Millions of GitHub repositories are potentially vulnerable to RepoJacking, which allows malicious actors to control an old repository if an organization changed its username on the open-source software development service.
According to research posted June 21 by Aqua Security’s Nautilus research group, RepoJacking is when a malicious actor registers a username and creates a repository used by an organization in the past, but has since changed its username. A developer may think the repo is safe, but in reality it’s controlled by the attacker and susceptible to malware.
The danger: Once exploited, it could lead to remote code execution on an organization’s internal environments or on a customer’s systems.
Aqua Nautilus started from a data sample it found on the GHTorrent website. The researchers downloaded all the logs from a random month (June 2019) and compiled a list of 125 million unique repository names. Next, they sampled 1% — 1.25 million repo names — and checked each one to see if it was vulnerable to RepoJacking.
They then found that 36,983 repositories were vulnerable to RepoJacking: a 2.95% success rate. By extrapolating the result they found on the sample to the entire GitHub repository base, there are potentially millions of vulnerable repositories — more than 300 million, say the researchers.
Aqua Nautilus then created a proof-of-concept (PoC) to show how RepoJacking works. They ran the PoC on several repositories that belong to popular organizations, gathering basic metadata such as hostname, IP address, and DNS name servers to see who downloaded artifacts from the vulnerable repos. The result: the PoC was triggered a few times leading to code execution on environments related to some large companies.
Aqua Security recommended that security teams take the following steps: Regularly check the organization’s repositories for any links that may fetch resources from external GitHub repositories. Also, if a developer changes the organization’s name, ensure that the company still owns the previous name. Do this as a placeholder because it can prevent attackers from creating it.
According to the report, RepoJacking is widespread and app dev teams may not even know they are vulnerable, said Timothy Morris, chief security advisor at Tanium. Morris said with motivation and some creative digital archaeology, anyone can dig up some past links to valuable repos that aren't ancient but actively being used in code running now.
“These are supply chain vulnerabilities,” explained Morris. “It’s imperative that security teams and risk managers understand where all their software, and dependencies, originate from. Whether open source software, third-party software, or commercially off-the-shelf software, it’s important to know what dependencies are being used. Mitigations include: never link directly, always package dependencies, use package managers, version pinning, and lock files.”
This research highlights the risk that transcends issues with GitHub, said John Bambenek, principal threat hunter at Netenrich. Bambenek said any references to “old” names that are retired can be used by others if all the references aren’t changed everywhere.
“In the case of GitHub repos, that could lead to remote execution or installation of backdoors,” Bambenek said. “However, this also includes other resources, such as email addresses and domain names, an exposure already in use by nation-state actors. Secure deprovisioning is something we are not really considering as we move more to cloud resources and open source and it will continue to bite us harder until we start dealing with it.”
