There is no real fix to the security issues recently found in GitHub and other similar software

A recently discovered security issue in GitHub and other, similar, version control products seems to fit into the classic "it's a feature, not a bug" category.

Security researchers last week published their findings on how deleted forks in GitHub work: commits from deleted forks and earlier versions of any project on GitHub remain reachable to anyone who knows the commit hash, which potentially leaves the door open for a malicious actor to recover a project key or other secret that was committed and then "deleted".

This may not even be a *new* discovery, because users on social media were quick to point out that these products have always been designed this way, so it's not as if a new sort of exploit had just been published. But the publishing of these findings came after Truffle Security said a major tech company accidentally leaked a private key for an employee GitHub account and, despite deleting the repo entirely in the belief that this would take care of the leak, the key was still exposed and accessible to potentially malicious users.

This potential issue has not been tested in similar software like GitLab or Bitbucket, but conceivably they have all been designed in the same way. The major difference for GitHub is that deleted or unpublished commits can be downloaded through any fork in the same repository network if the user has the commit's identifying hash (or even just a short prefix of it).
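The mechanism described above, as an added example that is not part of the original article and is not code from GitHub or Truffle Security: a purely local git simulation of a developer who pushes a secret, deletes the branch that held it, and an attacker who nevertheless fetches the commit by its hash from a fresh, empty repository. It assumes `git` is installed; the `uploadpack.allowAnySHA1InWant` setting is used only to make a plain git server hand out any object by hash the way GitHub's repository network does, and the token value is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: show why deleting a branch/fork does
# not revoke a secret when the server serves any commit by hash.
set -eu

demo_dangling_commit_fetch() {
  work=$(mktemp -d)
  remote="$work/remote.git"
  secret="ghp_constructed_example_token_0000"   # constructed, not a real token

  # 1. A bare "server" repo. GitHub serves any commit in a repository network
  #    by SHA; plain git only does so with this setting, so we enable it to
  #    model that behaviour (assumption for the demo).
  git init -q --bare "$remote"
  git -C "$remote" config uploadpack.allowAnySHA1InWant true

  # 2. Developer commits a config file containing the secret and pushes it.
  git -c init.defaultBranch=main init -q "$work/dev"
  printf 'API_TOKEN=%s\n' "$secret" > "$work/dev/config.env"
  git -C "$work/dev" add config.env
  git -C "$work/dev" -c user.name=dev -c user.email=dev@example.com \
    commit -q -m "add service config"
  leaked=$(git -C "$work/dev" rev-parse HEAD)
  git -C "$work/dev" push -q "$remote" HEAD:refs/heads/leak

  # 3. Developer "cleans up" by deleting the branch on the server.
  git -C "$remote" update-ref -d refs/heads/leak
  if git ls-remote "$remote" | grep -q "$leaked"; then
    echo "unexpected: commit still referenced by a ref" >&2
    rm -rf "$work"
    return 1
  fi

  # 4. Attacker, starting from an empty repo and knowing only the hash,
  #    fetches the unreferenced commit and reads the secret out of it.
  git init -q "$work/attacker"
  git -C "$work/attacker" fetch -q "$remote" "$leaked"
  recovered=$(git -C "$work/attacker" show "$leaked:config.env")

  rm -rf "$work"
  printf '%s\n' "$recovered"
}

# Stand-alone run: prints the recovered line, proving the secret survived
# the branch deletion. Only a rotation of the key actually revokes it.
demo_dangling_commit_fetch
```

Note that in this local model the unreferenced object would eventually be pruned by `git gc`; the point of the research is that GitHub's repository network keeps such objects reachable, and in either case the only safe response to a committed secret is to treat it as leaked and rotate it, not to delete the branch, fork or repository.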

The issue here is that there is no real patch or fix to address this, and now it is widely known and has been publicized on the internet.

GitHub told The Register that this is part of how the software is designed, and there do not appear to be any efforts und ..
