GitHub fixes race condition that could have led to ‘repojacking’

GitHub has fixed a race condition vulnerability in its repository creation and user renaming operations that could have enabled threat actors to perform what is known as a repojacking attack.

Discovered and disclosed by researchers from Checkmarx, had the flaw been exploited, it could have been used to take control of code repositories and hijack them to distribute malicious code. It would also have had bad implications for the reputations of those who fell victim to it.

“Repojacking is a technique where an attacker takes control of a GitHub repository by exploiting a logical flaw that renders renamed users vulnerable,” wrote Elad Rapoport of Checkmarx.

“The attacker hijacks a legitimate, often popular, namespace on GitHub. A namespace is the combination of the username and repo name, for example: example-user/example-repo.”

Namespaces on GitHub become vulnerable to repojacking when the original username is changed using the “user rename” feature. When a GitHub user renames themselves, GitHub does not set up redirects for their old profile page or Pages sites, but does create redirects for their repositories. Users are made aware of this via a pop-up during the process.

Unfortunately, in doing so, the old username also becomes available for anybody else to claim, so once the user has been successfully renamed, a malicious actor can claim their old username, open a repo under the matching repo name, and hijack the namespace.

Other flaws in this process have previously been identified and fixed, and GitHub did have protection measures available – notably retiring popular repositories (those with more than 100 clones at the time of renaming) so that the username couldn’t be taken.

However, Rapoport found he was able to bypass these fixes by taking advantage of a race condition between the creation of a repository and the renaming of a username, by almost simultaneously doing both – using an API request for repository creation and a renamed request interception for the username change.

“Successful exploitation enables the takeover of popular code packages in several package managers, including ‘Packagist,’ ‘Go,’ ‘Swift’ and more,” he said. “We have identified over 4,000 packages in those package managers using renamed usernames and are at risk of being vulnerable to this technique in case a new bypass is found. Of these packages at risk, hundreds of them have garnered over 1,000 stars on GitHub.

“In addition, exploiting this bypass can also result in a takeover of popular GitHub actions, which are also consumed by specifying a GitHub namespace. Poisoning a popular GitHub action could lead to major supply chain attacks with significant repercussions.”

Although this repojacking issue has been fixed, it is the fourth one found in the past couple of years – three in 2022 alone – and Rapoport said it spoke to persistent risks associated with the popular repository namespace retirement mechanism.

“Many GitHub users, including users that control popular repositories and packages, choose to use the ‘user rename’ feature GitHub offers,” he said. “For that reason, the attempt to bypass the ‘popular repository namespace retirement’ remains an attractive attack point for supply chain attackers with the potential to cause substantial damages.”

In spite of the fix, Checkmarx is recommending that users avoid using retired namespaces to minimise their attack surface, and make sure there are no code dependencies that may leave a GitHub repository vulnerable. It offers its own open source tool, Chainjacking, which can assist with this.