A recently introduced GitHub feature can be abused to host and distribute malware (opens in new tab) among the software developer community, experts have claimed.
Cybersecurity researchers from Trend Micro have published a report detailing how GitHub Codespaces can be abused to deliver malicious scripts to unsuspecting software developers.
GitHub describes Codespaces, launched in November 2022 as “an instant, cloud-based development environment that uses a container to provide you with common languages, tools, and utilities for development.” In other words, developers can write and test code directly in the browser.
TCP port forwarding woes
The problem lies in the fact that Codespaces allows TCP port forwarding, a well-intentioned feature allowing devs to share their work with the public, likely for testing. Whoever knows the URL, can access the work. So, in theory, a threat actor can run a Python web server, upload malware to the Codespace, open a web server port, and set the visibility as “public”.
“To validate our hypothesis of threat modeling abuse scenario, we ran a Python-based HTTP server on port 8080, forwarded and exposed the port publicly,” Trend Micro said in its report. “In the process, we easily found the URL and the absence of cookies for authentication.”
Furthemore, port forwarding uses HTTP by default, but hackers can easily set it to HTTPS to reinforce the false sense of security. Adding insult to injury is the fact that GitHub is considered a trusted environment, the traffic is coming from Microsoft, and as such is likely not to raise any antivirus alarms.
But that’s not all. A Codespaces feature called “Dev Containers” can also be abused to distribute the malware more seamlessly. This feature allows developers to create pre-configured containers holding all the necessary dependencies for a project.
BleepingComputer said it managed to create a malicious web server with Codespaces “in less than 10 minutes, with zero experience with the feature”.
“Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments. Since each created Codespace has a unique identifier, the subdomain associated is unique as well,” Trend Micro concluded. “This gives the attacker enough ground to create different instances of open directories.”
GitHub is currently silent on the matter on its channels.
Via: BleepingComputer (opens in new tab)
