Millions of GitHub repositories vulnerable to RepoJacking: Report

Millions of GitHub repositories are potentially vulnerable to RepoJacking, which allows attackers to carry out code execution on organizations' internal environments or on their customers' environments, according to research by AquaSec. 

AquaSec analyzed a sample of 1.25 million GitHub repositories and found that about 2.95% were vulnerable to RepoJacking, including repositories belonging to companies such as Google and Lyft. 

What is RepoJacking?

On GitHub, organizations have usernames and repository names. In instances such as a change of management or new brand name etc, the organization may change the username or repository name on GitHub. A redirect is also created to avoid breaking dependencies for projects using code from repositories that changed their name. However, if someone re-registers the old name, that redirection becomes invalid.

An attack in which the attacker registers a username and creates a repository used by an organization in the past but changed its name is called RepoJacking.

This leads to any project or code that relies on the dependencies of the attacked project to fetch dependencies and code from the attacker-controlled repository, which could contain malware.

GitHub has some restrictions to prevent the attacker from opening the old repository name. "However, they are applied only on popular repositories that were popular before the rename, and recently researchers found many bypasses to these restrictions allowing attackers to open any repository they want," AquaSec said. 

AquaSec's research tactic

AquaSec downloaded all the logs from GHTorrent -- a website that provides complete log history of GitHub repositories -- for June 2019 and compiled a list of 125 million unique repository names. They then sampled 1% (1.25 million repository names) and checked each one to see if it was vulnerable to RepoJacking.

"We found that 36,983 repositories were vulnerable to RepoJacking! That is 2.95% success rate," AquaSec said.

Potential exploitation due to RepoJacking vulnerability

AquaSec found companies including Google and Lyft had vulnerable repositories and explained how they could be exploited.

For Google, AquaSec found that a readme file containing instructions on building a project called Mathsteps pointed to a GitHub repository belonging to Socratic, a company that Google acquired in 2018 which no longer exists.

Using the vulnerability, an attacker can clone that repository to break the redirection. This can lead to users accessing a file containing malicious code the attacker inserted, allowing the attacker to achieve arbitrary code execution on the devices of unsuspecting users. 

For Lyft, AquaSec found an installation script on the company's repository that fetches a ZIP archive from another repository, which was vulnerable to RepoJacking. This meant that the attackers could inject their malicious code automatically into any Lyft installation script. 

Both Google and Lyft have fixed the issue. 

Safeguarding the repositories 

AquaSec advises organizations to regularly check their repositories for any links that may fetch resources from external GitHub repositories, as references to projects like the Go module can change their name anytime.

"If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it," AquaSec said.

The researchers warn that organizations that they did not analyze could also be vulnerable. "It's important to note that our analysis only covered a fraction of the available data, meaning that there are many more vulnerable organizations, potentially including yours," AquaSec said.