A security researcher investigated an archive of GitHub commits that developers had likely believed were deleted, uncovering secrets including a token with admin access to all Istio repositories (software widely used in the enterprise), and earned around $25K in bounties.

Researcher Sharon Brizinov searched public GitHub repositories for accidental commits and scanned them for secrets, finding among other things a personal access token (PAT) belonging to an Istio developer. “I analyzed this token and found it had admin access to all of Istio's repositories,” he said. Istio is open source service mesh software that is widely used with Kubernetes, and a compromise could affect thousands of enterprises. The token has since been revoked.

The problem arises when a developer accidentally commits code that includes secrets, realizes the mistake, and tries to remove the commit. Git repositories are designed to preserve history, so removing a commit works against that design, even though there are circumstances in which it is essential. A developer might, for example, hard-code a password for a quick test, or forget to exclude a file or directory containing secrets from the repository, and only discover the error after making the commit.
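As an added illustration (not from the article, and using a constructed placeholder token rather than a real credential), the following script shows that a commit "removed" with git reset remains readable from the local object store until the reflog is expired and unreachable objects are pruned:

```shell
#!/bin/sh
# Added demo: a reset-away commit is still in the object store until purged.
set -eu

# Build a throwaway repo whose second commit contains a constructed fake secret,
# then "delete" that commit with git reset. Sets REPO_DIR and LEAKED_COMMIT.
demo_repo() {
  REPO_DIR=$(mktemp -d)
  cd "$REPO_DIR"
  git init -q .
  git config user.email demo@example.invalid
  git config user.name demo
  echo "base" > README
  git add README && git commit -qm "init"
  # Constructed placeholder value; not a real token.
  echo "GITHUB_TOKEN=ghp_EXAMPLE_PLACEHOLDER_0000000000000000000" > .env
  git add .env && git commit -qm "oops: committed .env"
  LEAKED_COMMIT=$(git rev-parse HEAD)
  git reset -q --hard HEAD~1   # the commit is gone from the branch, not the repo
}

# Returns 0 if the secret can still be read from the given commit's .env blob.
secret_recoverable() {
  git cat-file -p "$1:.env" 2>/dev/null | grep -q 'GITHUB_TOKEN='
}

# Purge locally: drop reflog entries that keep the commit alive, then prune
# unreachable objects. This only cleans the local clone.
purge_unreachable() {
  git reflog expire --expire=now --all
  git gc -q --prune=now
}
```

If the commit was already pushed, treat the secret as compromised and revoke it; purging the local clone does not remove objects that a remote such as GitHub already holds.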