Security News

GitHub deprecates account passwords for authenticating Git operations
2021-08-12 22:10

GitHub has announced today that account passwords will no longer be accepted for authenticating Git operations starting tomorrow. "Starting on August 13, 2021, at 09:00 PST, we will no longer accept account passwords when authenticating Git operations on GitHub.com," the company said.

GitHub now supports security keys when using Git over SSH
2021-05-10 20:09

GitHub has added support for securing SSH Git operations using FIDO2 security keys for added protection from account takeover attempts. "Once generated, you add these new keys to your account just like any other SSH key," GitHub Senior Security Engineer Kevin Jones said.

PHP's Git server hacked to add backdoors to PHP source code
2021-03-29 07:32

In the latest software supply chain attack, the official PHP Git repository was hacked and the code base tampered with. Yesterday, two malicious commits were pushed to the php-src Git repository maintained by the PHP team on their git.

PHP's Git Server Hacked to Insert Secret Backdoor to Its Source code
2021-03-29 03:51

In yet another instance of a software supply chain attack, unidentified actors hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a secret backdoor into its source code. The changes, which were committed as "Fix Typo" in an attempt to slip through undetected as a typographical correction, involved provisions for execution of arbitrary PHP code.

Researchers hacked Indian govt sites via exposed git and env files
2021-03-12 16:46

Researchers have now disclosed more information on how they were able to breach multiple websites of the Indian government. Last month, researchers from the Sakura Samurai hacking group had partially disclosed that they had breached cyber systems of Indian government after finding a large number of critical vulnerabilities.

Passwords begone: GitHub will ban them next year for authenticating Git operations
2020-12-17 08:29

Microsoft's GitHub plans to stop accepting account passwords as a way to authenticate Git operations, starting August 13, 2021, following a test period without passwords two-weeks earlier. As of next August, that requirement will be extended to all Git-related command line interactions, desktop apps that use Git, and software or services that access Git repos on GitHub via password.

Git LFS vulnerability allows attackers to compromise targets’ Windows systems (CVE-2020-27955)
2020-11-05 11:14

A critical vulnerability in Git Large File Storage, an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker's malicious repository using a vulnerable Git version control tool, security researcher Dawid Golunski has discovered. Golunski found that Git LFS does not specify a full path to git binary when executing a new git process via a specific exec.

ProtonMail-run website boasting 'complete guide' to GDPR left credential-baring .git repo exposed online
2020-04-29 09:00

An EU-sponsored GDPR advice website run by Proton Technologies had a vulnerability that let anyone clone it and extract a MySQL database username and password. "The irony of a EU-funded website about GDPR having security issues isn't lost on us," mused the security consultancy.

GDPR Compliance Site Leaks Git Data, Passwords
2020-04-27 21:15

The website, GDPR.EU, is an advice site for organizations that are struggling to comply with the General Data Protection Regulation laws that were imposed by the EU in 2018. "However, the irony of a EU-funded web site about GDPR having security issues isn't lost on us."

How to install and use git-secret
2020-01-02 19:18

Learn how to gain more security in your git repository with the help of the git-secret tool. If you use Git for much of your development needs, you should know there's a dirty little secret to be found.