A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims’ source-code repositories.
For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers’ repos. For example, if an app was granted read-only access to an organization or individual’s code repo, the app could effortlessly escalate that to read-write access.
This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft’s GitHub, which assured The Register it’s “committed to investigating reported security issues.”
This is good news, because according to Aqua Security researchers, exploitation would have had a massive impact on “basically everyone.” In effect, this is a near hit for the industry as miscreants could have exploited the hole to exfiltrate cloud credentials from private repos or potentially tamper with software projects.
“Every company that uses GitHub and has a GitHub App installed (basically everyone) could potentially be affected by this,” Aqua security researcher Gal Singer wrote in an analysis this week. The cloud-native security company privately alerted GitHub to fix the oversight.
“Following the report, we thoroughly investigated the bug to identify possible paths of exploitation,” a GitHub spokesperson said, in response to questions about the bug. In lieu of publishing a security advisory for all to see, GitHub sent a notice to all of its customers, adding: “We do not have any evidence to suggest that GitHub or customer data was impacted.”
The GitHub Apps system allows applications to integrate with the source-code warehouse so that developers can add features, automate processes, and extend projects’ workflows. These third-party apps can also be bought and shared in the GitHub Marketplace, and some of the most popular ones have thousands if not millions of installs.
GitHub Apps authenticate using tokens, and according to Aqua herein lies the problem.
Here’s the way it’s supposed to work: GitHub Apps create and use scoped installation tokens based on the permissions granted to them when a user or organization installs the app.
As Singer explained:
However, a flaw in GitHub’s own code between February 25 and March 2 could have been exploited by an app to generate a token with an overly permissive scope. This could have allowed an app, which should have generated a token that only allowed read-access, to elevate the permission to
In a worst-case scenario, every newly generated token during that time frame could have been stepped up to grant the app administrator access, Singer noted:
The bug also highlights the larger security risk posed by third-party applications, libraries, and packages to software supply chains, he added.
This echoes concerns shared by the boss of the Microsoft Security Response Center, as well as 82 percent of CIOs in a survey of 1,000 such C-suite execs. ®