Analysis of build artifacts generated by the GitHub Actions workflow within the open source repositories of major companies revealed sensitive access tokens to third-party cloud services, as well as GitHub itself. In addition, a change made this year to GitHub’s artifacts feature introduced a race condition that attackers could use to abuse previously unusable GitHub tokens.
The investigation, conducted by Yaron Avital, a researcher at Palo Alto Networks, found secrets in artifacts stored in many public repositories, some of which belong to projects maintained by Google, Microsoft, Amazon AWS, Canonical, Red Hat, OWASP, and other large organizations. The leaked tokens grant access to various cloud services and infrastructure, music streaming services, and more.
“This allows malicious actors to gain access to these artifacts with the potential to compromise the services these secrets provide access to,” Avital wrote in his report. “Of the many vulnerable projects we discovered during this research, the most common leak is GitHub tokens, which allow an attacker to perform actions against the GitHub domain that is being launched. This could lead to the push of malicious code that flows to production through the CI/CD pipeline, or access to secrets stored in a GitHub repository.”
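The practical defence the article points to is to inspect what a workflow is about to publish before it is uploaded as an artifact. The following added example (not part of the article or of the Palo Alto Networks research) scans an artifact zip for the token shapes named above: GitHub tokens (including the base64-encoded `Authorization: basic` header that `actions/checkout` writes into `.git/config` when credentials are persisted) and AWS access key IDs. The sample artifact, the token values and the file paths inside it are constructed for the demonstration; the regular expressions are simplified illustrations, not a maintained ruleset.

```python
"""Scan a GitHub Actions artifact (zip) for leaked credentials before it is published.

Added example; the artifact contents and token values below are constructed.
"""
import base64
import binascii
import io
import re
import zipfile

# Simplified token shapes based on publicly documented prefixes (illustrative only).
SECRET_PATTERNS = {
    "github_token": re.compile(r"\b(?:ghp|ghs|gho|ghu|ghr)_[A-Za-z0-9]{36,255}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{80,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# An HTTP basic-auth header hides the token behind base64; decode and rescan it.
BASIC_AUTH = re.compile(r"(?i)authorization:\s*basic\s+([A-Za-z0-9+/=]+)")

# Files that commonly carry credentials when a whole workspace is uploaded.
SUSPICIOUS_PATHS = (".git/config", ".npmrc", ".env")


def scan_text(path, text):
    """Return (path, kind, redacted_value) findings for one file's contents."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((path, kind, match.group(0)[:8] + "..."))
    # Look inside base64 basic-auth headers, as written by actions/checkout.
    for match in BASIC_AUTH.finditer(text):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for inner in pattern.finditer(decoded):
                findings.append((path, kind + ":basic-auth", inner.group(0)[:8] + "..."))
    return findings


def scan_artifact(zip_bytes, max_file_bytes=5_000_000):
    """Scan every member of an artifact zip and return all findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if any(name == p or name.endswith("/" + p) for p in SUSPICIOUS_PATHS):
                findings.append((name, "suspicious_path", ""))
            if info.file_size > max_file_bytes:
                continue  # skip large binaries; a real scanner would sample them
            text = zf.read(name).decode("utf-8", errors="replace")
            findings.extend(scan_text(name, text))
    return findings


def build_sample_artifact():
    """Constructed artifact: a persisted checkout credential, an AWS key in a log, a clean file."""
    fake_gh_token = "ghs_" + "x" * 36  # constructed, not a real token
    header = base64.b64encode(f"x-access-token:{fake_gh_token}".encode()).decode()
    git_config = '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ' + header + "\n"
    app_log = "starting deploy\naws_access_key_id = AKIAEXAMPLEKEY000000\n"  # constructed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(".git/config", git_config)
        zf.writestr("build/app.log", app_log)
        zf.writestr("build/README.md", "# build output\nnothing sensitive here\n")
    return buf.getvalue()


def main():
    for path, kind, redacted in scan_artifact(build_sample_artifact()):
        print(f"{path}: {kind} {redacted}")


if __name__ == "__main__":
    main()
```

Run it as a pre-upload step (or against downloaded artifacts) and fail the job on any finding; the `suspicious_path` check catches the common root cause of uploading a whole workspace, while the pattern scan catches tokens that ended up in logs or generated files.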