Security News > 2023 > September > Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack

A new vulnerability disclosed in GitHub could have exposed thousands of repositories at risk of repojacking attacks, new findings show.

The flaw "Could allow an attacker to exploit a race condition within GitHub's repository creation and username renaming operations," Checkmarx security researcher Elad Rapoport said in a technical report shared with The Hacker News.

Repojacking, short for repository hijacking, is a technique where a threat actor is able to bypass a security mechanism called popular repository namespace retirement and ultimately control of a repository.

What the protection measure does is prevent other users from creating a repository with the same name as a repository with more than 100 clones at the time its user account is renamed.

The new method outlined by Checkmarx takes advantage of a potential race condition between the creation of a repository and the renaming of a username to achieve repojacking.

"The discovery of this novel vulnerability in GitHub's repository creation and username renaming operations underlines the persistent risks associated with the 'popular repository namespace retirement' mechanism," Rapoport said.

News URL

https://thehackernews.com/2023/09/critical-github-vulnerability-exposes.html