Sensitive data published through GitHub can be accessed even after being deleted
Facepalm: Researchers are rediscovering a previously known issue with GitHub, a platform used by hundreds of millions of developers around the world. They are even proposing a new class of vulnerabilities to describe the problem, but the company doesn't seem interested in addressing it.
Security analysts at Truffle Security confirmed that developers can access data from deleted forks, deleted repositories, and even private repositories hosted on GitHub. The issue could be exploited as a potent attack vector by malicious actors, and the researchers have coined a new term to describe it: Cross Fork Object Reference (CFOR).
A CFOR vulnerability occurs when one fork of a GitHub repository can access sensitive data that was committed to another fork in the same repository network. Data from private and deleted forks can be retrieved directly by a rogue third party who knows the SHA-1 hash of the relevant commit: every git commit is identified by the hash of its contents, and that identifier is the same wherever the commit is stored on GitHub's servers.
Truffle analysts demonstrated the CFOR issue by forking a previously created repository, committing data to it, and then deleting the fork. A commit to the now-deleted fork would still be accessible through the original repository, indicating that the data is stored on GitHub servers even after developers believe they have deleted it for good.
The gist of the issue, the researchers said, is that “destructive” actions on GitHub’s repository network remove references to commits but don’t erase the actual data. Commits are no longer available through the “standard” GitHub UI and normal git operations, but a previously known commit hash can still be used to access them directly.
How can this be a security issue? Truffle Security noted that commits in public repositories can inadvertently contain highly sensitive data, including passwords or supposedly "secret" API keys. Even a short prefix of an SHA-1 hash can be enough to reach a "deleted" commit, because GitHub resolves abbreviated hashes to the full commit ID behind the scenes, much as git itself does.
The researchers were able to "easily" find 40 valid API keys from deleted forks related to commonly forked public repositories from a "large" AI company. "Commit hashes can be brute-forced through GitHub's UI, particularly because the git protocol permits the use of short SHA-1 values when referencing a commit," the researchers explained. A short SHA-1 is the shortest prefix that still identifies exactly one object in the repository, and a prefix of just four hexadecimal characters is enough to start hunting for "deleted" secrets in GitHub commits.
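To make the mechanism concrete, here is an added Python model of a fork network; it is illustration code written for this article, not Truffle Security's tooling and not GitHub's implementation. It assumes a simplified picture that matches what the researchers describe: all forks share one content-addressed object store, a fork owns only refs (branch pointers), deleting the fork drops those refs and nothing else, and abbreviated hashes resolve the way `git show <abbrev>` resolves them. The class and function names, the sample repositories, the AWS-style key pattern and the `AKIAIOSFODNN7EXAMPLE` value (AWS's published example key) are all constructed for the example.

```python
import hashlib
import itertools
import re
from typing import Dict, Optional, Set


def git_object_id(obj_type: str, payload: bytes) -> str:
    """SHA-1 of a git object exactly as git computes it: "<type> <size>\\0" + payload."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


class ForkNetwork:
    """Hypothetical model of a repository network (not GitHub's implementation):
    every fork shares one content-addressed object store, and a fork owns
    nothing but refs (branch pointers) into that store."""

    def __init__(self) -> None:
        self.objects: Dict[str, bytes] = {}          # sha1 -> raw object payload
        self.refs: Dict[str, Dict[str, str]] = {}    # fork -> {branch -> commit sha1}

    def commit(self, fork: str, branch: str, message: str, file_content: bytes) -> str:
        """Store a blob plus a simplified commit pointing at it, and move the branch."""
        blob_id = git_object_id("blob", file_content)
        self.objects[blob_id] = file_content
        # Real commits also carry tree/parent/author headers; omitted for brevity.
        payload = f"blob {blob_id}\n\n{message}\n".encode()
        commit_id = git_object_id("commit", payload)
        self.objects[commit_id] = payload
        self.refs.setdefault(fork, {})[branch] = commit_id
        return commit_id

    def delete_fork(self, fork: str) -> None:
        """The 'destructive' action: the fork's refs disappear, its objects do not."""
        self.refs.pop(fork, None)

    def listed_commits(self) -> Set[str]:
        """What the UI and ordinary git operations show: ref-reachable commits only."""
        return {sha for branches in self.refs.values() for sha in branches.values()}

    def resolve(self, abbrev: str) -> Optional[bytes]:
        """Resolve a full or abbreviated SHA-1 as git does: the prefix must match
        exactly one stored object. Unknown or ambiguous prefixes return None."""
        abbrev = abbrev.lower()
        matches = [sha for sha in self.objects if sha.startswith(abbrev)]
        return self.objects[matches[0]] if len(matches) == 1 else None


# Constructed detector for one secret shape (AWS access key IDs); real scanners use many.
SECRET_RE = re.compile(rb"AKIA[0-9A-Z]{16}")


def secret_in_commit(net: ForkNetwork, payload: bytes) -> Optional[str]:
    """Follow the simplified commit's 'blob <sha>' header and scan the file content."""
    header = re.match(rb"blob ([0-9a-f]{40})\n", payload)
    if not header:
        return None  # the object resolved to a blob, not a commit
    content = net.objects.get(header.group(1).decode(), b"")
    found = SECRET_RE.search(content)
    return found.group().decode() if found else None


def brute_force_short_shas(net: ForkNetwork, length: int = 4) -> Dict[str, str]:
    """Try every hex prefix of the given length (16**4 = 65,536 for four characters)
    and keep those that resolve to a commit whose file content holds a secret."""
    hits: Dict[str, str] = {}
    for digits in itertools.product("0123456789abcdef", repeat=length):
        prefix = "".join(digits)
        payload = net.resolve(prefix)
        if payload is None:
            continue
        secret = secret_in_commit(net, payload)
        if secret:
            hits[prefix] = secret
    return hits


def demo() -> dict:
    """Constructed scenario: a contributor forks, commits a key, then deletes the fork."""
    net = ForkNetwork()
    net.commit("upstream", "main", "initial import", b"# project readme\n")
    leaked = net.commit("contributor-fork", "main", "wip: local config",
                        b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")  # AWS's documented example key
    net.delete_fork("contributor-fork")
    return {
        "leaked_commit": leaked,
        "listed_anywhere": leaked in net.listed_commits(),     # False: the refs are gone
        "by_full_hash": net.resolve(leaked) is not None,       # True: the object is still stored
        "by_four_chars": net.resolve(leaked[:4]) is not None,  # True unless the prefix collides
        "brute_forced": brute_force_short_shas(net),           # {prefix: key}
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that `listed_commits()` is the only thing `delete_fork()` changes: `resolve()` still answers for the full hash and for a four-character prefix, and an enumeration of all 65,536 four-character prefixes turns up the key without knowing any hash in advance. On a real network the search space is the same size; what grows is the number of objects a prefix can collide with, which is why the researchers talk about short SHA-1 values of the minimum unambiguous length rather than a fixed four characters.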
GitHub responded to CFOR claims by Truffle Security, stating that this is the intended, documented behavior of the development platform. Truffle isn’t convinced, noting that the service should implement new measures to avoid CFOR. Other git-based platforms such as Bitbucket and GitLab are likely affected by the same issue, the researchers said.