GitHub Vulnerability Exposes Sensitive Data Even After Deletion: Researchers
GitHub’s design flaw has been exposed by researchers at Truffle Security, who have identified a vulnerability that allows malicious actors to access sensitive information even after users believe they have deleted it. This flaw, known as Cross Fork Object Reference (CFOR), enables one repository fork to access data from another fork, including private and deleted forks.
The researchers claim that GitHub intentionally designed its system to keep copies of data accessible forever, even after changes such as deletions or visibility adjustments. This means that sensitive information, such as API keys and secrets, may still be accessible through other parts of the network.
GitHub, a popular collaboration tool for software developers with over 100 million users, may inadvertently expose organizations to data breaches due to this flaw. The researchers found that even after a fork is deleted or a private repository is made public, the data can still be accessed through existing forks.
To protect users, GitHub hashes snapshots of in-progress projects, but researchers warn that these hashes can be brute-forced or accessed through GitHub’s public events API. Despite GitHub’s documentation outlining the accessibility of data, many users may not be aware that separating private and public repositories does not guarantee privacy.
This vulnerability poses significant risks to organizations, as confidential information such as API keys, passwords, and proprietary code could be exposed. In a related incident, researchers from Check Point uncovered a sophisticated phishing ring on GitHub targeting gamers, social media enthusiasts, and crypto holders through malicious repositories. This highlights the importance of addressing security vulnerabilities on platforms like GitHub to prevent data breaches and protect sensitive information.