GitHub, organisations have usernames and repository names. When, for example, management or the brand name changes, an organisation may change its username and/or repository names on GitHub.
This creates a redirection to avoid breaking dependencies for projects using code from repositories that changed their name. However, if someone registers the old name, that redirection becomes invalid.
RepoJacking is the attack in which the attacker registers the old username and recreates, under it, a repository that the organisation used in the past before changing its name.
Any project or code that still depends on the old name then fetches dependencies and code from the attacker-controlled repository, which could contain malware.
GitHub has some restrictions to prevent an attacker from recreating a repository under the old name.
“However, they are applied only on popular repositories that were popular before the rename, and recently researchers found many bypasses to these restrictions allowing attackers to open any repository they want,” AquaSec said.
AquaSec’s research tactic
AquaSec downloaded all the GHTorrent logs of GitHub repository activity for June 2019 and compiled a list of 125 million unique repository names. They then sampled 1% (1.25 million repository names) and checked each one to see whether it was vulnerable to RepoJacking.
“We found that 36,983 repositories were vulnerable to RepoJacking! That is 2.95% success rate,” AquaSec said.
GHTorrent is a website that provides a complete log history of GitHub repositories.
Potential exploitation due to RepoJacking vulnerability
AquaSec found companies including Google and Lyft contained vulnerable repositories and explained the possible exploitation in their cases.
For Google, AquaSec found a readme file containing instructions on building a project called Mathsteps that pointed to a GitHub repository belonging to Socratic, a company that Google acquired in 2018 and which no longer exists.
Using the vulnerability, an attacker could recreate that repository under its old name and so break the redirection. Users following the instructions would then fetch a file containing malicious code the attacker inserted.
The cybersecurity firm further observed that the instructions included an install command for the dependency, so the attacker's code could achieve arbitrary code execution on the devices of unsuspecting users.
For Lyft, AquaSec found an installation script on the company’s repository that fetches a ZIP archive from another repository, which was vulnerable to RepoJacking. This meant that the attackers could inject their malicious code automatically into any Lyft installation script.
Both Google and Lyft have fixed the issue.
Safeguarding the repositories
AquaSec advises organisations to regularly check their repositories for any links that fetch resources from external GitHub repositories, because a referenced project (a Go module, for example) can change its name at any time.
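As an added example (not AquaSec's tooling and not code from the article), the following Python script applies the check advised above to the rename-and-redirect behaviour described under "What is RepoJacking?": it extracts GitHub owner/repository references from install scripts, READMEs and go.mod files, and classifies each one by whether the name still resolves directly, resolves only through a rename redirect (which survives only until someone claims the old name), points at a repository its existing owner has removed, or points at an owner name that nobody currently holds. The GitHub lookups are constructed stubs over invented owners and repositories; a live version would query the GitHub repositories API and follow the redirect it returns (assumed behaviour, not stated in the article).

```python
"""Audit repository text for GitHub references that could be RepoJacked.

Added example, not AquaSec's tooling.  It models the behaviour the article
describes: a renamed owner/repository keeps a redirect only until someone
registers the old name.  The GitHub lookups below are constructed stubs; a
live version would query https://api.github.com/repos/{owner}/{repo}
(assumed, not from the article) and follow the redirect it answers with.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Ref = Tuple[str, str]                              # (owner, repo)
Resolver = Callable[[str, str], Optional[Ref]]     # canonical name, or None if not found
OwnerCheck = Callable[[str], bool]                 # does this owner name exist at all?

# Matches https://, git@ and bare github.com references as they appear in
# READMEs, install scripts and go.mod.  The lazy repo group stops at '/',
# whitespace, quotes, '@', ')' or ']'; a trailing '.git' is dropped.
GITHUB_REF = re.compile(
    r"(?:https?://|git@)?github\.com[/:]"
    r"(?P<owner>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)/"
    r"(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?(?=[/\s\"'@)\]]|$)"
)


@dataclass(frozen=True)
class Finding:
    owner: str
    repo: str
    status: str                 # ok | redirected | repo-missing | owner-unclaimed
    resolves_to: Optional[Ref]


def extract_refs(text: str) -> List[Ref]:
    """Return unique (owner, repo) pairs in order of first appearance."""
    seen, refs = set(), []
    for m in GITHUB_REF.finditer(text):
        ref = (m.group("owner"), m.group("repo"))
        if ref not in seen:
            seen.add(ref)
            refs.append(ref)
    return refs


def audit(text: str, resolve: Resolver, owner_exists: OwnerCheck) -> List[Finding]:
    """Classify each reference by what its name currently points at.

    redirected       the project was renamed; the redirect lasts only until
                     someone claims the old name, so update the reference now
    owner-unclaimed  the owner name is free to register: the RepoJacking case
    repo-missing     the owner exists but the repo does not; a broken link that
                     only that owner could turn into something else
    """
    findings = []
    for owner, repo in extract_refs(text):
        target = resolve(owner, repo)
        if target == (owner, repo):
            status = "ok"
        elif target is not None:
            status = "redirected"
        elif owner_exists(owner):
            status = "repo-missing"
        else:
            status = "owner-unclaimed"
        findings.append(Finding(owner, repo, status, target))
    return findings


def needs_action(findings: List[Finding]) -> List[str]:
    """owner/repo strings the organisation should fix or claim, worst first."""
    order = {"owner-unclaimed": 0, "redirected": 1, "repo-missing": 2}
    flagged = [f for f in findings if f.status in order]
    flagged.sort(key=lambda f: order[f.status])       # stable sort keeps text order within a class
    return [f"{f.owner}/{f.repo}" for f in flagged]


# --- constructed sample input and GitHub state (invented owners and repos) ---
SAMPLE_TEXT = """\
#!/bin/sh
curl -sSL https://github.com/oldcorp/build-tools/archive/main.zip -o tools.zip
npm install git+https://github.com/example-org/mathlib.git
git clone git@github.com:renamed-org/cli.git

require (
\tgithub.com/example-org/mathlib v1.4.0
\tgithub.com/example-org/gone v0.1.0
)
"""
EXISTING_OWNERS = {"example-org", "brandnew-org"}          # "oldcorp" and "renamed-org" are free
REPO_TABLE: Dict[Ref, Ref] = {
    ("example-org", "mathlib"): ("example-org", "mathlib"),
    ("renamed-org", "cli"): ("brandnew-org", "cli"),        # renamed; redirect still alive
    ("brandnew-org", "cli"): ("brandnew-org", "cli"),
}


def stub_resolve(owner: str, repo: str) -> Optional[Ref]:
    return REPO_TABLE.get((owner, repo))


def stub_owner_exists(owner: str) -> bool:
    return owner in EXISTING_OWNERS


if __name__ == "__main__":
    results = audit(SAMPLE_TEXT, stub_resolve, stub_owner_exists)
    for f in results:
        print(f"{f.status:16} {f.owner}/{f.repo} -> {f.resolves_to}")
    print("fix first:", needs_action(results))
```

Run against a checkout, the audit would be fed the contents of the files that fetch external code (README, install scripts, go.mod, package manifests). A "redirected" result is the early warning the article's advice is about: the reference still works today, but only because nobody has registered the old name yet, so the fix is to update the reference to the new name and, for names the organisation itself abandoned, to re-register them as placeholders.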
“If you change your organisation name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it,” AquaSec said.
The researchers warn that many more organisations that they did not analyse could also be vulnerable. “It’s important to note that our analysis only covered a fraction of the available data, meaning that there are many more vulnerable organisations, potentially including yours,” AquaSec said.