GitHub vulnerability threatens intellectual property of users

By Alfred Vergara on January 25, 2019

A recent vulnerability was found by GitHub user sarazasasa that allows users to view private code repositories (repos) after their access to the repo has been revoked. GitHub is a Web-hosting service that hosts more than 100 million repos and over 31 million users, and all of those users are potentially susceptible to this vulnerability. It allows a person who was previously a collaborator on a project to view current changes to the repo as if they still had access.

What is GitHub?

GitHub is a Web-based service that hosts code and files for Git. Git is open-source version control software that lets users keep accurate, consistent versions of a software project across different workstations and contributors. While GitHub is not required in order to use Git, many people use GitHub because it makes Git functionality easy to reach from the browser.

Git manages changes through a push and pull model: a developer pulls the current version of a project from a shared repository and pushes their own commits back to it. Before pushed changes are merged into a branch, Git checks for conflicts and lets the user resolve any differences.

The figure above (image from Edureka!) shows how Git keeps versions of a project consistent across all contributors.

The Vulnerability

The vulnerability is easy to take advantage of; the steps below are those detailed by GitHub user sarazasasa:

  1. Alice has a private repo P.
  2. Alice grants Bob access to P.
  3. Bob creates an organization, called B-org.
  4. Bob forks P into B-org.
  5. Alice removes user Bob's access to P.
  6. Alice makes a commit to P with hash X.
  7. Bob can see the commit with hash X by visiting github.com/B-org/P/tree/X.

GitHub resolves a commit from a prefix of its hash given in the Uniform Resource Locator (URL), and a prefix as short as 4 characters is enough. It is therefore possible for Bob to brute-force hash prefixes until he finds one that works, from github.com/B-org/P/tree/0000 to github.com/B-org/P/tree/ffff. This can be automated through the GitHub API.

This issue also works the other way around. If Bob forks a private repo P and Alice, the owner of P, later has her access to Bob’s fork removed, Alice can likewise brute-force hash prefixes until she finds the latest commits to Bob’s fork.

The same behaviour also lets a free organization have an unlimited number of collaborators on a project: a member of that organization only needs to fork a private repo into the organization.

Impact

GitHub is a Web-hosting service that hosts more than 100 million repos and over 31 million users. With this many repositories and users, the possible impact of a leak of intellectual property is massive. Disgruntled former collaborators on a project can not only unethically share the code they last worked on, but also keep providing an up-to-date working copy of it. Since private repos can only be accessed through a GitHub payment plan, this has an impact on GitHub as a service as well. This is not an unprecedented privacy and security concern, as GitHub has previously faced security concerns over its search feature. If GitHub cannot reliably address this threat to the integrity of its private repository hosting, users may migrate to other hosting services or other version control methods.

Mitigation

GitHub Pro users and repo owners can still see who has forked a repo by going to the Insights -> Network tab. The owner of a project may also have collaborators sign a non-disclosure agreement, or another legally binding contract covering private repos, so that if or when they no longer have access to the repo they can be prosecuted if the owner’s intellectual property is used without permission. Repository owners can move the project to a completely new repository to mitigate the current vulnerability and prevent malicious users from viewing the updated project. Since the vulnerability only affects GitHub, and not Git, repository owners may also consider hosting their own Git server.
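As an added example (not part of the original article, and not GitHub's own tooling), the fork review above can be automated: the script below takes the fork and collaborator lists that the GitHub REST API returns and flags forks owned by accounts that are no longer collaborators, which is exactly what Bob's B-org fork looks like after step 5. The endpoint URLs, the `fetch_json` helper and the sample data are assumptions constructed for illustration.

```python
"""Audit a repository's forks against its current collaborator list.

Defender-side check for the scenario above: a fork made while a collaborator
still had access survives that collaborator's removal. Input is the JSON from
GitHub's REST API (GET /repos/{owner}/{repo}/forks and /collaborators); only
`full_name`, `owner.login` and `owner.type` of each fork are used.
"""
import json
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample data shaped like the API responses (not real repositories).
SAMPLE_FORKS = [
    {"full_name": "carol/P", "owner": {"login": "carol", "type": "User"}},
    {"full_name": "bob/P", "owner": {"login": "bob", "type": "User"}},
    {"full_name": "B-org/P", "owner": {"login": "B-org", "type": "Organization"}},
]
SAMPLE_COLLABORATORS = [{"login": "alice"}, {"login": "carol"}]  # Bob was removed


def fetch_json(url: str, token: str) -> List[Dict]:
    """Fetch one page of a GitHub REST endpoint (pagination is not handled)."""
    req = urllib.request.Request(url, headers={
        "Authorization": "token " + token, "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit_forks(forks: List[Dict], collaborators: List[Dict],
                source_owner: str) -> List[Tuple[str, str]]:
    """Return (fork full_name, reason) for each fork that needs attention.

    A user-owned fork by someone who is neither the source owner nor a current
    collaborator is the post-revocation case from the article; an organization-
    owned fork is flagged for review, since membership is not visible here.
    """
    allowed = {c["login"] for c in collaborators} | {source_owner}
    findings = []
    for fork in forks:
        login, kind = fork["owner"]["login"], fork["owner"]["type"]
        if kind == "Organization" and login != source_owner:
            findings.append((fork["full_name"], f"owned by organization {login}; review its members"))
        elif kind != "Organization" and login not in allowed:
            findings.append((fork["full_name"], f"owner {login} is no longer a collaborator"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_forks(SAMPLE_FORKS, SAMPLE_COLLABORATORS, "alice"):
        print(f"{name}: {reason}")
```

Run against live data by passing the output of `fetch_json` for the two endpoints (with a token that can read the private repo) instead of the sample lists.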

Sources

https://gist.github.com/sarazasasa/9450d63f96e7ff799824fc98fc7f3b43

https://github.com/about

https://www.edureka.co/blog/what-is-git/

https://www.itworld.com/article/2921135/security/add-github-dorking-to-list-of-security-concerns.html