Millions of GitHub projects found vulnerable to exploit

Thousands of open-source code repositories on GitHub could be vulnerable to an old exploit, according to a report from Aqua Security Software Ltd.’s Nautilus research team published this week.

Aqua analyzed a sample of more than a million GitHub code repositories and found almost 3% were vulnerable to an attack called repojacking. The bad actors could take control over an entire GitHub project or a particular piece of software. The issue is that sometimes organizations that own these projects change their name, and then create links to maintain the older account name.

This is a convenience feature to help developers — but attackers can weaponize it, as Aqua discovered. “GitHub has made attempts to block repojacking over the years, yet there are still some issues with these protections,” the researchers wrote in their blog post. “They remain incomplete and can be bypassed by attackers.”

If these attacks are successful, malware could be inserted into these repositories, threatening software supply chains. Aqua demonstrated a variety of techniques, both using manual and automated methods, to carry out these attacks.

Repojacking isn’t a new technique: Checkmarx Ltd. wrote about it a year ago in this post. At that time, it claimed that thousands of projects were vulnerable to this takeover. That still seems to be the case.

Some of these accounts found by Aqua belong to major companies, such as Google LLC and Lyft Inc. The company notified all vulnerable account holders before publicly disclosing their results. Aqua found more than 36,000 vulnerable repositories in their sample of GitHub log histories from June 2019.

One issue is that this data predates the Checkmarx research, so some of the account owners may have taken steps to protect themselves. This is what happened with both Lyft’s and Google’s accounts. which when contacted by the Aqua researchers said their respective repositories weren’t in current use. Still, both companies took each of these projects offline as an extra precautionary measure.

Aqua recommends that organizations establish a regular program to check their GitHub repositories for links that go to external accounts, and make sure that naming conventions are valid. “If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it,” researchers said.

Image: Aqua Security Software