high

Repo swatting attack deletes/blocks GitHub and GitLab accounts

Published Fri, Nov 1st, 2024

Platforms

Summary

A technique called "repo swatting" allows attackers to delete GitHub and block GitLab accounts by exploiting file upload features and abuse reporting mechanisms. Attackers upload malicious files to a target's repository, then report the account for hosting malicious content, potentially resulting in account deletion. The vulnerability was partially mitigated by October 2024 via changes in upload URL paths and requirement for each uploader to be authenticated (in GitHub).

Affected Services

N/A

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://sourcecodered.com/repo-swatting/

Contributed by https://github.com/sshayb

Entry Status

Finalized

Disclosure Date

Fri, Nov 1st, 2024

Exploitablity Period

Ongoing, partially mitigated in October 2024

Known ITW Exploitation

Detection Methods

Monitor repositories for unexpected file uploads, especially executables or suspicious file types. Regularly review repository contents and activity logs for any anomalies or unauthorized changes.

Piercing Index Rating

Discovered by

Paul McCarty, SourceCodeRed

More vulnerabilities...

medium

AWS CDK Bucket Squatting Risk

The AWS Cloud Development Kit (CDK) is a way of deploying infrastructure-as-code. The vulnerability involves AWS CDK’s use of a predictable S3 bucket name format (cdk-{Qualifier}-assets-{Account-ID...

Ofek Itach, Yakir Kadkoda, ...

Thu, Oct 24th, 2024

Missing JWT issuer and signer validation in ALB middleware

Miggo Security

Mon, Oct 21st, 2024

low

Data exfil via VPC endpoint denials in CloudTrail

CloudTrail delivered events to the resource owner and API caller even when the API action was denied by the VPC endpoint policy. This could have enabled a stealthy data exfiltration method in cases...

Sam Cox, Tracebit

Tue, Oct 15th, 2024

View all