Your Private GitHub Repos Aren't as Private as You Think

00:00

if you thought your private GitHub

00:02

repositories were safe from prying eyes

00:04

think again this blog post caught my

00:07

attention today and I'm kind of

00:09

surprised that no one's talking about it

00:10

because this seems like a big deal

00:12

anyone can access deleted and private

00:14

repository data on GitHub specifically

00:18

you can access data from deleted Forks

00:21

deleted repositories and even private

00:23

repositories on GitHub and it's

00:25

available Forever This is known by

00:28

GitHub and intentionally designed that

00:30

way that's right this is a feature not a

00:33

bug so what's the vulnerability here how

00:35

can you access this data here's how the

00:38

vulnerability Works accessing deleted

00:40

Fork data so let's say you have a fork

00:43

of a public repository you then commit

00:46

code to your fork and you delete your

00:48

fork so it would look something like

00:50

this you would create the fork commit

00:52

something let's say that code has some

00:55

private information that you don't want

00:56

people seeing for example you might have

00:59

accidentally put an API key or a

01:01

password or something like that in there

01:03

and then you delete it now a reasonable

01:06

person would say that okay this

01:08

repository has been deleted this

01:10

information should no longer be

01:12

available so it's fine no big deal

01:15

however that is a wrong assumption the

01:18

code is actually still accessible even

01:20

though it shouldn't be right you deleted

01:22

it but it is and it's accessible forever

01:25

out of your control there is absolutely

01:27

nothing that you can do to remove that

01:29

data dat from the public record here's

01:31

how you would do that so I'm going to go

01:33

to GitHub uh let's find some repository

01:36

YT DLP that looks good let me just

01:39

create a fork of

01:45

that let's edit this read me

01:49

file

01:50

secret commit the

01:52

changes

01:55

oops and now let's say I have this

01:58

information here this secret that I

02:00

don't want to be

02:01

public let me just copy that URL and

02:05

let's say okay I noticed that I

02:06

accidentally committed some information

02:08

that I shouldn't have so I'm just going

02:10

to delete the repository thinking that

02:12

that will remove this information from

02:14

the public record so I'll go to

02:17

settings delete this repository I want

02:20

to delete this repository

02:26

yes okay now it's gone that information

02:29

should no longer be publicly available

02:31

right well maybe let's go back to the YT

02:36

DLP

02:38

repository and if I paste in this URL

02:41

that I had before which contains the

02:43

commit hash let's see what we get so

02:47

notice that here it says this commit

02:49

does not belong to any branch on this

02:51

repository and may belong to a fork

02:52

outside the repository oh look here is

02:56

that commit that I made where I deleted

02:59

all of this information from the readme

03:01

and added a secret so this information

03:04

that I thought would no longer be

03:05

accessible actually is hm interesting

03:09

notice however that we needed to

03:10

actually know the commit ID to do this

03:13

and the commit ID is a pretty long hash

03:16

so trying to brute force that is

03:18

actually quite difficult so you might

03:20

think okay well at least there's some

03:22

kind of safety there but you don't need

03:25

the full hash let's see how far we can

03:27

get let's delete all that yep still

03:30

accessible let's go back one more let's

03:32

go back two more characters yep still

03:34

accessible we delete the B4 okay then

03:37

it's not found B still not found okay

03:40

looks like in this case the minimum that

03:43

we need is six characters which isn't

03:47

enough to be safe against a Brute Force

03:48

attack like that is not a huge number I

03:51

think each one of these is 16 since it's

03:54

a heximal and so 16 to^ of

03:58

6 it's a large number 16 million but

04:03

it's not large enough that I would

04:04

consider this to be secure so anyone

04:07

that knows the commit hashes and as I

04:09

mentioned earlier even the short commit

04:11

hashes which can possibly be brute

04:13

forced then they'd be able to access all

04:15

that private information the minimum

04:17

number of characters that get requires

04:19

for a short commit hash is actually Four

04:22

so instead of 16 to the 6 the minimum is

04:25

actually 16 to the 4 which is

04:31

65,536 very much in the realm of being

04:34

brute forcible and in fact the commit

04:36

hash is actually discoverable remember

04:39

how I mentioned that you need the commit

04:40

hash to access that private information

04:43

well here's a place where you can find

04:44

it GitHub archive this is a website that

04:47

basically archives every single event

04:49

that happens on GitHub there are 15 plus

04:52

event types which I won't go into the

04:54

details of but basically this is a

04:57

massive store of information about every

04:59

single thing that happens on GitHub

05:02

which includes commits this means that

05:04

the hashes for just about every commit

05:07

on every repository that was at once

05:09

public are available on this

05:12

website and how often can we find data

05:14

from deleted Forks well the person that

05:16

wrote this blog post Joe Leon from

05:18

truffle security company found 40 valid

05:21

API keys from deleted Forks in which

05:24

apparently users did something like this

05:26

first they forked the repo then they

05:28

hardcoded an API key in into an example

05:30

file then they did some changes and then

05:32

