{"id":33223,"date":"2024-05-08T06:34:29","date_gmt":"2024-05-08T10:34:29","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/?p=33223"},"modified":"2024-05-12T14:11:31","modified_gmt":"2024-05-12T12:11:31","slug":"beware-github-malicious-links","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/beware-github-malicious-links\/33223\/","title":{"rendered":"Malware lurking in &#8220;official&#8221; GitHub and GitLab links"},"content":{"rendered":"<p>One of the oldest security tips is: \u201cOnly download software from official sources\u201d. \u201cOfficial sources\u201d are usually the main app stores on each platform, but for millions of useful and free open-source apps, the most \u201cofficial\u201d source is the developer\u2019s repository on a dedicated site such as GitHub or GitLab. There, you can find the project\u2019s source code, fixes and additions to the code, and often a ready-to-use build of the app. These sites are familiar to anyone with even the slightest interest in computers, software, and programming. That\u2019s why it was an unpleasant discovery for many (including IT security specialists and the developers themselves) that a file accessible at a link like <em>github{.}com\/{User_Name}\/{Repo_Name}\/files\/{file_Id}\/{file_name}<\/em> could be published by someone other than the developer and contain\u2026 anything.<\/p>\n<p>Of course, cybercriminals immediately took advantage of this.\n<\/p>\n<h2>Breaking down the problem<\/h2>\n<p>\nGitHub and its close relative GitLab are built around collaboration on software development projects. A developer can upload their code, and others can offer additions, fixes, or even create forks \u2013 alternative versions of the app or library. If a user finds a bug in an app, they can report it to the developer by creating an issue report. Other users can confirm the issue in the comments. You can also comment on new versions of the app. 
If necessary, you can attach files to the comments, such as screenshots showing the error or documents that crash the application. These files are stored on GitHub\u2019s servers and served from links of the type described above.<\/p>\n<p>However, GitHub has one peculiarity: a file is uploaded, and its download link created, the moment it is attached to the comment form, not when the comment is posted. If the user never actually posts the comment, the draft stays invisible to both the repository owner and other GitHub users, yet the direct link to the attached file is already fully operational: anyone who follows it will receive the file from GitHub\u2019s CDN, under a URL that carries the name of the repository and its owner.<\/p>\n<div id=\"attachment_51206\" style=\"width: 1219px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2024\/05\/08123654\/beware-github-malicious-links-01.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51206\" class=\"size-full wp-image-51206\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2024\/05\/08123654\/beware-github-malicious-links-01.jpg\" alt=\"A download link for a malicious file is generated after the file is added to an unpublished comment on GitHub\" width=\"1209\" height=\"787\"><\/a><p id=\"caption-attachment-51206\" class=\"wp-caption-text\">A download link for a malicious file is generated after the file is added to an unpublished comment on GitHub<\/p><\/div>\n<p>Meanwhile, the owners of the repository whose name appears in that link cannot delete or block the file: because the comment was never published, they don\u2019t even know it exists. There are also no repository settings that restrict such uploads. The only option is to disable comments completely (on GitHub, you can do this for up to six months), but that would deprive developers of feedback.<\/p>\n<p>GitLab\u2019s commenting mechanism is similar, allowing files to be published via draft comments. 
The files are accessible via a link like <em>gitlab.com\/{User_Name}\/{Repo_Name}\/uploads\/{file_Id}\/{file_name}.<\/em><\/p>\n<p>However, the problem in this case is mitigated somewhat by the fact that only registered, logged-in GitLab users can upload files.\n<\/p>\n<h2>A gift for phishing campaigns<\/h2>\n<p>\nThanks to the ability to publish arbitrary files at links starting with GitHub\/GitLab and containing the names of respected developers and popular projects (because an unpublished comment with a file can be left in almost any repository), cybercriminals are presented with the opportunity to carry out very convincing phishing attacks. <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/github-comments-abused-to-push-malware-via-microsoft-repo-urls\/\" target=\"_blank\" rel=\"nofollow noopener\">Malicious campaigns<\/a> have already been discovered where \u201ccomments\u201d, supposedly containing cheating apps for games, are left in Microsoft repositories.<\/p>\n<p>A vigilant user might wonder why a gaming cheat would be in the Microsoft repository: <em>https:\/\/github{.}com\/microsoft\/vcpkg\/files\/\u2026..\/Cheat.Lab.zip<\/em>. But it\u2019s much more likely that the keywords \u201cGitHub\u201d and \u201cMicrosoft\u201d will reassure the victim, who won\u2019t scrutinize the link any further. Smarter criminals might disguise their malware even more carefully, for example, by presenting it as a new version of an app distributed through GitHub or GitLab and posting links via \u201ccomments\u201d on that app.\n<\/p>\n<h2>How to protect yourself from malicious content on GitHub and GitLab<\/h2>\n<p>\nWhile this design flaw remains unfixed and anyone can freely upload arbitrary files to the CDN of GitHub and GitLab, users of these platforms need to be extremely careful.\n<\/p>\n<ul>\n<li>Do not download files from direct GitHub\/GitLab links that you find in external sources \u2013 other websites, emails, or chats. 
Instead, open the project page (<em>github{.}com\/{User_Name}\/{Repo_Name}<\/em> or <em>gitlab{.}com\/{User_Name}\/{Repo_Name}<\/em>) and make sure that the file is actually offered for download there. Files that developers publish are visible in the repository itself (in its releases or committed files); a link whose path contains <em>\/files\/<\/em> (GitHub) or <em>\/uploads\/<\/em> (GitLab) right after the repository name is a comment attachment, which anyone who can comment is able to create under that project\u2019s name.<\/li>\n<li>Make sure you\u2019re on the right developer page \u2013 in GitHub, GitLab, and other open-source repositories, <a href=\"https:\/\/www.kaspersky.com\/blog\/lookalike-domains-in-bec\/48686\/\" target=\"_blank\" rel=\"noopener nofollow\">typosquatting<\/a> is common: creating fake projects with names that differ from the original by one or two letters (for example, Chaddev instead of Chatdev).<\/li>\n<li>Avoid downloading applications that have few stars (likes) and have been created recently.<\/li>\n<li>Use protection against malware and phishing on all your computers and smartphones. <a href=\"https:\/\/www.kaspersky.co.za\/premium?icid=en-za_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>\u00a0provides comprehensive protection for gamers and computer enthusiasts.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Can you catch malware by downloading files from Microsoft&#8217;s repositories on GitHub? Turns out, you can. 
Stay alert!<\/p>\n","protected":false},"author":2722,"featured_media":33226,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2670],"tags":[647,1057,3728,3057,76,422,131],"class_list":{"0":"post-33223","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-gamers","9":"tag-github","10":"tag-gitlab","11":"tag-open-source","12":"tag-phishing","13":"tag-threats","14":"tag-tips"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/beware-github-malicious-links\/33223\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/beware-github-malicious-links\/27407\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/beware-github-malicious-links\/22731\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/beware-github-malicious-links\/11672\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/beware-github-malicious-links\/30092\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/beware-github-malicious-links\/27562\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/beware-github-malicious-links\/27369\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/beware-github-malicious-links\/30022\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/beware-github-malicious-links\/28826\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/beware-github-malicious-links\/37388\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/beware-github-malicious-links\/12343\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/beware-github-malicious-links\/51203\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/beware-github-malicious-links\/21872\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/beware-github-malicious-links\/2
2606\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/beware-github-malicious-links\/31264\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/beware-github-malicious-links\/36366\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/beware-github-malicious-links\/27711\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/beware-github-malicious-links\/33561\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/33223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=33223"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/33223\/revisions"}],"predecessor-version":[{"id":33230,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/33223\/revisions\/33230"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/33226"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=33223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=33223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=33223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
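The two link shapes the article gives (github.com/{User_Name}/{Repo_Name}/files/{file_Id}/{file_name} and gitlab.com/{User_Name}/{Repo_Name}/uploads/{file_Id}/{file_name}) and the checklist's advice to open the project page instead of following the link can be turned into a small triage routine for links found in mail or chat. The Python below is an added example written for this page; it is not code from Kaspersky, GitHub or GitLab. It assumes the attachment URL patterns the article describes, GitHub's /releases/download/ path for release assets (general knowledge, not stated in the article), and a constructed allow-list of trusted projects; every sample link and identifier in it is made up.

```python
"""Triage a GitHub/GitLab download link before following it.

Added example for this article, not code from Kaspersky, GitHub or GitLab: it spots
the comment-attachment links the article describes, names the project page to
verify against, and flags lookalikes of projects on a constructed allow-list.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list (host, owner, repo), all lower-case, for the demo only.
TRUSTED_PROJECTS = {
    ("github.com", "microsoft", "vcpkg"),
    ("github.com", "openbmb", "chatdev"),
}


@dataclass(frozen=True)
class LinkVerdict:
    host: str
    owner: str
    repo: str
    kind: str                    # comment_attachment | release_asset | repo_page | other
    project_url: str             # open this by hand and check the file is really published
    lookalike_of: Optional[str]  # trusted project this one resembles but does not equal
    recommendation: str


def refang(url: str) -> str:
    """Undo the defanging used in write-ups ('github{.}com', 'hxxps') so the URL parses."""
    return url.replace("{.}", ".").replace("[.]", ".").replace("hxxp", "http")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (two-row dynamic programme); names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> LinkVerdict:
    parts = urlsplit(refang(url.strip()))
    host = parts.netloc.lower()
    host = host[4:] if host.startswith("www.") else host
    segs = [s for s in parts.path.split("/") if s]
    if host not in ("github.com", "gitlab.com") or len(segs) < 2:
        return LinkVerdict(host, "", "", "other", "", None,
                           "not a github.com/gitlab.com project link; treat as any other download")

    owner, repo, kind = segs[0], segs[1], "repo_page"
    if host == "github.com":
        tail = segs[2:]
        # Article's pattern: /{owner}/{repo}/files/{id}/{name} is a comment upload and is
        # served whether or not the comment was ever published.
        if len(tail) >= 3 and tail[0] == "files":
            kind = "comment_attachment"
        # Release assets sit under /releases/download/{tag}/{name}: GitHub's convention,
        # known from general use; the article itself does not spell it out.
        elif len(tail) >= 3 and tail[:2] == ["releases", "download"]:
            kind = "release_asset"
    else:
        # GitLab namespaces nest (group/subgroup/project), so locate the 'uploads'
        # segment and treat everything before it as namespace + project.
        idx = next((i for i, s in enumerate(segs) if s == "uploads" and i >= 2), None)
        if idx is not None and len(segs) >= idx + 3:
            kind = "comment_attachment"
            owner, repo = "/".join(segs[:idx - 1]), segs[idx - 1]

    key = (host, owner.lower(), repo.lower())
    project_url = f"https://{host}/{owner}/{repo}"
    lookalike = None
    if key not in TRUSTED_PROJECTS:
        for thost, towner, trepo in sorted(TRUSTED_PROJECTS):
            if thost == host and edit_distance(f"{key[1]}/{key[2]}", f"{towner}/{trepo}") <= 2:
                lookalike = f"{thost}/{towner}/{trepo}"
                break

    if kind == "comment_attachment":
        rec = ("do not download: comment attachment, which anyone who can comment may create "
               f"under this project's name; open {project_url} and look for the file there")
    elif lookalike:
        rec = f"do not download: '{owner}/{repo}' resembles {lookalike} but is not it"
    elif kind == "release_asset" and key in TRUSTED_PROJECTS:
        rec = "ok: release asset of a trusted project"
    else:
        rec = f"verify by hand: confirm the file is published at {project_url}"
    return LinkVerdict(host, owner, repo, kind, project_url, lookalike, rec)


if __name__ == "__main__":
    # Constructed sample link mirroring the article's example with a made-up file id.
    sample = "https://github{.}com/microsoft/vcpkg/files/123456789/Cheat.Lab.zip"
    print(classify_link(sample).recommendation)
```

The routine deliberately never fetches anything: it decides from the URL alone whether the link is of the comment-attachment form, so it can run in a mail gateway or chat bot before a user clicks. A comment attachment is refused outright even when the owner/repo is on the allow-list, because that is exactly the case the article describes (a trusted name such as microsoft/vcpkg lending credibility to a file the project never published); the lookalike check with an edit distance of at most two covers the "Chaddev instead of Chatdev" case from the checklist.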