
GitHub comments used to distribute malware (BleepingComputer)

BleepingComputer reported on April 20 that some malware was being distributed via GitHub. Uploading files as part of a comment gives them a URL that appears to be associated with a repository, even if the comment is never posted.

A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy.

While most of the malware activity has been based around the Microsoft GitHub URLs, this "flaw" could be abused with any public repository on GitHub, allowing threat actors to create very convincing lures.


GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 24, 2024 15:16 UTC (Wed) by wtarreau (subscriber, #51152) [Link] (2 responses)

I find the principle of operation really awesome. I mean, how to trust a well-known name on a well-known site. It's comparable in principle to those who were placing high-profile company names inside their domain names or as a host name part of their domain to appear legit to the untrained reader.

Maybe as a fix it could be sufficient to hash the whole URLs and only deliver cryptic hashes for these downloads so that they don't appear more trustable than any other one. Another approach could be to prepend "unsafe-area/" in front of the repository names maybe.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 24, 2024 15:26 UTC (Wed) by mbunkus (subscriber, #87248) [Link] (1 responses)

I like the idea of only hashing, but not so much of adding a prefix, whatever it may be. We humans tend to latch on to known things, meaning we might spot a well-known repository name in the URL and then just stop scrutinizing the URL further.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 15:41 UTC (Thu) by wtarreau (subscriber, #51152) [Link]

There are pros and cons there. One difficulty that may arise with only a hash is that if some deployment systems become popular based on this, users will be trained to trust any hash, thus all of them will look legit :-/ Worse, there will be no way to figure where it was posted. At least with a prefix it can help figure some context.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 24, 2024 16:26 UTC (Wed) by rrolls (subscriber, #151126) [Link] (4 responses)

A wonderful example of an inventive exploit and an unintended loophole.

> The URLs for the malware installers [would appear like, for example:]
> https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip

I think the "right" solution here would be to change `/microsoft/vcpkg/` to `/comments/username_of_comment_author/`, or something like that.

It's `username_of_comment_author` who controls that content, so the URL should make that clear, and not associate it with a well-known entity that isn't responsible for it.

Though, I imagine they'll have a tricky time actually implementing such a change...

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 24, 2024 16:31 UTC (Wed) by josh (subscriber, #17465) [Link] (1 responses)

> I think the "right" solution here would be to change `/microsoft/vcpkg/` to `/comments/username_of_comment_author/`, or something like that.

This seems like the right answer, yeah.

This rhymes with a previous exploit of this type: if you made a PR against a repository, you could link to files via that repository and your commit hash, and they'd look like they were part of the repository. GitHub's fix was to show a banner saying they weren't part of the repository.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 15:42 UTC (Thu) by wtarreau (subscriber, #51152) [Link]

Yeah I totally agree, and it's way better than my suggestion of a hash!

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 19:52 UTC (Thu) by srdjant (guest, #171146) [Link]

What is interesting, is that this is the same git repo that was mentioned in another LWN article's comments (https://lwn.net/Articles/967866/) regarding the actions of a specific user that was (probably innocently) suspected of being involved with the XZ attack, because of their actions (being pushy about updating a version to the vulnerable xz version) in an issue for that repo.

I would say it's probably just a random coincidence, but I am not surprised that devs and maintainers are now looking carefully at their own, and other important projects for signs of attack (e.g. the ZSH Plugin Manager video from 8 days ago).

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 29, 2024 7:28 UTC (Mon) by eduperez (guest, #11232) [Link]

Yes, it makes sense that the files associated with a comment appear as belonging to the owner of the comment, not the owner of the repo where the comment was made. Also, the files are uploaded and linked even if the comment is abandoned and never posted; another sane measure would be to delete the files if the comment is not posted or gets deleted later.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 24, 2024 16:48 UTC (Wed) by flussence (guest, #85566) [Link]

Oof. That's pretty bad considering they already had a separate domain name for user-generated content for exactly this reason.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 2:07 UTC (Thu) by Heretic_Blacksheep (guest, #169992) [Link] (6 responses)

I haven't used Github since I graduated a couple of years ago, and I only used it then because profs were kinda expecting us to use it. I never particularly cared for using the service so I only used it in very general terms...

I realize this isn't a good answer for people that are actively using Github to encourage project communication or cooperation, but for the average person that may only be using it casually, can comments be completely turned off to prevent this kind of thing when you have no wish to engage in this way?

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 6:42 UTC (Thu) by taladar (subscriber, #68407) [Link] (3 responses)

What do you expect turning off comments to achieve in this case?

The problem isn't comments, the problem is file uploads for comments being made accessible outside of the comment context.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 9:02 UTC (Thu) by Karellen (subscriber, #67644) [Link] (2 responses)

If people can't access the "post a comment" UI for a repo, how are they going to upload a file associated with a comment to it?

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 9:08 UTC (Thu) by NAR (subscriber, #1313) [Link]

Exactly, how are they going to upload e.g. a screenshot for a comment? Which is really useful for GUIs...

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 10:00 UTC (Thu) by sidcha (subscriber, #153938) [Link]

They (attacker) would just use another project that allows comments.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 12:37 UTC (Thu) by daroc (editor, #160859) [Link]

It is in fact possible to disable issues, but only for a limited amount of time. And, of course, it prevents anyone from filing issues, which many projects have a use for.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 12:43 UTC (Thu) by bluss (guest, #47454) [Link]

Users can comment on any commit in a github repo, not just in issues and PRs. To turn that off I think you have to go to the 'Limit to repository collaborators' setting for 6 months; it doesn't have an indefinite setting.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 14:02 UTC (Thu) by ibukanov (subscriber, #3942) [Link] (3 responses)

GitHub should show a banner with a warning when the files uploaded as a part of comments are accessed outside of the comment page.

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 14:45 UTC (Thu) by flussence (guest, #85566) [Link] (2 responses)

How would you display a banner on a direct link to a tar/zip file?

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 16:09 UTC (Thu) by ibukanov (subscriber, #3942) [Link]

The website can check for the referer and similar HTTP headers. If it matches the expected value for a media file accessed through the comment page, then return the file content. If not, then show a banner first asking to go to the comment page.
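
As an added illustration of the Referer-based gating sketched in the comment above (this is example code written for this page, not GitHub's implementation, and it does not describe how GitHub actually serves attachments), the function below takes the attachment path shape visible in the thread, `/<owner>/<repo>/files/<id>/<name>`, and decides whether to serve the file directly or to answer with an interstitial that sends the visitor to the comment page. The host name, the set of "comment page" path prefixes (`issues`, `pull`, `commit`) and the sample request paths are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed site host; a real deployment would configure this.
SITE_HOST = "github.com"

# Attachment URL shape as quoted in the thread:
#   https://github.com/<owner>/<repo>/files/<id>/<filename>
ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/[^/]+$"
)

# Assumed: page kinds on which a comment (and thus an upload) can appear.
COMMENT_PAGE_KINDS = ("issues", "pull", "commit")


def parse_attachment_path(path):
    """Return (owner, repo) for an attachment path, or None if it is not one."""
    m = ATTACHMENT_RE.match(path)
    if m is None:
        return None
    return m.group("owner"), m.group("repo")


def referer_is_comment_page(referer, owner, repo):
    """True only if Referer is an https page of the same repo of a comment-bearing kind.

    The host is compared exactly (so 'github.com.evil.example' or a path that
    merely contains 'github.com' does not match), and the path must start with
    the owner/repo of the attachment followed by a comment page kind.
    """
    if not referer:
        return False
    u = urlparse(referer)
    if u.scheme != "https" or u.hostname != SITE_HOST:
        return False
    prefix = f"/{owner}/{repo}/"
    if not u.path.startswith(prefix):
        return False
    first_segment = u.path[len(prefix):].split("/", 1)[0]
    return first_segment in COMMENT_PAGE_KINDS


def decide(path, headers):
    """Return 'serve', 'interstitial' or 'not_found' for a request.

    headers is a plain dict of request headers (constructed in the tests).
    A missing Referer (curl, a link pasted into chat, a browser with a strict
    Referrer-Policy) lands on the interstitial, which is the conservative
    outcome: the visitor is shown where the file actually came from first.
    """
    parsed = parse_attachment_path(path)
    if parsed is None:
        return "not_found"
    owner, repo = parsed
    if referer_is_comment_page(headers.get("Referer"), owner, repo):
        return "serve"
    return "interstitial"


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    sample = "/example-org/example-repo/files/1/report.png"
    print(decide(sample, {}))
    print(decide(sample, {"Referer": "https://github.com/example-org/example-repo/issues/7"}))
```

The check is a usability and trust measure, not an authorization control: Referer is supplied by the client, so it can be omitted or set to anything by tooling the downloader controls. What it does achieve is that a link lifted out of the comment context (pasted into a chat, an e-mail or another site) no longer hands over the file under the repository's name without first showing the visitor the comment and its author, which is exactly the misattribution the thread is about. Sites that deploy this also need to set a Referrer-Policy on their own comment pages that still sends at least the path to same-origin requests, or every legitimate click will hit the interstitial too.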

GitHub comments used to distribute malware (BleepingComputer)

Posted Apr 25, 2024 16:24 UTC (Thu) by Heretic_Blacksheep (guest, #169992) [Link]

Perhaps don't allow direct links to files that aren't part of the repository itself. Single use hash file ID that is generated each time the file is displayed might be a way to do this without revealing the direct file link. Perhaps I just need to set my disused account to private, if that would fix the problem in as far as I'm concerned. I can't fix Github itself, but I can at least potentially cover my tiny base as well as can be.


Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds