Wednesday, 13 March 2019

Taking Over Publicly Editable Github Wiki in Masses

Let's get familiar with a few things first!

What is GitHub?
GitHub is a web-based hosting service for version control using Git. GitHub is popular for its reliable service, and large companies such as Google, Facebook and Microsoft use it for their open-source projects.

Any GitHub repository has a "wiki" page. The "wiki" page is generally used for documentation, installation instructions, etc.

With certain settings, an organisation or a user can allow any other user (who is not a collaborator) to edit the "wiki" page. In my view, this is absolutely a bad option to enable.

If not watched closely, a malicious user can edit or publish a "wiki" page on a company's official GitHub repository and mislead the community or the users following the repo into downloading or installing malware, vulnerable libraries, etc.

This vulnerability can be an excellent catalyst for malicious hackers who infect users through typosquatted malicious libraries they host. An unsuspecting user will likely follow the wiki instructions blindly, especially if the wiki is hosted on a popular organization's GitHub repo.

This is generally considered a low-priority security issue, but let's look at the bigger picture.
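One defender-side check that follows from the above, added here as an example and not part of the post or the author's tool: every GitHub wiki is itself a git repository, cloneable from https://github.com/<owner>/<repo>.wiki.git, so a maintainer can pull its full edit history and look for commits made by people who are not collaborators. The script below parses `git log --format` output into records and flags authors whose e-mail is not on a maintainer-supplied allowlist. The log lines, SHAs, names and the allowlist are constructed for the example.

```python
"""Review a GitHub wiki's edit history for commits by people outside the project.

Added example (not from the post). A GitHub wiki is a git repository that can
be cloned from https://github.com/<owner>/<repo>.wiki.git, so `git log` gives
the complete edit history. Commits whose author e-mail is not on the
collaborator allowlist are flagged for review. All sample data is constructed.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import Iterable, List

# ASCII unit separator: cannot occur in names, e-mails or subjects, so it is a
# safe field delimiter for git's --format output.
FIELD_SEP = "\x1f"
# sha, author name, author e-mail, strict ISO-8601 author date, subject
LOG_FORMAT = "%H%x1f%an%x1f%ae%x1f%aI%x1f%s"


@dataclass(frozen=True)
class WikiCommit:
    sha: str
    author_name: str
    author_email: str
    date: str
    subject: str


def git_log(wiki_clone_dir: str) -> str:
    """Run git against a local clone of <repo>.wiki.git (cloning needs network)."""
    return subprocess.run(
        ["git", "-C", wiki_clone_dir, "log", f"--format={LOG_FORMAT}"],
        check=True, capture_output=True, text=True,
    ).stdout


def parse_git_log(text: str) -> List[WikiCommit]:
    """Turn the delimited log text into WikiCommit records, newest first."""
    commits: List[WikiCommit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(FIELD_SEP)
        if len(fields) != 5:
            raise ValueError(f"unexpected log line: {line!r}")
        commits.append(WikiCommit(*fields))
    return commits


def flag_outside_edits(commits: Iterable[WikiCommit],
                       allowed_emails: Iterable[str]) -> List[WikiCommit]:
    """Commits whose author e-mail is not in the collaborator allowlist."""
    allowed = {e.strip().lower() for e in allowed_emails}
    return [c for c in commits if c.author_email.lower() not in allowed]


def _log_line(*fields: str) -> str:
    return FIELD_SEP.join(fields)


# Constructed sample of what `git log --format=...` might print for a small wiki.
SAMPLE_LOG = "\n".join([
    _log_line("c0ffee1", "maintainer", "maintainer@example.org",
              "2019-03-12T09:10:00+00:00", "Updated Installation"),
    _log_line("0ddba11", "outsider", "outsider@example.net",
              "2019-03-11T22:45:00+00:00", "Updated Installation"),
    _log_line("dead000", "maintainer", "maintainer@example.org",
              "2019-01-05T14:00:00+00:00", "Initial Home page"),
])
ALLOWED_EMAILS = ["maintainer@example.org"]  # constructed collaborator list

if __name__ == "__main__":
    for c in flag_outside_edits(parse_git_log(SAMPLE_LOG), ALLOWED_EMAILS):
        print(f"{c.date} {c.sha} {c.author_name} <{c.author_email}>: {c.subject}")
```

The author e-mail in a git commit is not an authenticated identity, so treat the flagged list as triage and confirm each entry against the wiki page's history on GitHub; the real fix is still to turn off public editing in the repository's settings.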

According to GitHub, there are around 96 million repositories and 2.1 million organizations. Even with a success rate of 0.1%, an attacker could publish malicious content on 96,000 wiki pages on GitHub.


I wrote a simple tool in Python using Selenium that takes an organization's GitHub username as input, iterates through all the repositories under that organization to find "publicly editable wikis", publishes a sample wiki page on each one and returns the page URL.

The code is available on my GitHub:
https://github.com/Shashank-In/VulEdiWi
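For readers who want to audit their own organization rather than drive a browser, here is an added example in the same spirit; it is not the VulEdiWi tool. It walks an organization's repositories through the GitHub REST API (GET /orgs/{org}/repos, following the Link header's rel="next" pages) and reports the ones with a wiki enabled. The API does not expose the wiki's "Restrict editing to collaborators only" switch, so the result is a candidate list for checking that setting, not a verdict. The organization name "acme", its repositories and the two-page fake responses are constructed so the script runs offline.

```python
"""Triage an organization's public repositories for wikis that need a settings review.

Added example, not the author's VulEdiWi tool. Uses the GitHub REST API
(GET /orgs/{org}/repos, paginated via the Link header) to list repositories
with a wiki enabled. The API exposes `has_wiki` but not the wiki's
"Restrict editing to collaborators only" setting, so the output is a list of
wikis whose setting still has to be checked by hand. Sample data is constructed.
"""
from __future__ import annotations

import json
import re
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

API_BASE = "https://api.github.com"
# rel="next" entry of the pagination header, e.g.
# <https://api.github.com/orgs/x/repos?page=2>; rel="next", <...>; rel="last"
NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')

# A fetcher maps a URL to (response body, Link header). It is injectable so
# the paging and filtering logic can be exercised offline.
Fetcher = Callable[[str], Tuple[str, str]]


def http_get(url: str, token: Optional[str] = None) -> Tuple[str, str]:
    """Real fetcher, used only when auditing a live organization."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "User-Agent": "wiki-audit-example",
    })
    if token:  # a token raises the rate limit; the endpoint itself is public
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8"), resp.headers.get("Link", "")


def list_org_repos(org: str, fetch: Fetcher = http_get) -> List[Dict]:
    """Follow rel="next" links until the organization's repo list is exhausted."""
    url: Optional[str] = f"{API_BASE}/orgs/{org}/repos?type=public&per_page=100"
    repos: List[Dict] = []
    while url:
        body, link = fetch(url)
        repos.extend(json.loads(body))
        match = NEXT_LINK.search(link or "")
        url = match.group(1) if match else None
    return repos


def wiki_candidates(repos: List[Dict]) -> List[Dict]:
    """Repos with a wiki enabled that are still maintained (not archived)."""
    return [r for r in repos if r.get("has_wiki") and not r.get("archived")]


def summarize(org: str, fetch: Fetcher = http_get) -> Tuple[int, int, List[str]]:
    """(candidates, total, wiki URLs to review), in the post's 'X out of Y' style."""
    repos = list_org_repos(org, fetch)
    cands = wiki_candidates(repos)
    return len(cands), len(repos), [f"{r['html_url']}/wiki" for r in cands]


# ---- constructed offline stand-in for the API: two pages for org "acme" ----
_PAGE1 = [
    {"full_name": "acme/alpha", "html_url": "https://github.com/acme/alpha",
     "has_wiki": True, "archived": False},
    {"full_name": "acme/beta", "html_url": "https://github.com/acme/beta",
     "has_wiki": False, "archived": False},
]
_PAGE2 = [
    {"full_name": "acme/gamma", "html_url": "https://github.com/acme/gamma",
     "has_wiki": True, "archived": True},
    {"full_name": "acme/delta", "html_url": "https://github.com/acme/delta",
     "has_wiki": True, "archived": False},
]


def fake_fetch(url: str) -> Tuple[str, str]:
    """Mimics GET /orgs/acme/repos: page 1 carries a rel="next" link, page 2 does not."""
    if "page=2" in url:
        return json.dumps(_PAGE2), '<https://api.github.com/orgs/acme/repos?page=1>; rel="prev"'
    return (json.dumps(_PAGE1),
            '<https://api.github.com/orgs/acme/repos?type=public&per_page=100&page=2>; rel="next"')


if __name__ == "__main__":
    n, total, urls = summarize("acme", fake_fetch)
    print(f"{n} out of {total} repositories have a wiki enabled; review these settings:")
    for u in urls:
        print("  ", u)
```

Against a live organization, call `summarize("your-org", lambda u: http_get(u, token))`; each listed wiki then needs its "Restrict editing to collaborators only" box confirmed in the repository settings, which is the setting the post is about.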




I scanned popular organizations' GitHub accounts, with the following results:

Google (https://github.com/google)

168 out of 1420 repositories had publicly editable wikis.

Facebook (https://github.com/facebook)

1 out of 162 repositories had publicly editable wikis.

Alibaba (https://github.com/alibaba)

38 out of 246 repositories had publicly editable wikis.

Microsoft (https://github.com/Microsoft)

364 out of 2251 repositories had publicly editable wikis.

Mozilla (https://github.com/mozilla)

792 out of 1960 repositories had publicly editable wikis.

2 comments:

TutorGeeks said...

Nice read. Haven't they fixed it? I can still see some of the Google repos' wikis being publicly editable.

Shashank said...

They said they are aware of it :)