Over 15,000 GitHub Repositories Vulnerable to "Repojacking" Attacks, Threatening Software Supply Chain
Plus, Unveiling Post-Exploitation Deception: Fake Lockdown Mode on Compromised iPhones Threatens Security
Unveiling Vulnerabilities in Go Modules and Exposed API Tokens Highlight Perils to Open-Source Integrity
New findings reveal that more than 15,000 Go module repositories hosted on GitHub are exposed to a threat termed "repojacking." Repojacking exploits changes to, or deletions of, GitHub account usernames: once the old username is free again, a malicious actor can re-register it, create a repository under the original repository name, and serve code at the exact path that downstream software still references, mounting an open-source software supply chain attack.
Jacob Baines, Chief Technology Officer at VulnCheck, highlighted the issue: more than 9,000 repositories are vulnerable because of GitHub username changes, and a further 6,000 because of account deletions. Together these repositories account for some 800,000 Go module versions.
Repojacking poses a significant risk to software repositories on GitHub, since a malicious actor can use a username change or deletion to stage an attack, and Go modules are particularly affected. Unlike packages on registries such as npm or PyPI, Go modules are decentralized: the module path is the repository URL (for example github.com/<owner>/<repo>), and the module is fetched from that version control host. Whoever controls that GitHub namespace therefore controls what the module path resolves to.
The attack involves an attacker registering the now-unused username, recreating the module repository under it, and publishing a new module version that caching platforms such as proxy.golang.org and pkg.go.dev will pick up when it is requested. This sidesteps GitHub's countermeasure, popular repository namespace retirement, which blocks re-creation of a retired namespace only when the repository was cloned more than 100 times in the week before it was renamed or transferred. Go modules stay exposed because they are served from the module mirror's cache rather than cloned directly from GitHub, so even a widely used module may never cross the clone threshold that would retire its namespace.
VulnCheck noted that these repojackings are hard to mitigate and that a real fix requires intervention from either the Go project or GitHub. Baines advised Go developers to remain aware of the modules they use and of the state of the repositories behind them.
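As an added example (not VulnCheck's tooling and not code from the original article), the Go program below performs the kind of namespace check described above: it parses a go.mod, extracts every github.com/<owner>/<repo> dependency, and asks GitHub whether the path still resolves (200), redirects because the account or repository was renamed (301/302), or is missing (404) because the account or repository was deleted. The mapping from HTTP status to namespace state is an assumption about GitHub's current web behaviour, the go.mod parser is deliberately minimal, and the owners, repositories and canned responses in sampleGoMod and fakeResolver are constructed so that the example runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Status is what a lookup of https://github.com/<owner>/<repo> tells us about
// the namespace a Go module path points at.
type Status string

const (
	StatusOK       Status = "ok"       // 200: the repository still lives at this path
	StatusRedirect Status = "redirect" // 301/302: owner or repo renamed; the old name may be free to re-register
	StatusMissing  Status = "missing"  // 404: owner or repo deleted; the name can be re-registered
	StatusUnknown  Status = "unknown"  // anything else, including network errors
)

// Resolver returns the HTTP status GitHub serves for owner/repo without
// following redirects. It is a function type so the audit can run offline.
type Resolver func(owner, repo string) (int, error)

// GitHubResolver is the live lookup. Redirects are not followed, so a rename
// shows up as a 301 instead of being silently resolved to the new name.
func GitHubResolver(owner, repo string) (int, error) {
	client := &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := client.Get("https://github.com/" + owner + "/" + repo)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// Classify maps a lookup result to a Status (assumed GitHub semantics, see above).
func Classify(code int, err error) Status {
	switch {
	case err != nil:
		return StatusUnknown
	case code == http.StatusOK:
		return StatusOK
	case code == http.StatusMovedPermanently || code == http.StatusFound:
		return StatusRedirect
	case code == http.StatusNotFound:
		return StatusMissing
	default:
		return StatusUnknown
	}
}

// ParseGitHubModule splits a module path such as github.com/owner/repo/v2 into
// its GitHub owner and repository. Non-GitHub paths return ok=false.
func ParseGitHubModule(path string) (owner, repo string, ok bool) {
	parts := strings.Split(path, "/")
	if len(parts) < 3 || parts[0] != "github.com" || parts[1] == "" || parts[2] == "" {
		return "", "", false
	}
	return parts[1], parts[2], true
}

// RequiredModules returns the module paths named by the require directives of
// a go.mod, in both the single-line and the parenthesised block form.
func RequiredModules(gomod string) []string {
	var mods []string
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and other comments
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case fields[0] == "require" && len(fields) >= 2 && fields[1] == "(":
			inBlock = true
		case inBlock && fields[0] == ")":
			inBlock = false
		case fields[0] == "require" && len(fields) >= 3:
			mods = append(mods, fields[1])
		case inBlock && len(fields) >= 2:
			mods = append(mods, fields[0])
		}
	}
	return mods
}

// Finding is one GitHub-hosted dependency and the state of its namespace.
type Finding struct {
	Module, Owner, Repo string
	Status              Status
}

// Audit resolves every GitHub-hosted dependency of a go.mod once per
// owner/repo pair and reports the state of that namespace.
func Audit(gomod string, resolve Resolver) []Finding {
	seen := map[string]Status{}
	var out []Finding
	for _, mod := range RequiredModules(gomod) {
		owner, repo, ok := ParseGitHubModule(mod)
		if !ok {
			continue
		}
		key := owner + "/" + repo
		st, done := seen[key]
		if !done {
			st = Classify(resolve(owner, repo))
			seen[key] = st
		}
		out = append(out, Finding{Module: mod, Owner: owner, Repo: repo, Status: st})
	}
	return out
}

// sampleGoMod is a constructed go.mod; every owner and repository in it is made up.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/alice/lib v1.2.0
	github.com/bob/tool/v2 v2.0.1 // indirect
	github.com/carol/x v0.3.0
	golang.org/x/text v0.14.0
)

require github.com/dave/y v1.0.0
`

// fakeResolver stands in for GitHub with constructed answers so the example runs offline.
func fakeResolver(owner, repo string) (int, error) {
	switch owner + "/" + repo {
	case "alice/lib":
		return 200, nil // still owned by the original account
	case "bob/tool":
		return 301, nil // account or repository renamed: old path redirects
	case "carol/x":
		return 404, nil // account deleted: old path is gone
	}
	return 0, fmt.Errorf("no canned answer for %s/%s", owner, repo)
}

func main() {
	for _, f := range Audit(sampleGoMod, fakeResolver) {
		fmt.Printf("%-26s %s\n", f.Module, f.Status)
	}
}
```

To audit a real project, pass the contents of its go.mod to Audit together with GitHubResolver. A redirect or 404 is a warning, not proof of compromise: GitHub may already have retired the old name, and versions the module mirror has cached are unchanged. What an attacker gains from a free namespace is the ability to publish new versions under the stale path, so pin versions, keep go.sum under review, and treat an upgrade of a flagged module with suspicion.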
Additionally, in a separate disclosure, Lasso Security revealed that 1,681 API tokens were exposed on Hugging Face and GitHub, including tokens belonging to major companies such as Google, Meta, Microsoft, and VMware. Exposed tokens of this kind open the door to supply chain attacks, training data poisoning, and model theft.
The discoveries highlight the urgency for enhanced security measures on repository platforms and increased awareness among developers to safeguard against potential vulnerabilities and attacks.
Insights into a Novel Post-Exploitation Technique That Fakes iOS Lockdown Mode on Compromised iPhones
Researchers at Jamf Threat Labs have detailed a post-exploitation technique that fakes an iPhone's Lockdown Mode, presenting the user with a deceptive appearance of heightened security while the attacker covertly keeps access to the compromised device. Lockdown Mode, introduced by Apple with iOS 16, reduces the device's attack surface to protect high-risk individuals from sophisticated threats such as mercenary spyware. It does not, however, detect or remove malware already running on an infected device. An attacker who has already compromised the phone through other security flaws can therefore present a simulated Lockdown Mode and mislead the user into believing the device is secure.
The fake Lockdown Mode is built by hooking the functions that run when the setting is turned on. By hooking setLockdownModeGloballyEnabled, for example, the attacker intercepts the activation, creates a marker file ("/fakelockdownmode_on"), and triggers a userspace reboot. A userspace reboot terminates all processes and restarts the system, which looks exactly like a genuine Lockdown Mode activation, yet the kernel is never restarted. As a result, malware already present on the device, even without a persistence mechanism, survives this kind of reboot and can continue to surveil the device's user.
Furthermore, the attacker can alter Lockdown Mode's settings within the Safari web browser, for instance to re-enable the viewing of PDF files, which is restricted while Lockdown Mode is on.
Lockdown Mode has been elevated to a kernel-level security feature in iOS 17, making it harder to modify without a full system reboot, but this research shows how little the feature can do against post-exploitation tampering on a device that is already compromised. The revelation follows an earlier Jamf demonstration of maintaining access to an Apple device by tricking the user into believing Airplane Mode was enabled. Together, these findings underscore the ongoing challenge of fortifying iOS devices against sophisticated exploitation.
Jobs/Internships:
Sysdig - Director of Engineering - Hybrid
Rocket Lab - Senior Software Engineer - Operations - Long Beach, California, United States · On-site
Brex - Senior Software Engineer, Product Security - On-site
Plume - Software Engineer Intern - Palo Alto, CA · Hybrid
Humane - Software Engineering Intern, Device Experiences - San Francisco, CA · On-site
Instro - Data Science & Machine Learning Intern - South San Francisco, CA · On-site