GitHub Actions misconfiguration may lead to code repository hijacking and leaking of confidential information – Passionategeekz

Team Passionategeekz
3 Min Read


Passionategeekz: On June 19, a research team from cloud-native security company Sysdig reported that developers and repository maintainers are misconfiguring GitHub Actions in ways that risk code repository hijacking and leakage of confidential information.

Citing Wu Dan's report, Passionategeekz notes that the team traced the core problem to abuse of the pull_request_target trigger. Unlike the regular pull_request event, pull_request_target runs in the context of the base branch of the target repository rather than in the context of the merge commit, so the workflow definition is taken from the base branch and runs with the base branch's privileges even when the pull request comes from a fork.

This means the workflow can access the repository's secrets (such as API keys) and a GITHUB_TOKEN that, under the default settings, may carry write permissions. The typical exploitation path is a workflow that also checks out and executes code from the pull request head (for example, actions/checkout pointed at the PR's head ref, followed by an install, build or test step). If the developer does not restrict permissions, an attacker who opens such a pull request can steal the token and take control of the repository through malicious code injection.

After scanning dozens of open source repositories, the researchers found several high-risk cases:

  • Spotipy library: In Spotify's open source Python library Spotipy, an attacker could inject malicious Python package code through a pull request and steal GITHUB_TOKEN and other secrets. The Spotify team has fixed the vulnerability.

  • MITRE repository: A similar vulnerability existed in the repository of a cybersecurity analysis tool maintained by MITRE; the researchers were able to steal tokens and escalate privileges, and MITRE quickly patched the problem.

  • Splunk security_content: In another case, an attacker could leak two secrets from Splunk's security_content repository. Although the token's permissions were limited (read only), the case still exposed a configuration flaw.

Stefan Chierici, director of threat research at Sysdig, pointed out that if an attacker can extract a highly privileged GITHUB_TOKEN, he can tamper with workflow code, steal all secrets, and even modify files on the main branch, gaining almost complete control of the repository.

He stressed that the use of pull_request_target is complex, and developers need to fully understand its security risks and avoid "blind dependence" on it. Although this feature is safe to use, it is recommended to enable it only when necessary and to strictly restrict access.
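The pattern described above, as an added example that is not part of the original article and not the Sysdig research or any of the affected projects' real workflow files: two constructed workflow definitions, one reproducing the misconfiguration (pull_request_target, checkout of the PR head, an install step that executes code from the checked-out tree, secrets in scope, no permissions block) and one hardened form (plain pull_request, read-only GITHUB_TOKEN, no PR-head checkout), plus a text-level audit function that flags the dangerous combination. The audit is a deliberately simple regex scan rather than a full YAML parse, and the workflow contents, job names and the API_KEY secret are assumptions made for illustration.

```python
import re

# Constructed example workflow (not any real project's file): reproduces the
# misconfiguration the article describes. The checkout pulls the untrusted PR
# head, and "pip install -e ." executes setup.py/pyproject hooks from that tree
# while repository secrets and a privileged GITHUB_TOKEN are in scope.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -e .
      - run: pytest
        env:
          API_KEY: ${{ secrets.API_KEY }}
"""

# Constructed hardened form: the ordinary pull_request trigger runs in the
# merge-commit context without secrets for forks, and the token is read-only.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e .
      - run: pytest
"""

# Expressions that make a checkout step fetch the attacker-controlled PR head.
PR_HEAD_REFS = (
    "github.event.pull_request.head.sha",
    "github.event.pull_request.head.ref",
    "github.head_ref",
)


def audit_workflow(text: str) -> list:
    """Return a list of findings for one workflow file's text.

    Only pull_request_target is privileged; a workflow that uses the plain
    pull_request trigger is not flagged at all.
    """
    findings = []
    if not re.search(r"^\s*pull_request_target\s*:", text, re.M):
        return findings

    checks_out_head = any(ref in text for ref in PR_HEAD_REFS)
    runs_steps = re.search(r"^\s*-\s*run\s*:", text, re.M) is not None
    references_secrets = "secrets." in text
    has_permissions_block = re.search(r"^\s*permissions\s*:", text, re.M) is not None

    if checks_out_head and runs_steps:
        findings.append(
            "pull_request_target checks out the PR head and then runs steps: "
            "untrusted code executes with repository secrets and a privileged GITHUB_TOKEN"
        )
    elif checks_out_head:
        findings.append(
            "pull_request_target checks out the PR head; any build step that "
            "executes repository files would run attacker-controlled code"
        )
    if references_secrets:
        findings.append("secrets are referenced in a pull_request_target workflow")
    if not has_permissions_block:
        findings.append(
            "no permissions: block; GITHUB_TOKEN keeps the repository default, "
            "which may be read/write"
        )
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "no findings")
```

The audit reports three findings for the vulnerable workflow and none for the hardened one. In practice the fix is usually to switch to pull_request, or, where pull_request_target is genuinely needed (labelling, commenting on PRs), to never check out or execute PR-head code in that job and to set an explicit minimal permissions block.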