they deleted the fork like this this is

05:35

something that a new user might want to

05:36

do they'd see a placeholder in some

05:39

example file showing how to use the

05:42

program that's in a certain repository

05:43

and they'll just change the example file

05:46

to contain the API key that seems like a

05:48

reasonable way to do things as a new

05:50

user especially if you know that you're

05:52

going to delete the fork later

05:54

unfortunately this vulnerability shows

05:56

that no you absolutely should not do

05:58

that because even if if you delete the

06:00

fork you cannot trust GitHub to actually

06:03

securely delete it however that's not

06:05

the only vulnerability here it gets

06:07

worse accessing deleted repo data so

06:10

consider this situation you have a

06:12

public repository on GitHub some user

06:14

Forks your repo you commit data after

06:16

they Fork it and they never sync their

06:18

fork with your updates and you delete

06:20

the entire repo in this case the code

06:22

that you committed after they forked is

06:24

still accessible so as long as at least

06:27

one fork exists then that information

06:29

will be publicly accessible forever so I

06:32

mentioned earlier that this is a feature

06:34

instead of a bug and why is that well

06:36

let's go into the details so GitHub

06:39

stores repositories and forks in a kind

06:41

of repository network with the original

06:43

Upstream repository acting as the root

06:45

node it's like a tree the way that git

06:48

itself is a tree right you have an

06:50

initial commit and then you have

06:52

branches on top of that and you have a

06:54

whole history that comes back to this

06:56

route however in this GitHub repository

06:59

Network when a public Upstream

07:01

repository that has been forked is

07:02

deleted instead of just deleting the

07:04

whole tree because well GitHub you know

07:07

probably shouldn't do that you wouldn't

07:10

really want your fork to be deleted if

07:12

the Upstream goes away the way that

07:13

GitHub solves this issue is by

07:15

reassigning the root node to one of the

07:17

downstream Forks however notice what

07:19

happens here all of the commits from the

07:21

Upstream repository still exist and are

07:24

accessible via any fork and according to

07:26

the author this isn't some hypothetical

07:28

scenario and apparently this just

07:30

happened last week quote I submitted a

07:32

P1 vulnerability to a major tech company

07:34

showing that they accidentally committed

07:36

a private key for an employees GitHub

07:37

account that had significant access to

07:39

their entire GitHub organization so

07:42

obviously that is a pretty big security

07:44

vulnerability the company should first

07:45

of all get rid of that API key and

07:48

second of all probably remove that from

07:50

the history if possible well what they

07:52

did is they immediately you deleted the

07:54

repository but since it had been forked

07:57

you could still access the commit

07:58

containing sens data via a fork despite

08:01

the fork never sinking with the original

08:03

Upstream repository which is very scary

08:06

that seems like a huge violation of the

08:09

trust that users have in GitHub the

08:11

implication here is that any code

08:12

committed to any public repository may

08:15

be accessible forever as long as there

08:17

is at least one fork of that repository

08:20

so even if that fork doesn't have some

08:22

commits that are on your Upstream

08:25

version or on your private version or

08:27

anywhere as long as one public Fork

08:30

exists every commit in that repository

08:33

network is public forever but it gets

08:36

worse accessing private repo data okay

08:39

so consider this common workflow for

08:41

open sourcing a new tool on GitHub so

08:43

step one is you create a private repo

08:45

that will eventually be made public you

08:47

know you might not want to create it

08:48

publicly right off the bat because it's

08:50

still in a very early State and maybe it

08:53

just doesn't make sense to have people

08:54

looking into it and you know you're just

08:57

not ready to manage the community yet

08:58

perfectly reasonable afterwards you

09:00

create a private internal version of the

09:02

repo via forking and commit additional

09:04

code for features you're not going to

09:06

make public again that makes sense let's

09:08

say that this is something that you're

09:10

trying to make money from well that

09:12

seems like a reasonable way to do it you

09:13

might have a public version that is

09:16

fully open source that has all of its

09:18

code accessible and then you add some

09:20

kind of Enterprise features that you

09:22

want to charge money for in a private

09:24

fork okay seems reasonable and step

09:27

three you make your Upstream repository

09:29

public public and keep your fork private

09:31

this seems like a fairly common workflow

09:33

and you might think that the private

09:35

features that you added to your private

09:37

Fork are inaccessible to the public but

09:40

guess what they are 100% viewable by

09:44

anyone any code committed between the

09:45

time you created an internal Fork of

09:47

your tool and when you open source the

09:49

tool those commits are accessible on the

09:51

public repository so just to clarify any

09:54

commits you made to the private Fork

09:56

after you make the Upstream repository

09:58

public or are not viewable and the

10:00

reason for that is because changing the

10:02

visibility of a private Upstream

10:03

repository results in two repository

10:05

networks one for the private version and

10:07

one for the public version so looking at

10:09

these graph these commits that are on

