GitHub exposed to a security vulnerability that hackers can use to distribute malware disguised as coming from “Microsoft”

Recently, the code hosting website GitHub was exposed to a high-risk vulnerability in its comment file upload feature, which hackers can exploit to distribute malware.

Users can upload files to a comment on a chosen GitHub repository (even if the comment does not exist), and a download link is generated automatically. Because this link includes the name of the repository and its owner, it can trick victims into thinking the file is legitimate.

For example, the URL of a file uploaded to GitHub can suggest that it comes from Microsoft, even though the project's code never references the file. IT Home gives the following two cases:

https//github()com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
https//github()com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip

Moreover, exploiting this vulnerability requires no specialized skill: an attacker only needs to upload a malicious file to a comment. Malware can be uploaded under any trusted repository and then distributed through the resulting GitHub link.

Because these links sit under GitHub's official domain and their path carries the name of an official repository such as “Microsoft”, users are very likely to believe that the download is legitimate and safe.

GitHub has removed some of the malware links but has not yet fully fixed the vulnerability. For developers there is currently no effective way to prevent this abuse; the only option is to disable comments entirely.
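The security-relevant point above is that a link of the form github.com/OWNER/REPO/files/ID/NAME names a trusted owner and repository while the file itself was only attached to a comment and was never committed to that repository. The following script is an added example (not from the article, IT Home, or GitHub) that a defender could run over pasted text, chat messages or proxy log lines to separate such comment attachments from other GitHub links and flag them for review. The path pattern is an assumption derived from the two sample links in the article, the refanging of "https//github()com" mirrors how the article prints them, and the sample text and suspicious-extension list are constructed for this example.

```python
import os
import re
from urllib.parse import urlparse

# Assumed pattern, derived from the article's two sample links: a file uploaded
# through a comment is served as /<owner>/<repo>/files/<numeric id>/<filename>.
# The owner/repo segments name the repository, but the file is NOT repository
# content; extend this list if other attachment paths are observed.
COMMENT_ATTACHMENT_RE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$"
)

# Constructed list of extensions that deserve extra scrutiny when they arrive
# as a comment attachment rather than as committed or released content.
SUSPICIOUS_EXT = {".zip", ".rar", ".7z", ".exe", ".msi", ".scr", ".bat", ".js"}

# Loose URL matcher; also accepts the article's defanged "https//" form.
URL_RE = re.compile(r"https?:?//\S+")


def refang(url: str) -> str:
    """Undo the defanging used in the article's sample links ("()" for ".",
    missing ":" after the scheme) so the URL can be parsed normally."""
    url = url.replace("hxxp", "http").replace("[.]", ".").replace("()", ".")
    return re.sub(r"^(https?)//", r"\1://", url)


def classify(url: str) -> dict:
    """Return a record describing the link: host, kind, and for comment
    attachments the owner/repo the path borrows and the attached filename."""
    parsed = urlparse(refang(url))
    host = parsed.netloc.lower()
    record = {"url": url, "host": host, "kind": "other",
              "owner": None, "repo": None, "filename": None, "flag": False}
    if host not in {"github.com", "www.github.com"}:
        return record
    match = COMMENT_ATTACHMENT_RE.match(parsed.path)
    if not match:
        # Release assets, raw files, repository pages, etc.
        record["kind"] = "github-other"
        return record
    record.update(kind="comment-attachment", owner=match["owner"],
                  repo=match["repo"], filename=match["name"])
    ext = os.path.splitext(match["name"])[1].lower()
    record["flag"] = ext in SUSPICIOUS_EXT
    return record


def find_attachment_links(text: str) -> list:
    """Extract every URL in the text and keep only comment attachments."""
    records = [classify(u) for u in URL_RE.findall(text)]
    return [r for r in records if r["kind"] == "comment-attachment"]


def describe(record: dict) -> str:
    """One-line verdict suitable for an alert or a user-facing warning."""
    if record["kind"] != "comment-attachment":
        return f"{record['url']}: not a comment attachment"
    verdict = "SUSPICIOUS" if record["flag"] else "review"
    return (f"{verdict}: '{record['filename']}' is served under "
            f"{record['owner']}/{record['repo']} but was uploaded to a comment, "
            f"not committed to the repository")


# Constructed sample message containing the article's two links plus one
# constructed release-asset link (TAG is a placeholder) for contrast.
SAMPLE_TEXT = """\
[constructed sample] forum post:
Grab the tool here: https//github()com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
Mirror: https//github()com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
Official release page: https://github.com/microsoft/vcpkg/releases/download/TAG/vcpkg.zip
"""

if __name__ == "__main__":
    for hit in find_attachment_links(SAMPLE_TEXT):
        print(describe(hit))
```

Running the script prints a SUSPICIOUS line for each of the two article links and nothing for the release-asset link, because a release download is not served under the /files/ attachment path. The point of the split between `classify` and `describe` is that the same record can feed an alert pipeline, a URL-rewriting mail gateway, or a browser-side warning without re-parsing the link.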

Article Source:https://www.ithome.com/0/763/606.htm

This article is an independent point of view; no reproduction without permission. Please contact FreeBuf customer service XiaoBee for authorization, WeChat: freebee2022
