Merge requests and insecure GitHub workflows may lead to supply-chain attacks

Security researchers at Legit Security identified vulnerabilities in the GitHub automated workflows used by Google Firebase and Apache Camel that could have been abused to compromise those open-source projects through their GitHub CI/CD pipeline and insert malicious code. The Israel-based security shop called the exploitation …

  1. iron Silver badge

    > Legit Security said both Google and the Apache project maintainers were informed of the vulnerability and each has patched the problem in their repositories.

    No, they changed a security setting; no patch needed.

    For those wondering if they are vulnerable, change your Actions permissions to "Require approval for all outside contributors" every time. It is a simple radio group.

    While you're improving your GitHub Actions security, check out StepSecurity, a simple way to secure your workflows.

    1. diodesign (Written by Reg staff) Silver badge

      Patch, fix, repair

      Tomato, tomato. They had to change their stuff to make it secure.

      We've added a link to Legit's write-up now that it's live for those who want to see how it happened and how to protect themselves.


      1. Robert Grant Silver badge

        Re: Patch, fix, repair

        > Tomato, tomato

        Is this the Jeopardy answer for "Sayings that don't work written down"?

      2. Anonymous Coward

        Re: Patch, fix, repair

        You like po-tay-to and I like po-tah-to

        You like to-may-to and I like to-mah-to

        po-tay-to, po-tah-to, to-may-to, to-mah-to

        let's call the whole thing off

        Ella Fitzgerald (the Jazz singer)

    2. gerdesj

      That's nice but it isn't the default and I notice that a lot of other defaults could do with tightening up.

    3. Lorribot

      Yep, how do you do that, is that on Linux only or do I need to do something on my third-party software? Sorry to be pedantic but you know, my life is complicated and I have 1000 servers, 7 different OSes and 300 different applications, which ones use that thing and how would I know?

  2. Lorribot

    It's open source, what do you expect?

    Open source, let's rely on a bunch of developers whose focus is delivering an end product, to secure every step in the development process on every open source project correctly.

    People wonder why I feel embracing open source software will bite you in the bum eventually.

    Unfortunately, it's not like you have a choice these days, I refer you to Log4j amongst many others that are bundled in and hidden away.

  3. Michael Wojcik Silver badge

    To be a little more clear

    > To be clear, the issue here is that the Firebase and Apache Camel repositories had poorly secured GitHub workflow pipelines

    The issue here is that GitHub workflow pipelines are too complex – GitHub itself is far too complex – and consequently a great many projects are running with trivially insecure configurations.

    Whack-a-mole is not going to fix the underlying problem, which is the software industry's appetite for ill-considered quick solutions.
