
Using CloudSEK’s security search engine BeVigil, CloudSEK Threat Intel researchers have found 159 private GitHub projects containing the source code of 10 firms. These repositories were reachable because they held the source code of Android apps with hardcoded GitHub Personal Access Tokens.
GitHub is one of the world's largest software development platforms. It reports having over 83 million developers and more than 200 million repositories. Its popularity can be attributed to how well it captured what software developers truly want and delivered it in a near-perfect manner. GitHub is the 74th most visited website in the world and has had over 387.8 million visits in the past 3 months, which makes this disclosure all the more significant: a weakness touching a software giant of this stature could affect a great many companies and developers.
CloudSEK’s researchers, using BeVigil, CloudSEK’s security search engine, were able to find 129 private GitHub repositories that contained the source code of 10 organizations. The repositories were discoverable because they contained source code of Android apps with hardcoded GitHub Personal Access Tokens. BeVigil determined that, with these tokens, an attacker has full access to the repositories of the exposed companies, including private ones: read/write access to code, commit statuses, repository and organization projects, invitations, collaborators, team memberships, deployment statuses, and repository webhooks for repositories and organizations, as well as the ability to manage user projects. Such a token can further be granted the ability to delete packages from GitHub, which could prove fatal for the company’s infrastructure. Find the full report [HERE]
Whenever a user submits an Android application for scanning, that application is indexed in BeVigil's search section, which therefore holds all the popular apps submitted by users. A set of regexes is used to find secrets in the scanned applications. Using the regex for GitHub access tokens, the security research team found the tokens hardcoded into the applications, meaning developers embedded these keys directly in the source code and left them exposed to attackers. Because of that, the BeVigil scan uncovered all of the organizations' source code in private repositories that should not have been visible to anyone. Unfortunately, this kind of exposure is not uncommon; it is another instance of an API-security weakness found passively by the BeVigil team (see the recent Razorpay disclosure).
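The regex-based detection described above, as an added example that is not part of the article or of BeVigil's own code: a small scanner that runs GitHub's token formats over a constructed string dump from a decompiled app, redacts each match in its report, and uses a character-entropy bound to tell placeholder strings apart from real-looking tokens. The token shapes (a ghp_, gho_, ghu_ or ghs_ prefix followed by 36 alphanumerics, and github_pat_ followed by 22 characters, an underscore and 59 characters) are the formats GitHub uses; the entropy threshold, the sample dump and every token-shaped value in it are assumptions constructed for this example and are not real credentials.

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple

# Token formats GitHub issues: classic PATs (ghp_), OAuth access tokens (gho_),
# user-to-server (ghu_) and server-to-server (ghs_) tokens are a prefix plus
# 36 alphanumerics; fine-grained PATs are github_pat_ + 22 chars + "_" + 59 chars.
TOKEN_PATTERNS = {
    "classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "oauth_token": re.compile(r"\bgho_[A-Za-z0-9]{36}\b"),
    "app_token": re.compile(r"\bgh[us]_[A-Za-z0-9]{36}\b"),
    "fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}

# Placeholders such as "ghp_xxxx..." have the right shape but no randomness;
# real tokens sit well above this bound (bits per character). Assumed threshold.
MIN_ENTROPY_BITS = 3.0


class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str
    entropy: float
    likely_placeholder: bool


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    """Keep the prefix and the last four characters: identifiable in a report, unusable as a credential."""
    return f"{token[:7]}...{token[-4:]}"


def scan_text(text: str) -> List[Finding]:
    """Scan lines of text (e.g. strings dumped from a decompiled APK) for GitHub token shapes."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                # measure entropy on the random body only, not on the fixed prefix
                prefix_len = len("github_pat_") if kind == "fine_grained_pat" else 4
                ent = shannon_entropy(token[prefix_len:])
                findings.append(
                    Finding(line_no, kind, redact(token), round(ent, 2), ent < MIN_ENTROPY_BITS)
                )
    return findings


# Constructed sample resembling `strings` output from a decompiled app.
# The token-shaped values are fabricated for this example, not real credentials.
SAMPLE_DUMP = "\n".join([
    '<string name="app_name">Demo Shop</string>',
    'private static final String GH_TOKEN = "ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789";',
    'private static final String GH_TOKEN_TEMPLATE = "ghp_' + "x" * 36 + '";',
    'url = "https://api.github.com/repos/example-org/example-repo/contents/config.json"',
    "Authorization: Bearer github_pat_ABCDEFGHIJKLMNOPQRSTUV_"
    "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVW",
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DUMP):
        flag = " (placeholder?)" if f.likely_placeholder else ""
        print(f"line {f.line_no}: {f.kind} {f.redacted} entropy={f.entropy}{flag}")
```

Run against a real dump, the scanner reports the line and a redacted token so the finding can be triaged without copying the secret into a ticket; the placeholder flag keeps template strings such as the one on line 3 from being treated as live credentials.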
The full list of repositories that we discovered in our analysis can be found below:

| Package | Title | Category | Installs | Total Private Repo Leaking |
|---|---|---|---|---|
| | Grofers is now blinkit | | 10,000,000+ | 26 |
| | Line - Get cash now. Pay later. | Lifestyle | 100000 | 13 |
| | Pizza Hut Sverige | Food and Drink | 50000 | 6 |
| | Gini: Nutrition Tracker & Smart Vitamins | Health and Fitness | 10000 | 30 |
| | Waynes Coffee | Food and Drink | 10000 | 6 |
| | Sneakerdraws | Shopping | 5000 | 16 |
| | Gronda - For Chefs & Foodies | Social | 100000 | 25 |
| | Discover Seoul Pass | Travel and Local | 10000 | 0 |
| | TruckMap - Truck GPS Routes | Maps & Navigation | 100000 | 0 |
| | Cricuru | Business | 10000 | 10 |
| | Holy Greens | Education | 10000 | 6 |
| com.app.calgarycoopconnect | Team Co-op | Business | 500 | 10 |
| | Flyx - Talk Fav Movies, Shows | Entertainment | 50000 | 3 |
| se.leeroygroup.nakedjuicebar | Naked Juiceba | Food_And_Drink | 100 | 6 |
| com.StockMarketAlarms.StockAlarm | Stock Alarm - Alerts, Screener | Finance | 10000 | 14 |
Remediation and Mitigation
The first step in keeping your key hidden is to ensure a correct versioning process. Code pushes are frequently not subjected to a thorough examination; the codebase should be examined, reviewed, and approved for publication before it is versioned, since key exposure is less likely under standardized procedures. Moving your tokens outside the source file structure is another smart way to keep them out of sight: refer to the token through a variable instead. An environment variable makes it much easier to refer to the same token in different locations, saving time and enhancing security. As a large proportion of hardcoded tokens come from old codebases, rotating them routinely helps mitigate the risk of leaked tokens; a token that is no longer in use is unlikely to cause any real damage once it has been invalidated.

Security keys and secrets: start hashing and encrypting your key, both in transit and at rest. Done correctly, this adds very little overhead to your interaction times, but it ensures that man-in-the-middle attacks or other breaches are difficult to leverage into larger losses.

As a security measure, GitHub automatically removes personal access tokens that have not been used in a year. It is strongly advised to set an expiration date on your personal access tokens for added security. Limiting the number of scopes a token can authorize on its own can help deter some attacks. Many flooding attacks can be avoided by establishing a hard limit on how much can be done in a short amount of time; the same limit can also curb data exfiltration, abusive API usage, and concurrent connections. Before pushing your code to GitHub, ensure that it undergoes vigorous security checks so that no hardcoded secrets can leak. Use environment variables whenever you are dealing with sensitive data. Preventing is always better than
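The scope-limiting, expiration and environment-variable recommendations above, as an added example that is not part of the article: a small audit that loads the token from the environment and fails closed when it is absent, then judges the token from the headers of one authenticated GitHub API response, flagging scopes beyond what the job needs, singling out the high-risk ones, and noting whether an expiration is set. GitHub reports a classic token's scopes in the X-OAuth-Scopes response header and, when the token has an expiration date, the date in the GitHub-Authentication-Token-Expiration header; fine-grained tokens do not populate X-OAuth-Scopes. The GITHUB_TOKEN variable name, the REQUIRED set, the choice of high-risk scopes and the sample headers are assumptions constructed for this example.

```python
import os
import urllib.request
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional

# Classic-token scopes that hand out far more than a read-only job needs (assumed
# selection). "repo" alone is what the article describes: read/write on every
# private repository the token's owner can reach.
HIGH_RISK_SCOPES = {
    "repo", "delete_repo", "workflow", "admin:org", "admin:repo_hook",
    "admin:org_hook", "write:packages", "delete:packages",
}


class TokenAudit(NamedTuple):
    granted: List[str]            # scopes GitHub reports for the token
    excess: List[str]             # granted but not in the job's required set
    high_risk: List[str]          # excess scopes that are also high-risk
    expires_at: Optional[datetime]
    ok: bool                      # no excess scopes and an expiration is set


def load_token(env_var: str = "GITHUB_TOKEN") -> str:
    """Take the token from the environment and fail closed; never fall back to a literal."""
    token = os.environ.get(env_var)
    if not token:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a credential")
    return token


def parse_scopes(header_value: Optional[str]) -> List[str]:
    """Parse the X-OAuth-Scopes header ("repo, read:org") into a list of scope names."""
    if not header_value:
        return []
    return [s.strip() for s in header_value.split(",") if s.strip()]


def parse_expiration(header_value: Optional[str]) -> Optional[datetime]:
    """Parse the GitHub-Authentication-Token-Expiration header ("2030-01-31 12:00:00 UTC")."""
    if not header_value:
        return None
    return datetime.strptime(header_value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def audit_headers(headers: Dict[str, str], required: set) -> TokenAudit:
    """Judge a token from the response headers of one authenticated API call."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    granted = parse_scopes(lower.get("x-oauth-scopes"))
    excess = sorted(set(granted) - required)
    high_risk = sorted(set(excess) & HIGH_RISK_SCOPES)
    expires_at = parse_expiration(lower.get("github-authentication-token-expiration"))
    return TokenAudit(granted, excess, high_risk, expires_at,
                      ok=(not excess and expires_at is not None))


def fetch_headers(token: str) -> Dict[str, str]:
    """Live lookup (needs network): one authenticated request; only the headers are used."""
    req = urllib.request.Request("https://api.github.com/user",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed response headers standing in for a real API reply: a token issued
# with full "repo" and "delete:packages" where read-only access would do.
SAMPLE_HEADERS = {
    "X-OAuth-Scopes": "repo, read:org, delete:packages",
    "GitHub-Authentication-Token-Expiration": "2030-01-31 12:00:00 UTC",
}
# Scopes the job actually needs (assumption for the example).
REQUIRED = {"read:org"}

if __name__ == "__main__":
    audit = audit_headers(SAMPLE_HEADERS, REQUIRED)
    print(f"granted={audit.granted} excess={audit.excess} "
          f"high_risk={audit.high_risk} expires={audit.expires_at} ok={audit.ok}")
    # To audit a live token instead: audit_headers(fetch_headers(load_token()), REQUIRED)
```

The audit never stores or prints the token itself; it only reports what the token can do, which is what a rotation or scope-reduction ticket needs. Running it against tokens found in a scan gives a quick ranking of which ones to revoke first: an over-scoped token with no expiration is the worst case.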