Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack

Sep 12, 2023THNSoftware Security / Vulnerability

A new vulnerability disclosed in GitHub could have exposed thousands of repositories at risk of repojacking attacks, new findings show.

The flaw “could allow an attacker to exploit a race condition within GitHub’s repository creation and username renaming operations,” Checkmarx security researcher Elad Rapoport said in a technical report shared with The Hacker News.

“Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub actions.”

Following responsible disclosure on March 1, 2023, the Microsoft-owned code hosting platform has addressed the issue as of September 1, 2023.

Repojacking, short for repository hijacking, is a technique where a threat actor is able to bypass a security mechanism called popular repository namespace retirement and ultimately control of a repository.

What the protection measure does is prevent other users from creating a repository with the same name as a repository with more than 100 clones at the time its user account is renamed. In other words, the combination of the username and the repository name is considered “retired.”

Should this safeguard be trivially circumvented, it could enable threat actors to create new accounts with the same username and upload malicious repositories, potentially leading to software supply chain attacks.

The new method outlined by Checkmarx takes advantage of a potential race condition between the creation of a repository and the renaming of a username to achieve repojacking. Specifically, it entails the following steps –

1. Victim owns the namespace “victim_user/repo”
2. Victim renames “victim_user” to “renamed_user”
3. The “victim_user/repo” repository is now retired
4. A threat actor with the username “attacker_user” simultaneously creates a repository called “repo” and renames the username “attacker_user” to “victim_user”

The last step is accomplished using an API request for repository creation and a renamed request interception for the username change. The development comes nearly nine months after GitHub patched a similar bypass flaw that could open the door to repojacking attacks.

“The discovery of this novel vulnerability in GitHub’s repository creation and username renaming operations underlines the persistent risks associated with the ‘popular repository namespace retirement’ mechanism,” Rapoport said.