back to article For a few days earlier this year, rogue GitHub apps could have hijacked countless repos

A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories. For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized …

  1. Pascal Monett Silver badge

    Am I glad that I'm not in this circus

    "If a software vendor's private repository that contains their source code and intellectual property was leaked or deleted, this could literally mean the end of that company"

    The code I write goes on a company server and stays there. The code itself can only be modified by very few people, and they have specific IDs. There is zero risk of some random nobody reaching the server, much less accessing the database and even less deleting it.

    The Notes/Domino world has a lot of advantages.

    1. Joe W Silver badge

      Re: Am I glad that I'm not in this circus

      The Notes/Domino world has a lot of advantages


      I beg do disagree: having your own git repository (or whatever you use, subversion, mercurial...) hosted in-house gets rid of the problem as well. This is not exclusive to Lotus Notes (or that "pizza"[0] place)

      [0] I find the product they call pizza just plain horrible. Better to nip down to Kafe Spesjal (or your own local pizza place).

      1. Michael Wojcik Silver badge

        Re: Am I glad that I'm not in this circus

        It doesn't entirely "get rid of the problem".

        Using a private code repository that's not shared with people and organizations outside yours reduces the attack surface and risk quite a bit, yes.

        Using an in-house code repository that's not accessible on the public Internet reduces it further. But as we know, the "egg model" (hard network perimeter, soft inside) fails all over the place, because some attackers do get in, and then they pivot and elevate. So security is improved but there are still serious vulnerabilities.

        Using a code repository that is just a code repository and not some glorified all-in-one mess of repository and CI/CD system and code-review tool and problem-ticketing tool and probably there's a flight simulator in there somewhere, like GitHub Enterprise, considerably reduces the attack surface and further improves security.

        Using a code repository where some developer hasn't broken the permissions mechanism with a random change that wasn't caught until an external security researcher looked at it improves security.

        You can never get to absolutely secure – there's no such thing. But, yeah, not using public fucking GitHub certainly improves the situation.

        Seventy-three million developers can be wrong.

  2. Anonymous Coward
    Anonymous Coward

    M$ GitHub

    "Other online source code repositories are available."

  3. iron Silver badge

    Security company: This could have affected every developer in the world!

    Reality: If you granted a malicious app access to a repo during a 1 week window it could be affected.

    The IT security industry needs to stop with their Chicken Little approach, it isn't helping anyone least of all themselves.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like