GitHub bugs allow account hijacking


Consultant scores $4000 bug bounty.

Software development hosting service GitHub has patched five bugs that, when chained together, allowed a researcher to access private repositories.


The hack combined several low-risk vulnerabilities into a working exploit, which earned Sakurity consultant Egor Homakov (@Homakov) $4000 under GitHub's bug bounty program, launched last week.

The vulnerabilities affected GitHub's implementation of the OAuth authorization protocol and included a partial open redirect, a Gist Camo bypass allowing referrer leakage, abuse of markdown caching, an OAuth token stored in the CookieStore session, and automatic approval of arbitrary OAuth scopes for Gist.

GitHub application security staffer Ben Toews thanked Homakov for his private disclosure, which placed him at the top of the site's bug bounty leaderboard.

"We are really impressed with the way you combined a series of non-high risk vulnerabilities into an effective exploit, capable of stealing Gist OAuth tokens," Toews wrote in an email to Homakov.

"Needless to say, we appreciate your hard work and talent."

OAuth allows third-party web services and apps to act on a GitHub user's account without the user sharing their password, but implementations of the complex protocol are prone to security errors, particularly around validation of the redirect_uri that the authorization code is sent to.

Homakov combined a bypass of redirect_uri validation with an access token vulnerability, a combination he said produced a "powerful vulnerability".

"Without the first bug, the second would be worth nothing as well. But together they turn into a powerful vulnerability — the attacker could hijack the authorisation code issued for a 'leaky' redirect_uri, then apply the leaked code on real client's callback to log [into the] victim's account," he wrote in a blog detailing the bugs.

A final step required a crafted URL to be loaded into the victim's browser.

"NoScript is not going to help. The exploit is script-less."
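The chain Homakov describes, as an added illustration that is not part of the article or of GitHub's code: a toy OAuth 2.0 authorization server whose redirect_uri check is a prefix match accepts a "leaky" redirect_uri built from the registered callback plus `/../leaky`. The victim's browser resolves the dot segments and lands, code in hand, on attacker-controlled content on the client's domain (standing in for the gist in the real attack); the attacker then presents the leaked code on the real client's callback and obtains the victim's token. The same model with exact redirect_uri matching (RFC 6749 §3.1.2.3) and a redirect_uri check at the token exchange (§4.1.3) refuses the request. Client names, URLs and the `/leaky` path are assumptions made up for the example.

```python
"""Toy OAuth 2.0 authorization-code flow: lax redirect_uri validation turns a
leaked authorization code into account access. Illustrative model only; not
GitHub's implementation. Names and URLs are constructed for the example."""
import posixpath
import secrets
from urllib.parse import urlsplit, urlunsplit


class AuthorizationServer:
    def __init__(self, strict):
        self.strict = strict
        self.clients = {}  # client_id -> registered redirect_uri
        self.codes = {}    # code -> (client_id, redirect_uri used, user)
        self.tokens = {}   # access token -> user

    def register(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def _redirect_uri_ok(self, client_id, redirect_uri):
        registered = self.clients[client_id]
        if self.strict:
            # Exact match against the registered value (RFC 6749 s3.1.2.3).
            return redirect_uri == registered
        # Weak: prefix match. "https://client.example/cb/../leaky" passes,
        # but a browser resolves it to "https://client.example/leaky".
        return redirect_uri.startswith(registered)

    def authorize(self, client_id, redirect_uri, user):
        """Authorization endpoint. The victim is already logged in (session
        cookie), so a crafted URL loaded in their browser is enough."""
        if not self._redirect_uri_ok(client_id, redirect_uri):
            return None
        code = secrets.token_hex(8)
        self.codes[code] = (client_id, redirect_uri, user)
        return redirect_uri + "?code=" + code

    def token(self, client_id, code, redirect_uri):
        """Token endpoint, called by the real client from its callback."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        if self.strict and entry[1] != redirect_uri:
            # redirect_uri at exchange must equal the one used to obtain the
            # code (RFC 6749 s4.1.3); this catches codes issued to a leaky URI.
            return None
        tok = secrets.token_hex(8)
        self.tokens[tok] = entry[2]
        return tok


def browser_follow(location):
    """Resolve dot segments the way a browser does before requesting a URL."""
    parts = urlsplit(location)
    path = posixpath.normpath(parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


REGISTERED = "https://client.example/cb"  # assumed registered callback


def run_attack(strict):
    """Return the user the attacker ends up holding a token for, or None."""
    srv = AuthorizationServer(strict)
    srv.register("real-client", REGISTERED)
    # Attacker controls content at https://client.example/leaky (assumption,
    # standing in for a gist on the client's domain) and crafts the URL.
    leaky = REGISTERED + "/../leaky"
    location = srv.authorize("real-client", leaky, user="victim")
    if location is None:
        return None  # strict server refused the leaky redirect_uri
    landed = browser_follow(location)
    assert urlsplit(landed).path == "/leaky"  # victim lands on attacker content
    # The code now leaks to the attacker, e.g. via the Referer of a resource
    # load from the attacker's page; modelled here as reading the query string.
    code = urlsplit(landed).query.split("=", 1)[1]
    # Attacker applies the leaked code on the real client's callback; the
    # client exchanges it using its own registered redirect_uri.
    tok = srv.token("real-client", code, REGISTERED)
    return None if tok is None else srv.tokens[tok]


if __name__ == "__main__":
    print("weak server  ->", run_attack(strict=False))  # victim
    print("strict server ->", run_attack(strict=True))  # None
```

The point of the model is the one Homakov makes: neither bug is much on its own. A prefix-matched redirect_uri only sends the code to a path the client's own domain hosts, and a leaked code is useless without somewhere to spend it; together they let an attacker log into the victim's account on the real client.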

An additional explanation of the vulnerabilities is available on Reddit.

The bug report follows Homakov's previous disclosures of mass-assignment and cookie-tossing bugs in GitHub.

The researcher also last month disclosed a session fixation vulnerability on the major Bitcoin exchange MtGox.

"Even top-notch Bitcoin websites are not as secure as payment providers should be. This vulnerability is really easy to find, so I suspect it's been used in the wild."

Copyright © iTnews.com.au . All rights reserved.