BeVigil, CloudSEK’s security search engine, has enabled its threat intel researchers to find 159 private GitHub repositories exposed by a key leak. The repositories were unearthed using GitHub personal access tokens (PATs) that were hardcoded into the source code of 14 mobile apps, including those of big players such as Grofers (now BlinkIt), Pizza Hut Sverige and LineTruckMap.
GitHub
GitHub is one of the world’s largest software development platforms. It reports having over 83 million developers and more than 200 million repositories. Its popularity can be attributed to how successfully it captured what software developers truly want and delivered it in a near-perfect manner. GitHub is the 74th most visited website in the world and has had over 387.8 million visits in the past 3 months. This disclosure therefore matters: a weakness involving a software giant of this stature could impact a great many companies and developers.
Importance of BeVigil
CloudSEK’s researchers, using BeVigil, found 14 GitHub tokens in the source code of 14 different mobile apps. Using these GitHub PATs, the researchers reportedly assessed the impact of the key leak against GitHub’s own documentation.
Quite surprisingly, the researchers found that with such a GitHub token anyone can clone the private repository. They also found that a total of 159 repositories could be cloned using all the leaked tokens. Read/write access to code, viewing commit statuses, adding team memberships and deleting the private repository are among the key actions these GitHub tokens permit. This is a huge security loophole, as anyone could completely remove all of an organization’s source code from GitHub, which in turn would impact its business.
Whenever a user submits an Android application for scanning, that application gets indexed in the BeVigil search section, which contains all the popular apps submitted by users. A set of regexes helps the researchers find secrets in Android applications.
Using GitHub’s access-token regex, the security research team reportedly found the token hardcoded into the application. This means developers embedded these keys directly in the source code, leaving them exposed to attackers. All of the organization’s source code in its private repository, which should not be visible to anyone, was uncovered after the BeVigil scan. Unfortunately, this vulnerability is not uncommon: it is another instance of exposed API secrets found by the BeVigil team (see the recent Razorpay disclosure).
Measures to Remediate and Mitigate the Security Loophole
- The first step in hiding your key is to ensure correct versioning processes. Code pushes are frequently not subjected to a thorough examination.
- The codebase should be examined, reviewed, and approved for publication before versioning.
- Key exposure is less likely with standardized procedures.
- Moving your tokens outside of the source file structure is another smart way to protect them. Instead, refer to the token through a variable.
A variable in the environment makes it much easier to refer to the same token in different locations, saving time and enhancing security. As a large proportion of hardcoded tokens come from old codebases, routinely rotating them helps mitigate the risk of leaked tokens. Furthermore, unused tokens are rarely invalidated, so they can still cause real damage.
Security Keys and Secrets
- Start hashing and encrypting your keys, both in transit and at rest. Done correctly, this adds very little overhead to your interaction times, but it ensures that man-in-the-middle attacks or other breaches are difficult to leverage into larger losses.
- Personal access tokens that haven’t been used in a year are automatically removed by GitHub as a security measure.
- It is strongly advised to set an expiration date on your personal access tokens for added security.
- Limiting the number of scopes a token can authorize on its own can help deter some attacks.
- Many flooding attacks can be avoided by establishing a hard limit on how much can be done in a short amount of time. This can also be used to limit data exfiltration, abusive API usage, and concurrent connections.
- Before pushing your code to GitHub, ensure that it undergoes rigorous security checks so that no hardcoded secrets can be leaked. Use environment variables whenever you are dealing with sensitive data.
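As an added example (not BeVigil’s own scanner or any code from the disclosure), the following Python script demonstrates both sides of the article: the regex-based detection of hardcoded GitHub tokens described in the research, and the environment-variable remediation recommended above. It assumes GitHub’s published token shapes (classic PATs start with `ghp_` followed by 36 alphanumerics; fine-grained PATs start with `github_pat_`); the sample files and tokens are constructed and fake, and `find_tokens`, `mask` and `github_token_from_env` are names chosen here.

```python
import os
import re

# Token shapes per GitHub's published formats (assumption: current as of writing).
# Classic PAT: "ghp_" + 36 alphanumerics; fine-grained PAT: "github_pat_" + 22 + "_" + 59.
GITHUB_TOKEN_RE = re.compile(
    r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)


def mask(token: str) -> str:
    """Keep only the first four and last four characters so findings can be logged safely."""
    return token[:4] + "..." + token[-4:]


def find_tokens(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan {path: contents} (e.g. a decompiled APK tree) and return (path, line, masked) hits."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in GITHUB_TOKEN_RE.finditer(line):
                hits.append((path, lineno, mask(match.group(1))))
    return hits


def github_token_from_env(env=os.environ, var: str = "GITHUB_TOKEN") -> str:
    """The remediation: read the token from the environment, never from the source tree."""
    token = env.get(var)
    if not token:
        raise RuntimeError(f"{var} is not set; refusing to fall back to a hardcoded token")
    return token


# Constructed sample of a decompiled app tree; the tokens are fake values shaped like real ones.
SAMPLE_FILES = {
    "res/values/strings.xml": '<string name="gh">ghp_' + "A" * 36 + "</string>",
    "com/example/Api.java": 'String token = "github_pat_' + "B" * 22 + "_" + "C" * 59 + '";',
    "com/example/Safe.java": 'String token = System.getenv("GITHUB_TOKEN");',  # not flagged
}

if __name__ == "__main__":
    for path, lineno, masked in find_tokens(SAMPLE_FILES):
        print(f"{path}:{lineno}: hardcoded GitHub token {masked}")
```

Run the same scan in a pre-push hook or CI step so a token never reaches the repository or a shipped APK.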