Researchers at Truffle Security have found, or arguably rediscovered, that data from deleted GitHub repositories (public or private) and from deleted copies (forks) of repositories isn’t necessarily deleted.

Joe Leon, a security researcher with the outfit, said in an advisory on Wednesday that being able to access deleted repo data – such as APIs keys – represents a security risk. And he proposed a new term to describe the alleged vulnerability: Cross Fork Object Reference (CFOR).

“A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks),” Leon explained.

For example, the firm showed how one can fork a repository, commit data to it, delete the fork, and then access the supposedly deleted commit data via the original repository.

The researchers also created a repo, forked it, and showed how data not synced with the fork continues to be accessible through the fork after the original repo is deleted. You can watch that particular demo.

  • radivojevic@discuss.online
    link
    fedilink
    English
    arrow-up
    23
    arrow-down
    2
    ·
    5 months ago

    Yup. Along with the code from huge organizations. I always thought it was funny that people put their code online, blindly trusting some random company that got gobbled up by Microsoft.

    • 4am@lemm.ee
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      1
      ·
      5 months ago

      Along with every private key that was accidentally committed.

      • radivojevic@discuss.online
        link
        fedilink
        English
        arrow-up
        11
        arrow-down
        1
        ·
        5 months ago

        Ha ha, way way back in the day when I didn’t understand how keys worked, I sent a private key to another developer when they asked for my public. They were kind enough to educate me.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          5
          ·
          5 months ago

          As a lifelong troll, I would’ve just generated a new pub key and made a bunch of commits as you. Then two days later, I would tell you what’s up once you had time to process the confusion.

    • Chocrates@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      5 months ago

      Your point is valid, but many (most?) enterprises don’t use a forking worlflow, so I suspect open source projects will be hit harder, sadly