2022-10-31

Although it belongs to the Microsoft group, GitHub is particularly loved by Linux users, because it hosts a wide variety of open source applications as well as program source code that is often hard to find elsewhere.

In short, this platform is a real paradise for programmers and geeks in general.

Too bad that the platform has found itself at the centre of a problem: a bug that, it appears, made it possible to “hijack” repository names belonging to other users.

This kind of “hijacking” is fairly common in this field, as it is in the cryptocurrency world.

Before we begin: what is a “repository”?

A repository is just a “closet” for code: if you are already familiar with Linux systems you probably have a rough idea of what it is. More precisely, on GitHub a repository is a version-controlled store of a project's files together with their full change history, and it is addressed by the pair username/repository-name (for example github.com/victim/repo).

In any case, quoting Wikipedia: “it is an environment which can be implemented across numerous hardware platforms and database management systems”.

In short: they are “packages” of data that are needed for some kinds of installation; if you are a programmer, think of something similar to a C++ library (the standard headers such as iostream, to give an idea).

So what was the problem with the GitHub repositories?

The cloud-based repository hosting service GitHub recently fixed a rather serious security flaw which could have been exploited to create malicious repositories and mount supply-chain attacks on users.

The RepoJacking technique, disclosed by Checkmarx, is based on bypassing a protection mechanism called “popular repository namespace retirement”, which prevents anyone from re-creating a repository under a username/repository-name pair once that namespace has been retired, so that users who still pull from the old address cannot be served a malicious substitute.

The issue was addressed by GitHub (a Microsoft subsidiary) on September 19, 2022, following responsible disclosure.

RepoJacking occurs when a repository owner changes their username, potentially allowing an attacker to “claim” the old username and publish a look-alike repository with the same name, in an attempt to trick users into downloading it. Any script, build file or package manifest that still points at the old address will then fetch the attacker's content.

GitHub's countermeasure “retires [i.e. reserves, at the database level] the namespace of any open source project that had more than 100 clones in the week leading up to the renaming or deletion of the owner account”, but Checkmarx found that this can be circumvented through a “repository transfer”.

The RepoJacking attack works as follows:

1. An attacker creates a repository with the same name as the targeted repository (for example “repo”, owned by a user named “victim”) but under a different username (for example “helper”).

2. “helper” transfers ownership of “repo” to a second attacker-controlled account with the username “attacker”.

3. “attacker” renames their account to “victim”, the original owner's old username, which became free when the owner renamed.

4. The “victim/repo” namespace is now under the attacker's control.

In other words, the attack relies on a peculiarity of GitHub: the retirement check considered only the exact “retired” namespace, that is the combination of username and repository name, and only when a repository was created directly under it. A repository created under a freshly made username and then moved into the retired namespace through a transfer followed by an account rename was never checked, so an attacker could reuse the repository name together with the victim's old username.
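To make the sequence concrete, here is an added example (written for this page, not Checkmarx's or GitHub's code) that models GitHub's accounts, repositories and retired namespaces in Python and runs the steps above against that model. The 100-clone threshold comes from the article; the `hardened` flag, which also enforces retirement on transfers and renames, is an illustrative fix assumed here and not a description of GitHub's actual patch; the account names and clone counts are constructed sample data.

```python
from dataclasses import dataclass, field

POPULAR_CLONES = 100  # retirement threshold quoted in the article


class Blocked(Exception):
    pass


def ns(owner, name):
    return (owner.lower(), name.lower())  # GitHub names are case-insensitive


@dataclass
class Repo:
    owner: str
    name: str
    created_by: str  # account that originally created it; never changes
    clones_last_week: int = 0


@dataclass
class Platform:
    """Toy model. hardened=False enforces retirement only on repository creation,
    as the article describes. hardened=True is an illustrative fix (an assumption
    of this example, not GitHub's real patch) that also checks transfers and renames."""
    hardened: bool = False
    users: set = field(default_factory=set)
    repos: dict = field(default_factory=dict)  # (owner, name) -> Repo
    retired: set = field(default_factory=set)  # retired (owner, name) pairs

    def create_repo(self, owner, name, clones_last_week=0):
        key = ns(owner, name)
        if key in self.retired:
            raise Blocked(f"{owner}/{name} is a retired namespace")
        if key in self.repos:
            raise Blocked(f"{owner}/{name} already exists")
        self.repos[key] = Repo(owner, name, owner, clones_last_week)

    def _check_destination(self, owner, name):
        """Checks applied when a repo is moved; the vulnerable model skips retirement."""
        key = ns(owner, name)
        if self.hardened and key in self.retired:
            raise Blocked(f"{owner}/{name} is a retired namespace")
        if key in self.repos:
            raise Blocked(f"{owner}/{name} already exists")

    def transfer_repo(self, owner, name, new_owner):
        self._check_destination(new_owner, name)
        repo = self.repos.pop(ns(owner, name))
        repo.owner = new_owner
        self.repos[ns(new_owner, name)] = repo

    def rename_user(self, old, new):
        if new.lower() in self.users:
            raise Blocked(f"username {new} is taken")
        moving = [r for k, r in self.repos.items() if k[0] == old.lower()]
        for r in moving:  # validate every destination before mutating anything
            self._check_destination(new, r.name)
        for r in moving:
            if r.clones_last_week > POPULAR_CLONES:
                self.retired.add(ns(old, r.name))  # namespace retirement
            del self.repos[ns(old, r.name)]
            r.owner = new
            self.repos[ns(new, r.name)] = r
        self.users.discard(old.lower())  # the old username is free again
        self.users.add(new.lower())

    def resolve(self, owner, name):
        """What a clone of https://github.com/<owner>/<name> would receive."""
        return self.repos.get(ns(owner, name))


def retired_platform(hardened):
    """Constructed scenario: a popular project at victim/repo whose owner just renamed."""
    gh = Platform(hardened=hardened, users={"victim", "helper", "attacker"})
    gh.create_repo("victim", "repo", clones_last_week=5000)
    gh.rename_user("victim", "victim-new")  # retires victim/repo, frees "victim"
    return gh


def direct_squat(hardened):
    """The naive takeover that namespace retirement is designed to stop."""
    gh = retired_platform(hardened)
    try:
        gh.create_repo("victim", "repo")
    except Blocked as e:
        return f"blocked: {e}"
    return "hijacked"


def transfer_bypass(hardened):
    """The three attacker steps from the article, run against the model."""
    gh = retired_platform(hardened)
    steps = [
        ("1 create helper/repo", lambda: gh.create_repo("helper", "repo")),
        ("2 transfer helper/repo to attacker", lambda: gh.transfer_repo("helper", "repo", "attacker")),
        ("3 rename attacker to victim", lambda: gh.rename_user("attacker", "victim")),
    ]
    for label, step in steps:
        try:
            step()
        except Blocked as e:
            return f"blocked at step {label}: {e}"
    return f"hijacked: victim/repo now serves a repo created by {gh.resolve('victim', 'repo').created_by}"
```

Running `direct_squat` shows that recreating `victim/repo` directly is refused in both modes, which is exactly what retirement is for; `transfer_bypass(False)` shows the namespace ending up under an attacker-created repository, while `transfer_bypass(True)` is refused at the rename step, because the hardened model re-checks retirement whenever a repository changes address rather than only at creation.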

A successful exploit could have allowed attackers to distribute infected repositories (GitHub does host malware and malicious code from time to time), putting anyone still pulling from renamed accounts at risk of supply-chain attacks.

“Unless explicitly taken care of, all renamed usernames on GitHub were vulnerable to this flaw, including over 10,000 packages on Go, Swift, and Packagist package managers,” said Checkmarx researcher Aviad Gershon.

Fortunately, the problem has been fixed on GitHub's side. Users of third-party repositories can still reduce their exposure to namespace takeovers by pinning dependencies to a specific commit hash or verified checksum rather than to a branch name, and by updating their references promptly when a dependency's owner renames their account.