12
Comments
  • 4
    I strongly believe that this is followed by Docker hub attack
  • 1
    https://www.githubstatus.com/ is online and says it's github.com online but I can't visit

    Anyone else having a problem?
  • 2
    @gitlog works fine from here
  • 1
    @ArcaneEye I guess it is my college that has some issue in the firewall then
  • 3
    This is just follow on from the docker attack.

    This was just a matter of time before repos started being held to ransom, which is why you always have a backup outside of git.
  • 4
    I may be missing something here, but isn't it a bit stupid to hold a GitHub repo hostage when, by the very distributed nature of Git, everyone who has cloned the repo already has the entire history of it?

    I mean, usually you'll have your own local copy of the repo. Even if it's slightly outdated, it's not much harm done, right?
  • 1
    @ethernetzero but not everyone maintains a copy of git repo

    I sometimes use it as a backup storage
  • 2
    @gitlog That's a good point. Maybe the underlying problem here is that too many people use Git(la|hu)b|Bitbucket as the main source of truth for their repos, instead of it being their own local working copies, as it should be.
  • 2
    So... how did they get ahold of those passwords, api keys, etc.? Brute force, password db? Was there vulnerability in git? I don't get it.

    @ethernetzero there was also the threat of making public a private repo.
    Someone could also push a commit causing a vulnerability in any project. It's scary.

    But yes, what you're saying makes sense for a lot of cases. Git repos usually can't just be deleted
  • 2
  • 1
    @erandria there were some tokens in third party apps whose tokens got stolen (as specified by github in the joint blog)

    I recommend you to visit the link once
  • 2
    @gitlog I'm sorry, I swear read the whole thing and got most of it except that part.

    How can someone steal a token from a third party app in the first place?
    Can third party apps push commits with those tokens?
    How does 2FA stop this?

    nothing is making sense in me...
  • 2
    @erandria I guess they are asking people to implement 2FA just in case instead of tokens actually passwords were revealed as they also don't completely know how this all started

    2FA doesn't affect the party to whom token was designated, the ability to push commits.

    It depends on the type of token (which is generally stored in database only and don't have a specific series or something) if the party can push

    This is as far as I know
  • 1
    @erandria as they said

    "

    Through immediate independent investigations, all three companies observed that user accounts were compromised using legitimate credentials including passwords, app passwords, API keys, and personal access tokens.

    "

    And also, they suspect gitconfig files' leak responsible they have also specified recommendations regarding that
  • 2
    @gitlog They weote that there was leakage by third party apps

    I would appreciate if they disclosed which ones. That's the weird part to me, that they don't address that.

    I would not want to use a github app with poor token storage security.
Add Comment