Researchers at Truffle Security have described a weakness in GitHub that allows data from deleted forks, deleted repositories, and even private repositories to remain accessible indefinitely. GitHub is aware of the behaviour: it is a consequence of how the platform's fork networks are designed rather than a bug in a single component.
The issue, dubbed Cross Fork Object Reference (CFOR), occurs when one repository in a fork network can read data that was committed to another repository in the same network, including forks that have since been deleted and forks that are private. Like the well-known Insecure Direct Object Reference (IDOR) class, CFOR lets a user reference an object directly, in this case a commit by its hash, to reach data that the normal interface would not expose.
The researchers illustrated the problem with a common GitHub workflow. A user forks a public repository, pushes changes to the fork, and then deletes the fork. One would expect the data pushed to the deleted fork to be gone. In practice it remains accessible through the upstream repository indefinitely, and the fork's owner has lost all control over it.
Further investigation showed that data from deleted forks is easy to find in practice. In several popular repositories belonging to a prominent artificial intelligence company, the researchers found numerous valid API keys embedded in example files in forks that had been deleted; the keys were still retrievable after the deletion.
The problem is not limited to deleted forks. If a user creates a public repository, someone forks it, and the owner later deletes the original, the commits the owner pushed to the original after the fork was created, but before the deletion, remain accessible through the fork. Deleting a repository does not remove its commits from the network as long as at least one fork survives.
A further scenario involves private repositories. Suppose an organisation creates a private repository, creates a private fork of it for internal feature work, and later makes the original repository public. Changing the visibility of the parent splits the fork network into a private part and a public part, but commits pushed to the private fork before the visibility change stay reachable from the now-public repository. Anything committed to the internal fork up to that point is therefore exposed to the general public.
Reaching such data requires only the commit hash. Destructive actions in a GitHub repository network (deleting a fork, deleting a repository, changing its visibility) remove the references that standard Git interfaces and operations use to find the data, but the objects themselves stay on GitHub and can be fetched by anyone who knows the hash. Commit hashes can in turn be obtained through the GitHub API, which makes the exposure practical rather than theoretical. Because no deletion removes the underlying data, any secret that was ever pushed anywhere in a fork network has to be treated as compromised and rotated.
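As an added illustration (example code written for this page, not Truffle Security's tooling or anything from GitHub), the following Python script shows the two steps the paragraph above describes: pulling commit hashes out of a GitHub Events API response, and probing whether the parent repository still serves each commit through its normal web URL. The `PushEvent` payload shape (`payload.commits[].sha`) and the `https://github.com/<owner>/<repo>/commit/<sha>` URL pattern are assumptions about GitHub's API and site, the event sample and the two hashes are constructed, the repository names `alice/example-tool` and `example-org/example-tool` are placeholders, and the `fetch` callback is injected so the logic can be exercised offline with a fake before `live_fetch` is pointed at the real site.

```python
"""Check whether commits seen in fork activity are still reachable
through a parent repository.

Added example for this article, not code from Truffle Security or GitHub.
Assumptions: the Events API PushEvent shape (payload.commits[].sha), the
web URL pattern https://github.com/<owner>/<repo>/commit/<sha>, and a
caller-supplied fetch(url) -> HTTP status callback.
"""
import json
import re
from typing import Callable, Dict, Iterable, List

# Git object names are 40 hex characters; GitHub also resolves unambiguous
# shorter prefixes, so accept 4..40.
SHA_RE = re.compile(r"[0-9a-f]{4,40}")

# Two constructed hashes used by the sample below (not real commits).
SHA_A = "3f2a9c1e5b7d8a0f4c6e2b9d1a3f5c7e9b0d2f4a"
SHA_B = "c0ffee0123456789abcdef0123456789abcdef01"

# Constructed Events API response: one push to a (hypothetical) fork, plus
# an unrelated event that must be ignored.
SAMPLE_EVENTS = json.dumps([
    {"type": "WatchEvent", "repo": {"name": "alice/example-tool"}, "payload": {}},
    {"type": "PushEvent", "repo": {"name": "alice/example-tool"},
     "payload": {"commits": [{"sha": SHA_A, "message": "add example config"},
                             {"sha": SHA_B, "message": "fix typo"}]}},
])


def commit_url(owner: str, repo: str, sha: str) -> str:
    """Web URL under which GitHub serves a commit by hash, whether or not
    the commit is reachable from any branch of that repository."""
    if not SHA_RE.fullmatch(sha):
        raise ValueError(f"not a commit hash: {sha!r}")
    return f"https://github.com/{owner}/{repo}/commit/{sha}"


def shas_from_events(events_json: str) -> List[str]:
    """Extract commit hashes from PushEvent entries, preserving order and
    dropping duplicates and malformed values."""
    found: List[str] = []
    for event in json.loads(events_json):
        if event.get("type") != "PushEvent":
            continue
        for commit in event.get("payload", {}).get("commits", []):
            sha = commit.get("sha", "")
            if SHA_RE.fullmatch(sha) and sha not in found:
                found.append(sha)
    return found


def probe_commits(owner: str, repo: str, shas: Iterable[str],
                  fetch: Callable[[str], int]) -> Dict[str, bool]:
    """Map each hash to True if owner/repo still serves it (HTTP 200).
    owner/repo is the parent being checked; the hashes may come from a
    fork that no longer exists."""
    return {sha: fetch(commit_url(owner, repo, sha)) == 200 for sha in shas}


def live_fetch(url: str) -> int:
    """Real HTTP GET returning the status code; only used when run as a script
    against the live site."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": "cfor-check"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Offline run against a fake server that still serves SHA_A but not SHA_B.
    fake = lambda url: 200 if url.endswith(SHA_A) else 404
    results = probe_commits("example-org", "example-tool",
                            shas_from_events(SAMPLE_EVENTS), fake)
    for sha, alive in results.items():
        print(f"{sha[:12]}  {'still reachable' if alive else 'gone'}")
```

A 200 from the parent for a hash that was only ever pushed to a fork that has since been deleted is exactly the CFOR condition the article describes. Hashes that were also pushed to the parent will of course return 200 regardless, so the interesting input is the set of commits that never appeared in the parent's own history.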