National Cyber Warfare Foundation (NCWF) Forums


Repo Jacking: Exploiting the Dependency Supply Chain


2020-10-22 18:45:48
milo
Education


TL;DR


Three scenarios enable GitHub repositories to be hijacked. Linking directly to them may result in malicious code injection; don’t do it.


Background


A finding during a recent client engagement caused us to investigate the prevalence of dependency repository hijacking, an obscure vulnerability that allows anyone to hijack a repository if its owner changes their username. This vulnerability is similar to subdomain takeover, trivial to exploit, and results in remote code injection. After analyzing open-source projects for this issue and recursively searching through their dependency graphs, we found over 70,000 impacted open-source projects; this includes popular projects and frameworks from companies like Google, GitHub, Facebook, and many others. To mitigate this issue, ensure that your project doesn’t depend on a direct GitHub URL, or use a dependency lock file and version pinning.


If you are familiar with Repo Jacking, jump straight to our Analysis.
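The mitigation stated in the excerpt (no direct GitHub URL dependencies, or pin them) can be checked mechanically. The following is an added example, not code from the SecurityInnovation post: it walks a package.json and reports every dependency npm would fetch from GitHub rather than the registry, marking whether the ref is a full commit SHA; the sample manifest, its owners, repos and SHA are constructed.

```python
"""Flag package.json dependencies that npm fetches straight from GitHub."""
import json
import re

# Spec forms npm resolves through GitHub instead of the registry. Registry
# ranges ("^1.2.3", "~2.0", "1.x") never contain "/", so they do not match.
GITHUB_SPEC = re.compile(
    r"^(?:github:|git\+https://github\.com/|git\+ssh://git@github\.com/|"
    r"git://github\.com/|https://github\.com/)?"
    r"(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?"
    r"(?:#(?P<ref>.+))?$"
)
# A full commit SHA names content; a tag, branch or missing ref resolves to
# whatever the current holder of the owner/repo path serves.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def audit(package_json):
    """Return one finding per GitHub-hosted dependency with its parsed
    owner/repo/ref and whether the ref is an immutable commit SHA."""
    manifest = json.loads(package_json)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            match = GITHUB_SPEC.match(spec)
            if not match:
                continue  # registry range, file:, link:, npm: or non-GitHub URL
            ref = match.group("ref") or "HEAD"
            findings.append({
                "section": section, "name": name,
                "owner": match.group("owner"), "repo": match.group("repo"),
                "ref": ref, "pinned": bool(FULL_SHA.match(ref)),
            })
    return findings

def unpinned(package_json):
    """Names of GitHub-hosted dependencies that follow a mutable ref."""
    return [f["name"] for f in audit(package_json) if not f["pinned"]]

# Constructed manifest for demonstration; owners, repos and the SHA are made up.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "left-pad": "^1.3.0",
    "some-lib": "github:old-username/some-lib#v2.1.0",
    "other-lib": "git+https://github.com/example-org/other-lib.git#9fceb02d0ae598e95dc970b74767f19372d61af8",
    "tool": "another-user/tool"
  },
  "devDependencies": {"linter": "git+ssh://git@github.com/example-org/linter.git#main"}
}"""
```

Running `unpinned(SAMPLE_PACKAGE_JSON)` returns the three dependencies that would follow a renamed or re-registered owner; a lock file with resolved commit hashes closes the same gap for the pinned case.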



Source: SecurityInnovation
Source Link: https://blog.securityinnovation.com/repo-jacking-exploiting-the-dependency-supply-chain



