GitHub Leaks: How Exposed Code Repositories Threaten Business Security


Company secrets take many forms. Source code, blueprints, product roadmaps, API keys, authentication tokens, and login credentials are all important to keep secret. Intellectual Property (IP) and sensitive data give a company a competitive edge, help it remain secure, and are essential to its brand and product suite. If these secrets get out, they can be highly damaging to a company. GitHub is a repository that holds many forms of company secrets and IP. But GitHub can leak secrets. Over 39 million company secrets in the form of API keys and credentials leak from GitHub each year.

What is GitHub?


GitHub is a popular cloud-based platform that handles source code and similar IP. There are over 212 million users and 253 million public repositories (or "repos") on GitHub. Companies use the repository to manage and track code changes and to store code so that developers can collaborate from anywhere on its creation and upkeep, with GitHub maintaining version control. As part of this work, developers also use GitHub to store other types of secrets, like API keys and login credentials.

GitHub has built-in security to store code, API keys, etc. However, GitHub leaks do occur.

How Does GitHub Leak Secrets?

Like other platforms and apps, GitHub has vulnerabilities and insecurities that cybercriminals can exploit during a cyberattack. The following offers an insight into GitHub's insecurities:


GitHub Vulnerabilities

Cybercriminals are adept at finding an opening that they can exploit to obtain secrets, like login credentials. Like any other application, GitHub has vulnerabilities. OpenCVE maintains a database of known flaws in the GitHub application. However, flaws still slip through and create openings for attackers. One such flaw in GitHub Actions is ArtiPACKED.

This software flaw allowed attackers to take control of repositories by intercepting a GitHub access token to gain access to organizations' cloud environments. Once the attacker has control of the repo, they can insert malicious code into the CI/CD pipeline, poisoning the source code.

Insecure Default Settings

Insecure default settings in any application or firmware can open an avenue for an attacker. According to data from Wiz, around 61% of organizations have secrets in public repositories, and 80% of GitHub workflows have been found to have insecure default permissions. Any cybercriminal exploiting a repo that is not adequately secured will potentially have access to multiple secrets, including login credentials, API keys, and source code.

Misconfigurations

GitHub Actions workflows streamline software development using automation. However, research has shown that they do not always follow security best practices. Misconfigurations allowed for malicious code injection, a lack of external verification, and the running of unverified code. These critical security flaws can create an insecure environment ripe for exploitation by nefarious actors.

Malicious Repositories

What can only be described as an infestation of malicious code repositories has stalked GitHub. At one point, millions of malicious repos were believed to be on GitHub, and recent research has positively identified over 3,200 fake repositories, with researchers naming the project GitVenom. These fake repositories fork legitimate repos and poison the forked code for nefarious purposes. The outcome of the attack is to distribute the malicious code to steal login credentials and crypto wallet addresses.

How Would a GitHub Leak Affect Your Company?

If your company becomes part of a GitHub leak, you can expect one or more of the following to impact your business.

Compromised Supply Chain

Supply chain attacks affect both the supplier and the recipient. In one GitHub-related supply chain attack, 23,000 code repositories were compromised when attackers committed malicious code aimed at leaking secrets like passwords held in public repositories. Any customer receiving a code update from the supplier would be infected with password-stealing malware.

Compromised Credentials

GitHub vulnerabilities can lead to credential theft. Once credentials are compromised, a variety of follow-on attacks can occur. Attackers use the credentials to enter a network, escalate privileges to steal data, install malware, and take over accounts to impersonate executives and other employees. Attacks, like Business Email Compromise (BEC) scams, can then be executed. According to FBI data, BEC has an average cost of $137,132 per incident.

Dark Web Exposure

Stolen data, including company secrets and financial information, often ends up on the dark web and is used for further attacks, fraud, etc. This impacts a company's reputation as well as its security and compliance with data protection regulations.

How to Protect Your Company from GitHub Leaks

If your company uses GitHub, you should use best practice security measures to protect your source code and other company secrets. The following measures are recommended:


GitHub Secret Protection

Enable GitHub Secret Protection to monitor your repo for signs of compromise.

Robust Identity Management

If credentials are stolen, having robust identity security measures in place can help mitigate the attack. Deploy strict access control based on least privilege access for repositories and your broader network. Enforce least privilege access rights and use multi-factor authentication (MFA) or passwordless authentication.

Security Policies

Ensure that your security policies cover GitHub use. For example, do not store passwords in a public repository and only allow company devices to access GitHub.
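A local check that supports both the Secret Protection recommendation above and the "no passwords in a public repository" policy, added here as an example (it is not code from the article or from GitHub): run as a pre-commit hook, it scans only the added lines of the staged diff for a few well-known credential shapes and blocks the commit on a hit. The rules, the redaction helper and the sample diff are constructed for illustration; the AKIA value is AWS's documented placeholder and the ghp_ value is a made-up string of the right shape.

```python
"""Pre-commit style scan for credentials before they reach a GitHub repo.

Added example, not part of the original article. Patterns and the sample
diff are constructed for illustration; tune them to your own estate.
"""
import re
import subprocess
import sys

# Each rule: a name and a regex. Token prefixes follow public formats
# (GitHub personal access tokens start with ghp_, AWS access key IDs with AKIA).
RULES = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
}

def redact(value: str) -> str:
    """Keep just enough of a match to locate it, never the full secret."""
    return value[:6] + "..." if len(value) > 10 else "***"

def scan_diff(diff_text: str) -> list[tuple[int, str, str]]:
    """Return (diff_line_number, rule_name, redacted_match) for each secret
    on an ADDED line of a unified diff. Removed and context lines are
    ignored, so a commit that deletes a secret is not blocked."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # skip removed/context lines and the +++ file header
        for name, rx in RULES.items():
            for m in rx.finditer(line[1:]):
                findings.append((lineno, name, redact(m.group(0))))
    return findings

# Constructed sample diff: one real-shaped AWS key placeholder, one
# hard-coded password, and a token that is being REMOVED (must not fire).
SAMPLE_DIFF = """\
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
-OLD_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+TIMEOUT_SECONDS = 30
"""

def main() -> int:
    """Run as a pre-commit hook: scan staged changes, exit 1 on any hit."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    hits = scan_diff(diff)
    for lineno, name, shown in hits:
        print(f"blocked: {name} at diff line {lineno}: {shown}")
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (or wire it into your hook manager); on the constructed sample, `scan_diff(SAMPLE_DIFF)` reports the AWS key and the password but not the removed token.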

Repository Privacy and Encryption

Enforce encryption and code obfuscation in GitHub repositories. Wherever possible, use private repositories for sensitive code and other secrets.

Audit a Repository

Many code projects rely on open-source or third-party libraries known as "dependencies". Carry out regular audits of your repositories and dependencies to ensure security flaws do not enter your code. GitHub provides dependency insights to allow you to monitor your open-source usage and identify any open-source CVEs (Common Vulnerabilities and Exposures). A GitHub audit should include an assessment of repository settings, permissions, access controls, and other potential vulnerabilities and compliance issues.

Enable Security Alerts

Enable security alerts for your GitHub repository and set up a process reflected in your security policy for responding to alerts.

Read more: About alerts for vulnerable dependencies - GitHub Docs

Maintain a Local Copy of Your Repository as a Backup

Create a local backup of your code for quick recovery in case of code poisoning.

Dark Web Monitoring

Monitor the dark web for evidence that your company information is being used for cybercriminal activity. Use a tool like Sentinex, which looks deeply into the dark web, to find any signs that your company has been breached and may be a cyberattack target.

FAQs

What is GitHub?


GitHub is a cloud-based repository where companies can store and work on source code. It has many tools that help developers create code, collaborate on its development, and maintain versions. GitHub provides project management options, and the GitHub Actions feature facilitates the CI/CD pipeline, using automation to streamline development into production.

Does GitHub Have Built-in Security?

GitHub provides built-in security features, including GitHub Secret Protection and GitHub Code Security.

Read more here: GitHub security features - GitHub Docs

Why do I need to ensure GitHub is secure?

GitHub has security features, but because of vulnerabilities and misconfigurations, it can be a target for attackers. Because GitHub is used to hold sensitive data, including code, API keys, and login credentials, if attackers exploit a repository, they may be able to access these company secrets.

Once accessed, they can use them to carry out attacks, including data theft and supply chain attacks that propagate malicious software code. Therefore, it is essential to follow best security practices to close any security gaps in your GitHub repo.

What kind of business data is most at risk in a GitHub leak?

The data most at risk from a GitHub leak is your software code, API keys, and login credentials. Other data, such as company proprietary information, is at risk if it is stored within the repo, for example, in documentation associated with the code.

How often should companies audit their GitHub repositories?

A company may utilize open-source code or other third-party code libraries during code development. This code is an external entity that may potentially introduce security flaws into the company's source code. Your organization must regularly audit your GitHub repository and code sources to ensure that vulnerabilities do not enter your code base.

What legal implications can arise from a GitHub leak?

If sensitive data leaks from a GitHub repository, the repercussions can include noncompliance with regulations and legal action from customers. Compliance issues with regulations depend on the industry sector. However, regulations such as GDPR, HIPAA, CCPA, and various data protection acts worldwide carry hefty fines for data leaks.