Millions of GitHub projects vulnerable to hacking
- June 26, 2023
Thousands of open source code repositories on GitHub could be at risk from a long-known attack technique called RepoJacking. That is the finding of cybersecurity company Aqua in a report based on a sample of more than a million GitHub repositories.
On analysis, Aqua found that close to three percent of the sampled repositories were vulnerable to a RepoJacking attack, which the authors say lets an attacker take over part or all of a GitHub project. The problem arises when the user or organization that owns a project renames its account. GitHub then redirects the old owner/repository path to the new one so that existing links, clone commands and dependency declarations keep working, but the old account name itself becomes free for anyone to register. Whoever registers the old name and creates a repository with the same name as the original takes over that redirect, and every project, build script or CI workflow that still fetches the code under the old path silently receives the attacker's version instead.
According to Aqua, GitHub has taken countermeasures, but they do not appear sufficient to stop every attack. GitHub's protection retires the namespace of a repository that had more than 100 clones in the week before its owner was renamed, so that the old name cannot be claimed again; repositories below that threshold are not covered, and the researchers show that the check can still be circumvented. “Despite attempts to block RepoJacking in recent years, attackers are still able to bypass security,” said Aqua's Ilay Goldman and Yakir Kadkoda. If an attack succeeds, the attacker can serve malicious code to anyone who still installs or builds from the old name, with all the consequences that entails. The report also walks through both manual and automated techniques for finding and claiming vulnerable names.
RepoJacking isn't a new phenomenon, as Silicon Angle notes. Checkmarx wrote about it in a blog post a year ago, and even then thousands of GitHub projects turned out to be open targets for attackers. Since then, despite several attempts by GitHub itself, the issue has still not been resolved. Aqua's sample was drawn from GitHub activity logs from June 2019, well before the Checkmarx article, and in it the company identified more than 36,000 vulnerable repositories.
Noting that several of the affected projects belong to big players such as Google, Aqua warned the parties involved before publishing its report. Precisely because the data predates the Checkmarx report, some account holders may already have taken steps to protect themselves; this was certainly the case with Google and Lyft, who told Aqua that the repositories concerned were no longer in use.
Aqua advises organizations that own open source projects on GitHub to regularly check their repositories, build scripts and CI configuration for references to external GitHub accounts, and to verify that every referenced owner name still resolves to the intended account. “If the organization changes its name, companies must ensure that they continue to use the old name. That way, they prevent attackers from using that old name to launch an attack,” Aqua said.
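A practical version of that check, added here as an example and not tooling from Aqua or GitHub: the script below pulls GitHub repository references out of arbitrary project files (URLs, Go-style import paths and GitHub Actions `uses:` lines), then asks the public GitHub REST API whether the owner account still exists and whether the old repository path still redirects, which is exactly the combination the rename mechanism above leaves behind. It relies on two documented API behaviours: `/users/{owner}` returns 404 when no account holds that name, and `/repos/{owner}/{repo}` answers 301 when the repository has been renamed or transferred. The sample file content, the owner names in it (acme-old, ghost-org) and the simulated API answers are constructed for the demonstration so it runs offline.

```python
"""Audit project files for GitHub references whose owner name has become
claimable after a rename (RepoJacking candidates).

Added example, not Aqua's or GitHub's tooling. Relies on two documented
GitHub REST API behaviours:
  GET /users/{owner}        -> 404 when no account holds that name
  GET /repos/{owner}/{repo} -> 301 when the repo was renamed/transferred
The sample content and simulated API answers below are constructed.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# https://github.com/OWNER/REPO..., git@github.com:OWNER/REPO.git, and
# Go-style import paths such as github.com/OWNER/REPO/pkg.
_GITHUB_REF = re.compile(
    r"github\.com[:/](?P<owner>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)"
    r"/(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?(?=[/\s\"'@#)>\]]|$)"
)
# GitHub Actions workflow steps: `uses: OWNER/REPO[/path]@ref`.
_ACTION_REF = re.compile(
    r"^\s*-?\s*uses:\s*(?P<owner>[A-Za-z0-9-]+)/(?P<repo>[A-Za-z0-9_.-]+)"
    r"(?:/[^@\s]+)?@",
    re.MULTILINE,
)


def extract_refs(text: str) -> List[Tuple[str, str]]:
    """Distinct (owner, repo) pairs referenced in `text`; GitHub names are
    case-insensitive, so differently-cased duplicates are folded."""
    refs: List[Tuple[str, str]] = []
    seen = set()
    for pattern in (_GITHUB_REF, _ACTION_REF):
        for m in pattern.finditer(text):
            ref = (m.group("owner"), m.group("repo"))
            key = (ref[0].lower(), ref[1].lower())
            if key not in seen:
                seen.add(key)
                refs.append(ref)
    return refs


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 301/302 instead of following them: the redirect is the signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def github_status(path: str, token: Optional[str] = None) -> int:
    """HTTP status of GET https://api.github.com{path}, redirects not followed.
    A token is optional but avoids the low unauthenticated rate limit."""
    req = urllib.request.Request(
        "https://api.github.com" + path,
        headers={"Accept": "application/vnd.github+json",
                 "User-Agent": "repojacking-audit"},
    )
    if token:
        req.add_header("Authorization", "Bearer " + token)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(owner_status: int, repo_status: int) -> str:
    """Combine the two probes into a verdict for one reference."""
    if repo_status == 301 and owner_status == 404:
        # Old path still redirects and nobody holds the old owner name:
        # anyone can register it and recreate the repository.
        return "REPOJACKABLE"
    if repo_status == 301:
        # Redirect live, but some account already holds the old name;
        # confirm that account is yours.
        return "redirect-owner-registered"
    if repo_status == 200:
        # Resolves today. A completed hijack looks exactly like this too.
        return "ok"
    return "dangling"  # neither the repository nor a redirect exists


def audit(text: str, status_fn: Callable[[str], int] = github_status) -> Dict[str, str]:
    """Map each 'owner/repo' reference found in `text` to its verdict."""
    verdicts: Dict[str, str] = {}
    for owner, repo in extract_refs(text):
        owner_status = status_fn(f"/users/{owner}")
        repo_status = status_fn(f"/repos/{owner}/{repo}")
        verdicts[f"{owner}/{repo}"] = classify(owner_status, repo_status)
    return verdicts


# Constructed sample: a go.mod line, a workflow step and an install script
# referencing the hypothetical owners acme-old and ghost-org.
SAMPLE_FILES = """
require github.com/acme-old/widget v1.2.0
      - uses: actions/checkout@v4
curl -sL https://github.com/ghost-org/installer/archive/main.tar.gz | tar xz
"""

# Simulated API answers standing in for github_status(): acme-old renamed
# itself (redirect live, old name unclaimed); ghost-org deleted everything;
# actions/checkout is untouched.
_SIMULATED = {
    "/users/acme-old": 404, "/repos/acme-old/widget": 301,
    "/users/actions": 200, "/repos/actions/checkout": 200,
    "/users/ghost-org": 404, "/repos/ghost-org/installer": 404,
}


def simulated_status(path: str) -> int:
    return _SIMULATED[path]


if __name__ == "__main__":
    for ref, verdict in audit(SAMPLE_FILES, simulated_status).items():
        print(f"{verdict:28} {ref}")
```

Run it with the real resolver (`audit(open("go.mod").read())`) to probe live names. A 200 on both probes does not prove a reference is safe: once an attacker has registered the old name and recreated the repository, the path resolves normally, so the script can only flag names that are claimable right now. Run it before any account rename, again afterwards, and register the old name yourself with a placeholder repository if anything is reported as REPOJACKABLE.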
Source: IT Daily
As an experienced journalist and author, Mary has been reporting on the latest news and trends for over 5 years. With a passion for uncovering the stories behind the headlines, Mary has earned a reputation as a trusted voice in the world of journalism. Her writing style is insightful, engaging and thought-provoking, as she takes a deep dive into the most pressing issues of our time.