A critical vulnerability discovered in GitHub has raised concerns about the exposure of thousands of repositories to repojacking attacks. Checkmarx security researcher Elad Rapoport identified this flaw, which could be exploited by attackers to manipulate GitHub’s repository creation and username renaming processes.
Successful exploitation of the vulnerability posed a significant risk to the open-source community, potentially enabling attackers to hijack over 4,000 code packages across languages such as Go, PHP, and Swift, as well as GitHub Actions. GitHub, owned by Microsoft, promptly addressed the issue after responsible disclosure in March 2023, implementing fixes by September 2023.
Repojacking, a shortened term for repository hijacking, involves threat actors bypassing a security mechanism known as “popular repository namespace retirement” to gain control over repositories.
This protective measure works as follows: when an account owner changes their username, any repository under the old username that has over 100 clones has its username-repository combination retired, so that nobody who later registers the old username can create a repository with the same name.
However, if attackers can easily circumvent this safeguard, they can create new accounts with the same username and upload malicious repositories, potentially leading to software supply chain attacks.
Checkmarx’s new method for repojacking exploits a race condition between the creation of a repository and the renaming of a username. The sequence begins with a victim who owns the namespace “victim_user/repo” and renames their account to “renamed_user,” which retires the “victim_user/repo” combination.
At nearly the same moment, an attacker with the username “attacker_user” creates a repository called “repo” and renames their username to “victim_user.” The repository is created through API requests and the username is changed through rename requests. Because the two operations race, the attacker’s rename can complete before the retirement of “victim_user/repo” is recorded, leaving the attacker’s repository in the victim’s old namespace. This discovery highlights ongoing challenges in securing popular repository namespaces, underscoring the need for robust safeguards in code hosting platforms.
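To make the race concrete from a defender's perspective, here is a toy model of the rename-and-retire logic described above. It is an added example written for this page, not GitHub's or Checkmarx's code, and it never contacts GitHub: the `Platform` class, the `midpoint` hook that exposes the single point where a concurrent request could interleave, and the usernames are all constructed for illustration. The same model is run twice: once with the racy ordering (release the old username, then record retirement) and once with the fixed ordering (record retirement while the old username is still held), which in a real service would be one database transaction.

```python
"""Toy model of username renames and 'popular repository namespace
retirement'. Constructed for illustration only; not GitHub's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

POPULAR_CLONES = 100          # retirement threshold cited in the article
Namespace = Tuple[str, str]   # (owner, repo)


@dataclass
class Platform:
    """Single-threaded model. `midpoint` stands for the one place where
    another user's request could run in the middle of a rename."""
    retire_before_release: bool                       # False = racy order, True = fixed order
    users: Set[str] = field(default_factory=set)
    repos: Dict[Namespace, int] = field(default_factory=dict)   # namespace -> clone count
    retired: Set[Namespace] = field(default_factory=set)

    def create_user(self, name: str) -> None:
        if name in self.users:
            raise ValueError(f"username {name!r} is taken")
        self.users.add(name)

    def create_repo(self, owner: str, name: str, clones: int = 0) -> None:
        if owner not in self.users:
            raise ValueError(f"no such user {owner!r}")
        if (owner, name) in self.retired:
            raise PermissionError(f"{owner}/{name} is a retired namespace")
        self.repos[(owner, name)] = clones

    def _owned_by(self, owner: str) -> List[Namespace]:
        return [ns for ns in self.repos if ns[0] == owner]

    def _rename_allowed(self, old: str, new: str) -> bool:
        if new in self.users:
            return False
        # A rename must not land any existing repo on a retired owner/repo pair.
        return all((new, repo) not in self.retired for _, repo in self._owned_by(old))

    def rename_user(self, old: str, new: str,
                    midpoint: Callable[[], None] = lambda: None) -> bool:
        if not self._rename_allowed(old, new):
            return False
        popular = {ns for ns in self._owned_by(old) if self.repos[ns] > POPULAR_CLONES}
        if self.retire_before_release:
            self.retired |= popular     # retirement is recorded while the old name is still held
            midpoint()
            self._move(old, new)
        else:
            self._move(old, new)        # old username becomes free here...
            midpoint()                  # ...and is unprotected until the next line runs
            self.retired |= popular
        return True

    def _move(self, old: str, new: str) -> None:
        self.users.remove(old)
        self.users.add(new)
        for (owner, repo), clones in list(self.repos.items()):
            if owner == old:
                del self.repos[(owner, repo)]
                self.repos[(new, repo)] = clones


def run_scenario(retire_before_release: bool) -> dict:
    """Replays the sequence from the article against one ordering of the rename."""
    p = Platform(retire_before_release)
    p.create_user("victim_user")
    p.create_user("attacker_user")
    p.create_repo("victim_user", "repo", clones=5000)   # popular: well over 100 clones
    p.create_repo("attacker_user", "repo")              # same repo name under another owner

    attacker_renames: List[bool] = []

    def attacker_request() -> None:       # runs in the middle of the victim's rename
        attacker_renames.append(p.rename_user("attacker_user", "victim_user"))

    if not p.rename_user("victim_user", "renamed_user", midpoint=attacker_request):
        raise RuntimeError("victim rename unexpectedly refused")
    # A second attempt after the victim's rename has fully completed.
    attacker_renames.append(p.rename_user("attacker_user", "victim_user"))

    outcome = "hijacked" if ("victim_user", "repo") in p.repos else "protected"
    return {"outcome": outcome, "attacker_renames": attacker_renames}


if __name__ == "__main__":
    for fixed in (False, True):
        r = run_scenario(fixed)
        print(f"retire_before_release={fixed}: {r['outcome']} "
              f"(attacker rename results: {r['attacker_renames']})")
```

With the racy ordering the attacker's rename succeeds inside the window and the retired namespace ends up holding the attacker's repository; with retirement recorded first, both the in-window attempt (username still taken) and the later attempt (namespace retired) are refused. The general lesson is the usual one for check-then-act logic: the protective record must exist before the resource it protects becomes available, and both writes must be committed atomically.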