Security News > 2023 > September > Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack
A new vulnerability disclosed in GitHub could have exposed thousands of repositories at risk of repojacking attacks, new findings show.
The flaw "Could allow an attacker to exploit a race condition within GitHub's repository creation and username renaming operations," Checkmarx security researcher Elad Rapoport said in a technical report shared with The Hacker News.
Repojacking, short for repository hijacking, is a technique where a threat actor is able to bypass a security mechanism called popular repository namespace retirement and ultimately control of a repository.
What the protection measure does is prevent other users from creating a repository with the same name as a repository with more than 100 clones at the time its user account is renamed.
The new method outlined by Checkmarx takes advantage of a potential race condition between the creation of a repository and the renaming of a username to achieve repojacking.
"The discovery of this novel vulnerability in GitHub's repository creation and username renaming operations underlines the persistent risks associated with the 'popular repository namespace retirement' mechanism," Rapoport said.
News URL
https://thehackernews.com/2023/09/critical-github-vulnerability-exposes.html
Related news
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (source)
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- Public anxiety mounts over critical infrastructure resilience to cyber attacks (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others (source)
- US sanctions APT31 hackers behind critical infrastructure attacks (source)
- Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining (source)
- Cyber attacks on critical infrastructure show advanced tactics and new capabilities (source)