GitHub Exposes Data from Deleted and Private Repositories through Forks

Truffle Security has described attack scenarios against GitHub repositories that allow data to be retrieved from deleted repositories, provided the repository had public forks or was itself created as a fork.

The root cause is the way GitHub stores git objects: the upstream repository and all of its forks share a single object store (the "repository network") so that identical objects are not duplicated. As a result, a commit pushed to any repository in the network can be opened through any other repository in the same network simply by putting the commit hash in the URL (https://github.com/<owner>/<repo>/commit/<hash>), and the objects remain in the shared store even after the repository that introduced them has been deleted.

The researchers describe three threat scenarios:

  • In the first scenario a developer forks a public repository, commits experimental changes to the fork (sometimes including working API keys in experimental files), and later deletes the fork. Deleting the fork does not remove its commits: anyone who knows a commit hash can still open it through the upstream repository. Using this approach the researchers found 30 valid API keys across three machine-learning repositories that have many forks.
  • In the second scenario the upstream repository is deleted while forks of it remain. The example given: a company accidentally published an employee's private key in a public repository, and that key granted full access to all of the company's repositories on GitHub. The company deleted the repository, but the key can still be retrieved by commit hash from any of the remaining forks. Deleting a repository or fork is therefore not a remediation for a leaked credential; the credential has to be revoked or rotated.
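The following script is an added example, not code from Truffle Security or GitHub, illustrating both scenarios above: given a commit hash that was once pushed to any member of a fork network, it builds the URLs under which that commit can still be opened through every other member (the upstream when a fork was deleted, the forks when the upstream was deleted) and scans the commit's patch for credential patterns. The repository names, the commit hash and the patch text are constructed for illustration; the `.patch` suffix on GitHub commit URLs and the HEAD-request probe are assumptions about GitHub's web front end, and the reachability probe needs network access and is only called from the `__main__` block.

```python
"""Added example (hypothetical names): check where a commit hash can still be
opened inside a GitHub fork network, and scan its patch for leaked secrets."""
import re
import urllib.error
import urllib.request

# Constructed fork network: one upstream and two forks (hypothetical names).
UPSTREAM = ("example-org", "ml-project")
FORKS = [("alice", "ml-project"), ("bob", "ml-project-experiments")]
NETWORK = [UPSTREAM] + FORKS

# Constructed commit hash; in practice it comes from a local clone's log,
# a pull-request page, or the public events feed.
EXAMPLE_SHA = "0123456789abcdef0123456789abcdef01234567"

# Accept full 40-hex hashes and abbreviations of at least 7 characters
# (git's default abbreviation length).
_HEX_SHA = re.compile(r"[0-9a-fA-F]{7,40}")


def is_commit_hash(value):
    """True if `value` looks like a (possibly abbreviated) git commit hash."""
    return _HEX_SHA.fullmatch(value) is not None


def commit_urls(sha, repos):
    """Return (html_url, patch_url) pairs for `sha` under every repo in `repos`.

    Objects are shared across the whole repository network, so the same hash is
    worth trying against the upstream and every fork, regardless of which
    repository originally received the push or whether it still exists.
    """
    if not is_commit_hash(sha):
        raise ValueError(f"not a commit hash: {sha!r}")
    urls = []
    for owner, repo in repos:
        base = f"https://github.com/{owner}/{repo}/commit/{sha}"
        urls.append((base, base + ".patch"))  # assumed: '.patch' serves raw diff
    return urls


# Credential patterns: AWS access key ids, GitHub personal access tokens and
# PEM private-key headers. Extend with the providers relevant to your code base.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def added_lines(patch_text):
    """Yield the content of '+' lines in a unified diff, skipping '+++' headers."""
    for line in patch_text.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            yield line[1:]


def find_secrets(patch_text):
    """Return (pattern_name, matched_text) for every secret the commit introduced."""
    hits = []
    for line in added_lines(patch_text):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((name, match.group(0)))
    return hits


def is_reachable(url, timeout=10):
    """Probe whether GitHub still serves `url`: True/False, or None on a network error.

    Assumes the commit page answers a HEAD request with 200 when the hash is
    known to the repository network and 404 otherwise. Requires network access.
    """
    request = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "cfor-check/0.1"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return 200 <= response.status < 300
    except urllib.error.HTTPError:
        return False  # typically 404: hash not known in this repository's network
    except urllib.error.URLError:
        return None


# Constructed patch text in the format GitHub serves at <commit URL>.patch.
# The AWS key id is the sample value from AWS's own documentation.
CONSTRUCTED_PATCH = '''\
From 0123456789abcdef0123456789abcdef01234567 Mon Sep 17 00:00:00 2001
Subject: [PATCH] try a new training config

diff --git a/experiments/train.py b/experiments/train.py
--- a/experiments/train.py
+++ b/experiments/train.py
@@ -1,4 +1,8 @@
 import boto3
-AWS_ACCESS_KEY_ID = "<set me>"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DEPLOY_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
+...
+-----END OPENSSH PRIVATE KEY-----"""
 s3 = boto3.client("s3")
'''

if __name__ == "__main__":
    for name, value in find_secrets(CONSTRUCTED_PATCH):
        print(f"leaked {name}: {value}")
    # Network probe; the constructed repositories will report False (404).
    for html_url, _ in commit_urls(EXAMPLE_SHA, NETWORK):
        print(html_url, "->", is_reachable(html_url))
```

Run against a real network, replace `NETWORK` with the upstream plus the forks listed on its "Forks" page and feed in hashes from your own clone of the deleted fork; a `True` from `is_reachable` on any member means the commit is still publicly retrievable and any credential in its patch must be treated as compromised.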
