Researchers claim that deleted GitHub data remains accessible to anyone forever

Published:

spot_img

GitHub Vulnerability Exposes Sensitive Data Even After Deletion: Researchers

GitHub’s design flaw has been exposed by researchers at Truffle Security, who have identified a vulnerability that allows malicious actors to access sensitive information even after users believe they have deleted it. This flaw, known as Cross Fork Object Reference (CFOR), enables one repository fork to access data from another fork, including private and deleted forks.

The researchers claim that GitHub intentionally designed its system to keep copies of data accessible forever, even after changes such as deletions or visibility adjustments. This means that sensitive information, such as API keys and secrets, may still be accessible through other parts of the network.

GitHub, a popular collaboration tool for software developers with over 100 million users, may inadvertently expose organizations to data breaches due to this flaw. The researchers found that even after a fork is deleted or a private repository is made public, the data can still be accessed through existing forks.

To protect users, GitHub hashes snapshots of in-progress projects, but researchers warn that these hashes can be brute-forced or accessed through GitHub’s public events API. Despite GitHub’s documentation outlining the accessibility of data, many users may not be aware that separating private and public repositories does not guarantee privacy.

This vulnerability poses significant risks to organizations, as confidential information such as API keys, passwords, and proprietary code could be exposed. In a related incident, researchers from Check Point uncovered a sophisticated phishing ring on GitHub targeting gamers, social media enthusiasts, and crypto holders through malicious repositories. This highlights the importance of addressing security vulnerabilities on platforms like GitHub to prevent data breaches and protect sensitive information.

spot_img

Related articles

Recent articles

Aussie Firm Skeggs Goldstien Confirms Qilin Ransomware Attack

Investigation Underway at Skeggs Goldstien Following Cybersecurity Incident Cybersecurity Breach Confirmed Skeggs Goldstien, a financial services company based in New South Wales, Australia, is currently addressing...

IHC Unveils $1 Billion AI-Powered Reinsurance Platform RIQ in Abu Dhabi

IHC Launches Revolutionary Reinsurance Platform in Abu Dhabi International Holding Company (IHC), a prominent investment firm based in the UAE, has unveiled the Reinsurance Intelligence...

Over 269,000 Websites Hit by JSFireTruck JavaScript Malware in Just One Month

Jun 13, 2025Ravie LakshmananWeb Security / Network Security The Rise of JSFireTruck: A New Threat in Web Security Cybersecurity experts have recently highlighted a significant threat...

Will You Fall in Love with Your AI Twin?

Embracing Our AI Twins: A Journey Toward Collaborative Intelligence The Concept of Digital Twins Imagine a world where a version of you—enhanced, fast-thinking, and caffeine-free—exists in...