A Russian security researcher was able to take five low-severity OAuth bugs in the coding site GitHub and string them together into what he calls a “simple but high severity exploit” that gave him unfettered access to users’ private repositories.
GitHub went on to fix the vulnerabilities “in a timely fashion,” according to the researcher, Homakov, who said he received a $4,000 reward for his work, the highest GitHub has paid out in the bounty program’s short existence.
The main problem lies in the site’s Gist OAuth functionality. Gists are Pastebin-like repositories on GitHub that allow coders to share bits and pieces of their work with their contemporaries, and OAuth is an authentication protocol that can allow different entities, be it a web app or a mobile app, varying degrees of access to your account.
The first vulnerability Homakov noticed in GitHub was that he could bypass its redirect_uri validation by inserting a /../ path traversal sequence. A path traversal attack manipulates a URL so that files and directories stored outside the web root folder can be accessed. In this case, Homakov found that he could control the redirect_uri parameter and trick the check into not fully parsing the URL, which let him redirect the browser to any Gist page he wanted.
Homakov also found that, whatever the client sent to obtain a token, the provider would respond with a valid access_token, a weakness that could be used to compromise the log-in functionality of any site relying on it.
This second bug could make it easy for an attacker to hijack the authorization code delivered to the redirect_uri and simply replay the leaked code against the real client’s callback to log in as the victim.
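The two server-side checks the first two bugs turn on, written out as an added illustration (this is not GitHub’s code, and the registered callback URL is a constructed placeholder): a prefix-style redirect_uri check that a /../ sequence slips past, the exact-match check that stops it, and a token endpoint that refuses an authorization code replayed from a callback other than the one it was issued for.

```python
import posixpath
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed registration for a hypothetical client; not GitHub's real data.
REGISTERED_REDIRECT = "https://gist.github.com/auth/github/callback"

def prefix_check(requested: str) -> bool:
    """The weak pattern: accept anything that starts with the registered URI."""
    return requested.startswith(REGISTERED_REDIRECT)

def browser_target_path(requested: str) -> str:
    """Where a /../ sequence actually lands once the browser normalises it."""
    return posixpath.normpath(urlsplit(requested).path)

def exact_check(requested: str) -> bool:
    """Hardened pattern (RFC 6749 section 3.1.2.2): exact comparison of
    scheme, host:port, path and query; fragments and traversal are refused."""
    reg, req = urlsplit(REGISTERED_REDIRECT), urlsplit(requested)
    if req.fragment or "\\" in requested:
        return False
    if ".." in req.path.split("/"):
        return False
    return (req.scheme, req.netloc, req.path, req.query) == \
           (reg.scheme, reg.netloc, reg.path, reg.query)

# Authorization codes are remembered together with the redirect_uri they were
# issued for, so the token endpoint can refuse a code presented from a
# different callback instead of handing out a token for whatever arrives.
_issued_codes = {}

def issue_code(redirect_uri: str) -> Optional[str]:
    """Authorization endpoint: only a redirect_uri that passes the exact
    check gets a code, and the code is bound to that URI."""
    if not exact_check(redirect_uri):
        return None
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = redirect_uri
    return code

def exchange_code(code: str, redirect_uri: str) -> bool:
    """Token endpoint: the code is single-use and is only honoured when the
    presented redirect_uri equals the one bound at issuance. A mismatch
    burns the code so it cannot be retried."""
    bound = _issued_codes.pop(code, None)
    return bound is not None and bound == redirect_uri
```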
Homakov discovered he could combine both bugs: by tricking a user into following a link, he could get GitHub to leak the request carrying the code to him. Using what he has nicknamed an “Evolution of Open Redirect” vulnerability, the request carrying the code lands in an image request, which Homakov could then use to log into the victim’s account and gain access to private Gists.
Gists are static pages that even let users embed their own images, or at least image markup. In this situation that markup can point to a suspicious URL and so capture the victim’s code.
Once in, Homakov found that the client exposes the victim’s actual OAuth access_token to the user agent, which he was then able to use to perform API calls on the victim’s behalf.
Since Gist falls under the GitHub umbrella, Homakov found that the client automatically approves any scope it is asked for. That, combined with specially crafted URLs that leak the code, gave him access to private GitHub repositories and Gists, “all in stealth-mode,” because the github_token belongs to the Gist client. From there Homakov had control of both the affected GitHub user’s account and their Gist account.
GitHub kicked off its bug bounty program just over a week ago, promising to award anywhere from $100 to $5,000 to researchers who discover vulnerabilities in the site or in other applications such as its API or Gist. As Homakov’s finding involved both GitHub and Gist and fetched $4,000, it was clearly of concern to the site, and the way the vulnerabilities “fit so nicely together” impressed GitHub.