10:12

this private Fork of the tool are public

10:15

and again here's a demo video I'm not

10:17

going to play it if you want to see the

10:19

details check out the link it'll be in

10:21

the description and this is a fairly

10:23

common workflow right like creating

10:25

something private and then creating a

10:27

private Fork of it and then making the

10:29

original public that seems like a

10:30

totally reasonable thing that many

10:32

people would do and would assume that

10:34

everything that is in the private Fork

10:36

stays private and everything that's in

10:38

the public Upstream version is public

10:41

but no apparently with GitHub that's not

10:43

the case so what does GitHub have to say

10:45

about this well the author submitted

10:47

their findings to GitHub via their bug

10:49

program and here's the response thanks

10:52

for the submission this is an

10:53

intentional design decision and is

10:55

working as expected as noted in our

10:57

documentation we make make this

10:59

functionality more strict in the future

11:01

but don't have anything to announce

11:02

right now so it's a feature not a bug

11:06

and it's pretty clear actually in their

11:07

documentation that it was designed to

11:09

work this way under important security

11:12

considerations you can see commits to

11:14

any repository in a fork Network can be

11:16

accessed from any repository in the same

11:18

Fork Network including the Upstream

11:20

repository and under the section

11:23

changing a private repository to a

11:24

public repository they say when you

11:27

change a private repository to public

11:29

all the commits in that repository

11:31

including any commits made in the

11:32

repositories that it was forked into

11:34

will be visible to everyone so there we

11:36

go it's in the docs GitHub says it's a

11:38

feature and that's how it's intended to

11:40

work however I don't think users really

11:44

understand that or at least most users

11:46

don't at least to me I haven't looked

11:48

into these pages in detail so you know

11:50

what maybe that's entirely my fault but

11:53

I think most users would assume that if

11:55

you delete something that information

11:57

will no longer be available and then

11:59

information in a private Fork will

12:01

always remain private so perhaps it's

12:03

time for GitHub to revisit this and the

12:05

author of the blog post agrees with me

12:07

the average user views the separation of

12:09

private and public repositories as a

12:11

security boundary and understandably

12:13

believes that any data located in a

12:15

private repository cannot be accessed by

12:17

public users unfortunately as we

12:19

documented above that is not always true

12:21

what's more the action of deletion

12:23

implies the destruction of data however

12:26

as we saw deleting a repository or Fork

12:28

does not mean that your commit data is

12:30

actually deleted now before any of you

12:32

FSF Shield jump in and say oh well

12:35

clearly this is Microsoft and

12:37

ifying the product and well if they

12:39

hadn't acquired GitHub this wouldn't

12:41

have happened and to that I say no I

12:43

don't think so GitHub was designed this

12:45

way from the start where it was supposed

12:48

to be a place for open code

12:49

collaboration where everything is

12:52

visible publically and all of this

12:54

information is available to anyone that

12:56

wants to see it so I would actually say

12:58

that if anything Microsoft didn't Focus

13:01

hard enough on what Enterprises want and

13:04

that is privacy and the ability to hide

13:06

information from people I think if they

13:08

focused a bit harder on that this issue

13:10

actually wouldn't have happened because

13:12

this functionality would have been

13:14

removed or changed earlier I'm not

13:16

against open source but I'm just saying

13:18

in this case it does seem like they're

13:20

taking open architecture a bit too far

13:23

so what are the takeaways from this well

13:24

the main one is as long as a fork exists

13:27

any commit to that Repository Network

13:29

which includes commits on the Upstream

13:31

repo or Downstream forks will exist

13:34

forever you cannot delete them you

13:36

cannot hide them they will always be

13:38

publicly accessible this means that

13:41

simply deleting a commit that

13:42

accidentally added some private

13:44

information is not enough if a private

13:46

API key was committed for example you

13:49

must immediately rotate that API key if

13:52

some private information such as maybe a

13:54

person's name and social security number

13:56

were committed too bad that information

13:59

will always be publicly accessible

14:01

forever the second takeaway is that

14:03

perhaps GitHub should change this now

14:06

GitHub has a reputation for being very

14:09

good about security right they put a lot

14:12

of work into making sure that their

14:14

products are very secure that things

14:17

that are private are intended to be

14:19

private right they have a very Advanced

14:21

security program they have you know all

14:23

these certifications by all these

14:25

standards and basically they've put a

14:27

lot of work into making sure that all of

14:30

the information that is intended to be

14:32

private is private so perhaps it's time

14:35

to change the way that these repository

14:37

networks work because security is only

14:40

as good as the users and if users don't

14:44

understand the security model and

14:46

clearly they don't then perhaps it's

14:48

time to change the security model but

14:51

what do you think did you know that

14:52

GitHub works this way cuz I sure as heck

14:54

didn't let me know in the comments