GitHub tokens leaked from prominent open source projects from Google and Microsoft
It has been discovered that GitHub authentication tokens have been leaked from several well-known open source projects on GitHub, including those from Google, Microsoft, Amazon Web Services (AWS), and Red Hat. The leakage of authentication tokens is said to have occurred through
ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts
https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
GitHub Actions artifacts found leaking auth tokens in popular projects
https://www.bleepingcomputer.com/news/security/github-actions-artifacts-found-leaking-auth-tokens-in-popular-projects/
Unit 42 researchers uncover critical GitHub Actions vulnerability
https://www.developer-tech.com/news/unit-42-researchers-critical-github-actions-vulnerability/
GitHub Actions is a continuous integration and continuous delivery (CI/CD) tool that automates the build, test, and deployment pipeline for your project. With GitHub Actions, you can create workflows that build and test pull requests made to your repository, and deploy merged pull requests to your production environment.
GitHub Actions has a function to save files generated during workflow execution as 'artifacts'. Unit 42, a threat intelligence team of cybersecurity company Palo Alto Networks, reported that information such as GitHub tokens and API keys had been leaked from well-known open source projects on GitHub through these artifacts.
The attack method, which Unit 42 calls 'ArtiPACKED,' is possible due to a combination of factors including insecure default settings on GitHub, user misconfigurations, and insufficient security checks. One of the issues is the configuration of the 'actions/checkout' action, which clones repository code and makes it available during workflow execution.
By default, the 'actions/checkout' action stores the GitHub token in the local .git directory to enable authenticated operations in workflows. However, if a user accidentally uploads the entire checkout directory as part of the artifacts, the GitHub token in the .git folder will be exposed. The same folder may also contain API keys, access tokens to cloud services, various account credentials, etc.
Another issue is CI/CD pipelines that use environment variables to store GitHub tokens. If actions or scripts in your workflow intentionally or accidentally log these data, the logs will be uploaded as artifacts.
Unit 42 claims that these issues could allow malicious attackers to extract GitHub tokens from artifacts logs and exploit them before they expire. Unit 42 also claims that it can identify projects and public repositories that use GitHub Actions and scan them with automated scripts to narrow down the targets of attacks.
If a malicious actor discovers a GitHub token, they may be able to access private repositories, steal private source code, or inject malicious code.
As a result of Unit 42's investigation, we discovered that the following 14 large open source projects had publicly exposed artifacts containing GitHub tokens. We have already contacted the following projects, and they have reported that they have fixed the issue.
・firebase/firebase-js-sdk (Google)
・microsoft/TypeScript-repos-automation, microsoft/json-schemas, microsoft/typescript-bot-test-triggerer, Azure/draft (Microsoft)
・Ubuntu/adsys (Canonical)
・quay/clair (Red Hat)
・CycloneDX/cdxgen (OWASP)
・opensearch-project/security (AWS)
・penrose/penrose
・Aiven-Open/guardian-for-apache-kafka
・Deckhouse/Deckhouse
・datalad/git-annex
・schemacrawler/SchemaCrawler
・zama-ai/concrete-ml
・official-stockfish/Stockfish
・libevent/libevent
Unit 42 also reported this issue to GitHub's bug bounty program, but GitHub classified the issue as 'information' rather than a bug and determined that users are responsible for protecting their uploaded artifacts.
Related Posts:
in Software, Web Service, Security, Posted by log1h_ik