Public secrets exposure leads to supply chain attack on GitHub CodeQL

(www.praetorian.com)

297 points cyberbender | 1 comments | 30 Mar 25 19:54 UTC | HN request time: 0s | source

Show context

junto ◴[30 Mar 25 21:13 UTC] No.43527708[source]▶

>>43527044 (OP) #

They weren’t kidding on the response time. Very impressive from GitHub.

replies(1): >>43527835 #

belter ◴[30 Mar 25 21:28 UTC] No.43527835[source]▶

>>43527708 #

Not very impressive to have an exposed public token with full write credentials...

replies(2): >>43527843 #>>43528012 #

toomuchtodo ◴[30 Mar 25 21:52 UTC] No.43528012[source]▶

>>43527835 #

Perfect security does not exist. Their security system (people, tech) operated as expected with an impressive response time. Room for improvement, certainly, but there always is.

Edit: Success is not the absence of vulnerability, but introduction, detection, and response trends.

(Github enterprise comes out of my budget and I am responsible for appsec training and code IR, thoughts and opinions always my own)

replies(3): >>43528509 #>>43528711 #>>43528803 #

belter ◴[30 Mar 25 23:22 UTC] No.43528803[source]▶

>>43528012 #

> Their security system (people, tech) operated as expected

You mean not finding the vulnerability in the first place?

This would allow:

- Compromise intellectual property by exfiltrating the source code of all private repositories using CodeQL.

- Steal credentials within GitHub Actions secrets of any workflow job using CodeQL, and leverage those secrets to execute further supply chain attacks.

- Execute code on internal infrastructure running CodeQL workflows.

- Compromise GitHub Actions secrets of any workflow using the GitHub Actions Cache within a repo that uses CodeQL.

>> Success is not the absence of vulnerability, but introduction, detection, and response trends.

This isn’t a philosophy, it’s PR spin to reframe failure as progress...

replies(1): >>43528852 #

1. toomuchtodo ◴[30 Mar 25 23:29 UTC] No.43528852[source]▶

>>43528803 #

This is not great based on the potential exposure, but also not the end of the world. You’re free to your opinion of course wrt severity and impact, but folks aren’t going to leave GitHub over this in any material fashion imho. They had a failure, they will recover from it and move on. It’s certainly not PR from me, I don’t work for nor have any financial interest in GH or MS. I am a security person though, these are my opinions based on doing this for ~10 years (I am consistently exposed to security gore in my work), and we likely have an expectations disconnect.

As a customer, I’m not going to lose sleep over it. I’m going to document for any audits or other governance processes and carry on. I operate within "commercially reasonable" context for this work. Security is just very hard in a Sisyphus sort of way. We cannot not do it, but we also cannot be perfect, so there is always going to be vigorous debate over what enough is.

↑