Google, Lyft Among Vulnerable Repositories, Aqua Researchers Say
Millions of GitHub repositories are vulnerable to a repository renaming flaw that could enable supply chain attacks, a new report by security firm Aqua found.
Repository hijacking, or repo jacking, is a form of attack that allows attackers to take over GitHub projects and run malicious code. The vulnerability identified by Aqua researchers arises when a GitHub user or organization changes its name while other projects keep their dependencies on the repositories under the earlier name.
The security firm notes that attackers can exploit this vulnerability by creating an account under the earlier user name. Because older versions of dependent projects tend to keep pointing at the earlier name, repo jacking can enable attackers to gain control of a repository reference and serve a cloned project from another GitHub account.
“Attackers aren’t bound to a specific organization,” Aqua researchers note. “They can scan the internet and find any victim they’d like, and if they sense there’s profit behind the attack, they can continue until they maximize their gain.”
The report notes that attackers can leverage websites such as GHTorrent, which archives GitHub data dating back to 2012, to scan for a particular target. Although this website is currently unavailable, Aqua researchers pointed out that its datasets remain accessible.
To demonstrate account takeover through repo jacking, the researchers said they compiled data from June 2019 covering 1.25 million repository names, or 1% of GitHub's repositories.
“We found that 36,983 repositories were vulnerable to repo jacking. That is a 2.95% success rate,” researchers said. “If we extrapolate the result we found on this sample to the entire GitHub repositories’ base, there are potentially millions of vulnerable repositories.”
GitHub did not immediately respond to a request for comment from Information Security Media Group.
Attackers can use this flaw to introduce malicious code, Aqua said. To demonstrate a possible attack scenario, researchers created a proof-of-concept attack that could successfully introduce malware into repositories belonging to Lyft and Google.
Researchers further noted that hackers can use vulnerable repositories as a potential dependency to access other projects, potentially leading to a supply chain attack.
Although GitHub has attempted to address repo jacking, Aqua researchers say its measures have not been completely effective. They recommend steps such as regularly checking external links and verifying the ownership of repositories to lower the risk of repo jacking.
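The "regularly check external links" recommendation can be automated from the defender's side. The script below is an added example, not code from the article or from Aqua: it scans a dependency manifest for github.com references, asks a resolver where each referenced repository currently lives, and reports references whose name has changed (the project has been renamed and a redirect still exists) or that no longer resolve at all (the riskier case, since the old name is now free to be claimed). The manifest lines, the `CONSTRUCTED_STATE` table and `constructed_resolver` are made-up data so the check runs offline; `http_resolver` is the assumed real-world replacement and relies on GitHub answering a request for a renamed repository with a redirect to its new location.

```python
"""Audit dependency references for GitHub repositories that have moved.

Added example (not from the Aqua report or the article). Every github.com
reference found in the manifest is resolved to its current (owner, repo);
a mismatch means the dependency is still pinned to a name that has been
given up, and an unresolved reference means the name is now unclaimed.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# owner and repo names, with an optional .git suffix, followed by a separator or end of text
GITHUB_REF = re.compile(
    r"github\.com[/:]([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?(?=[/\s\"'@#)]|$)"
)

# A resolver returns the (owner, repo) a reference currently lands on, or None
# when the repository can no longer be found under that name.
Resolver = Callable[[str, str], Optional[Tuple[str, str]]]

# Constructed sample manifest: go.mod, pip and SSH style references mixed together
SAMPLE_MANIFEST = """\
# constructed sample manifest, not real dependency data
github.com/example-org/widgets v1.4.0
git+https://github.com/old-maintainer/parser.git@v2.0.1#egg=parser
git@github.com:gone-user/helpers.git
https://github.com/example-org/widgets/tree/main/docs
"""

# Constructed view of where each referenced name currently points.
CONSTRUCTED_STATE: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("example-org", "widgets"): ("example-org", "widgets"),      # unchanged
    ("old-maintainer", "parser"): ("new-maintainer", "parser"),  # renamed, redirect still active
    # ("gone-user", "helpers") is absent: the old name no longer resolves
}


def constructed_resolver(owner: str, repo: str) -> Optional[Tuple[str, str]]:
    """Offline stand-in for a live lookup, backed by CONSTRUCTED_STATE."""
    return CONSTRUCTED_STATE.get((owner, repo))


def http_resolver(owner: str, repo: str) -> Optional[Tuple[str, str]]:
    """Assumed live resolver (not exercised here): HEAD the repository URL,
    follow redirects, and read the owner/repo from the final URL."""
    import urllib.error
    import urllib.request

    req = urllib.request.Request(f"https://github.com/{owner}/{repo}", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            m = GITHUB_REF.search(resp.geturl())
            return (m.group(1), m.group(2)) if m else None
    except urllib.error.HTTPError:
        return None


def find_refs(text: str) -> List[Tuple[str, str]]:
    """Return each distinct (owner, repo) referenced in the text, lower-cased,
    in order of first appearance."""
    seen: List[Tuple[str, str]] = []
    for m in GITHUB_REF.finditer(text):
        ref = (m.group(1).lower(), m.group(2).lower())
        if ref not in seen:
            seen.append(ref)
    return seen


def audit(text: str, resolve: Resolver) -> List[Tuple[str, str, Optional[str]]]:
    """Classify every reference as ok, redirected (renamed) or unresolved.
    Each finding is (reference, status, current location or None)."""
    findings = []
    for owner, repo in find_refs(text):
        current = resolve(owner, repo)
        ref = f"{owner}/{repo}"
        if current is None:
            findings.append((ref, "unresolved", None))
        elif (current[0].lower(), current[1].lower()) != (owner, repo):
            findings.append((ref, "redirected", f"{current[0]}/{current[1]}"))
        else:
            findings.append((ref, "ok", None))
    return findings


if __name__ == "__main__":
    for ref, status, now in audit(SAMPLE_MANIFEST, constructed_resolver):
        print(f"{status:<11} {ref}" + (f" -> {now}" if now else ""))
```

Run against a real checkout, pass `http_resolver` in place of `constructed_resolver` and feed it the contents of go.mod, requirements files, submodule configs or CI workflows; the "unresolved" findings are the ones to act on first, since they point at names an unrelated account could register.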