GitHub Repo Exposures Analyzed in Repojacking Attack

Researchers from Aqua Security have analyzed the possibility of applicability attacks, namely Repojacking, to repositories on GitHub. Repojacking occurs when links to non-existent names in third-party repositories, such as documentation, scripts, and installation instructions from Readme files, remain after a project is deleted or renamed on GitHub. An attacker can then register a user’s name on GitHub, repeating the previously existing name, and place malicious software in the repository with a repeated name. The attacker then expects someone to load it, using non-combined guidelines or an old code that loads dependence on old links.

Last year, control over the PHP Bibliosity of PHPASS was obtained in a similar way. GitHub has protection against re-registration of remote projects, but it managed to get around the protection by creating the repository with the same name in an arbitrary account, then renaming the account in the target. GitHub currently tries to confront such manipulations, but according to Aqua Security, not all bypass tracks are blocked, and the protection applies only to the most popular projects before renaming, which totaled more than 100 clones.

During Aqua Security’s study, a sample of 1.25 million repositories was examined, which accounts for approximately 0.4% of the total number of repositories on GitHub. The list was obtained based on the analysis of Loga of Changes for a random month in June 2019. The susceptibility of the Repojacking attack was discovered in 36983 repositories, totaling 2.95%. Extrapolating the results to all GitHub repositories, it can be concluded that potentially the REPOJACKING attack can affect more than 8 million repositories.

GitHub does automatically redirect old links to a new repository after renaming, but this redirect only operates until a user registers with the same name. Often, users forget to correct links to the new repository. Additionally, GitHub’s protection does not capture projects that have become popular after renaming, nor does it extend to less popular repositories that a popular project may use as dependence, which was previously renamed and not updated with improved protection.

To combat these vulnerabilities, GitHub is trying to better prepare and protect its users. However, it is essential for users to be mindful and take precautions themselves to prevent the likelihood of their repositories from falling prey to Repojacking attacks.

/Reports, release notes, official announcements.