Millions of GitHub Repositories Vulnerable to Repo Jacking
Google, Lyft Among Vulnerable Repositories, Aqua Researchers Say
Millions of GitHub repositories are vulnerable to a repository renaming flaw that could enable supply chain attacks, a new report by security firm Aqua found.
Repository hijacking, or repo jacking, is an attack in which hackers take over GitHub projects to run malicious code. The vulnerability identified by Aqua researchers arises when GitHub users or organizations rename a repository while other projects' dependencies still point at the earlier repository name.
The security firm said hackers can exploit this vulnerability by creating accounts under the user names given up in the rename. Because older versions tend to keep their dependencies, repo jacking can enable attackers to take over a repository name and serve a cloned project from another GitHub account.
"Attackers aren't bound to a specific organization," the researchers said. "They can scan the internet and find any victim they'd like, and if they sense there's profit behind the attack, they can continue until they maximize their gain."
The report said hackers can leverage websites such as GHTorrent, which saves all information relating to GitHub dating back to 2012, to scan for a particular target. Although this website is currently unavailable, the researchers pointed out that its datasets remain accessible.
To demonstrate account takeover using repo jacking, the researchers said they compiled a sample from June 2019 covering 1% of GitHub, or 1.25 million repository names.
"We found that 36,983 repositories were vulnerable to repo jacking. That is a 2.95% success rate," they said. "If we extrapolate the result we found on this sample to the entire GitHub repositories' base, there are potentially millions of vulnerable repositories."
GitHub did not immediately respond to a request for comment from Information Security Media Group.
Attackers can use this flaw to introduce malicious code, the researchers said. To demonstrate a possible attack scenario, they created a proof-of-concept attack that could successfully introduce malware to repositories belonging to Lyft and Google.
The researchers also said that a vulnerable repository which other projects pull in as a dependency gives hackers a path into those projects, potentially leading to a supply chain attack.
Although GitHub has attempted to address repo jacking, the researchers said its measures have not been completely effective. They recommend regularly checking code for links to external repositories and verifying who owns those repositories to lower the risk of repo jacking.
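One way to run the check the researchers recommend, written here as an added example that is not part of Aqua's report or of any GitHub tooling: it pulls github.com/owner/repo references out of manifest text and flags those that resolve only through a rename redirect while the old owner name is unregistered. The GitHub service is replaced by a constructed in-memory stand-in (FAKE_REPOS, FAKE_OWNERS, SAMPLE_MANIFEST are all made up); how a real resolver would be wired to the GitHub API is stated in the comments as an assumption.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
# github.com/<owner>/<repo> as written in go.mod, requirements.txt, READMEs, etc.
GITHUB_REF = re.compile(r"github\.com[/:]([\w.-]+)/([\w.-]+?)(?:\.git)?(?=[\s\"'@#/]|$)")
Status = Tuple[str, Optional[str]]  # ("ok"|"redirect"|"missing", "newowner/newrepo" or None)

def extract_refs(text: str) -> List[Tuple[str, str]]:
    """Distinct (owner, repo) pairs referenced in text, in order of appearance."""
    refs: List[Tuple[str, str]] = []
    for ref in GITHUB_REF.findall(text):
        if ref not in refs:
            refs.append(ref)
    return refs

def audit_refs(text: str, repo_status: Callable[[str, str], Status],
               owner_exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Bucket each reference: 'exposed' = reachable only through a rename redirect
    while the old owner name is unregistered, so whoever claims the name and recreates
    the repo is served at the old URL (the repo-jacking precondition); 'redirected' =
    renamed but old name still held, just update the link; 'missing' = nothing there."""
    report: Dict[str, List[str]] = {"exposed": [], "redirected": [], "missing": []}
    for owner, repo in extract_refs(text):
        status, target = repo_status(owner, repo)
        name = f"{owner}/{repo}"
        if status == "redirect":
            bucket = "redirected" if owner_exists(owner) else "exposed"
            report[bucket].append(f"{name} -> {target}")
        elif status == "missing":
            report["missing"].append(name)
    return report

# Constructed stand-in for GitHub so the example runs offline. Wiring a real resolver
# to GET /repos/{owner}/{repo} (renamed repos answer 301 with the new location) and
# GET /users/{owner} is an assumption about the API, not something this code does.
FAKE_REPOS: Dict[Tuple[str, str], Status] = {
    ("acme", "tools"): ("ok", None),
    ("acme-old", "widgets"): ("redirect", "acme/widgets"),  # renamed, old org name reclaimed
    ("gone-org", "helper"): ("redirect", "newco/helper"),   # renamed, old org name left free
}
FAKE_OWNERS = {"acme", "acme-old", "newco"}
fake_status = lambda o, r: FAKE_REPOS.get((o, r), ("missing", None))
fake_owner_exists = lambda o: o in FAKE_OWNERS

SAMPLE_MANIFEST = """\
require github.com/acme-old/widgets v1.2.0
git+https://github.com/acme/tools.git@v2#egg=tools
See https://github.com/gone-org/helper/blob/main/README.md
require github.com/acme/retired v0.1.0
"""  # constructed input: lines from a go.mod, a requirements.txt and a README
```

Only `gone-org/helper` ends up in the `exposed` bucket: the old `acme-old` name is still held by its owner, which is exactly the ownership check the researchers advise.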