Most active commenters
  • TheDong(4)

←back to thread

Ghrc.io appears to be malicious

(bmitch.net)
407 points todsacerdoti | 20 comments | 24 Aug 25 23:27 UTC | HN request time: 0.046s | source | bottom
1. nicce ◴[24 Aug 25 23:59 UTC] No.45008930[source]
GitHub Container registry does not even support fine-grained tokens, instead it uses classic ones [1], which makes this even more dangerous.

[1] https://docs.github.com/en/packages/working-with-a-github-pa...

Edit: most relevant issues?

https://github.com/orgs/community/discussions/38467

https://github.com/github/roadmap/issues/558

replies(2): >>45008951 #>>45009250 #
2. echelon ◴[25 Aug 25 00:03 UTC] No.45008951[source]
Someone near a computer that is feeling generous should buy up all the typo'd domain names and hand them over to Microsoft.

Microsoft should rename the registry. This is a horrible name. I know I've typo'd it before.

replies(4): >>45008966 #>>45010248 #>>45011719 #>>45017549 #
3. jsheard ◴[25 Aug 25 00:06 UTC] No.45008966[source]
Microsoft is paying top dollar for MarkMonitor, aren't they supposed to proactively register obvious typos so this kind of thing doesn't happen to their clients?
replies(1): >>45009076 #
4. VoidWhisperer ◴[25 Aug 25 00:28 UTC] No.45009076{3}[source]
My guess is that MarkMonitor is mainly used for their brand-relevant domains (microsoft, office 365, github (main site), etc), as opposed to one that a small subset of a small subset of their users of one service will use - I would imagine that microsoft likely owns hundreds of domain names and doesn't pay MarkMonitor to monitor every single one
replies(1): >>45014394 #
5. thaeli ◴[25 Aug 25 01:06 UTC] No.45009250[source]
Are there any additional mitigations folks are using for this? This issue is the only reason we can’t turn classic PATs off entirely.

Short lifetime mandatory reauth to enterprise SSO seems to be the best available, but it’s inconvenient for the single Classic PAT we actually need.

replies(1): >>45012489 #
6. TheDong ◴[25 Aug 25 04:37 UTC] No.45010248[source]
Good luck with that.

People over in this github-actions issue are struggling to get github's attention for a 1-line fix to stop hanging jobs forever https://github.com/actions/runner/issues/3792#issuecomment-3...

That bug is incredibly dumb and obvious. There's been a PR to fix it for over a year with no attention.

I bet there's not a dedicated "github domain names" team, it's probably part of some overworked platform or infrastructure team, and there's no chance in hell any email you send to microsoft or github will end up with that team ever.

You won't have anyone to transfer the names to, you'll just be holding them and paying for them forever.

The best thing you can do if you want to fix this is:

1. Don't make typos.

2. Email github and tell them to reserve typosquat domains, and know it will get ignored, or _maybe_ added to a backlog and ignored for at least the next 15 years

3. Don't make typos.

4. Don't use ghcr for anything, and always mirror public ghcr.io packages using a "bot" github account with only permissions to public repositories to minimize blast radius.

Actually, the best bet to get this fixed is to wait for Microsoft to provide "Email Github Copilot support", hope that they hooked it up so the AI is capable of making purchase decisions, and convince it to purchase about 6000 domain names that might be typoes for security reasons.

replies(3): >>45010618 #>>45010832 #>>45012883 #
7. worldsayshi ◴[25 Aug 25 05:48 UTC] No.45010618{3}[source]
> Don't use ghcr for anything

What is the alternative for small budget private code projects?

replies(1): >>45010999 #
8. fragmede ◴[25 Aug 25 06:25 UTC] No.45010832{3}[source]
Arguably, the best thing to do to "fix" the issue is to be an evil hacker, and do bad things with it, causing damage, stealing people's money, causing Microsoft to be liable, which causes them to get sued, so then they're monetarily incentivized to actually fix the problem. Just, uh, donate the money that was stolen to a charity and not be evil about it.
replies(1): >>45011008 #
9. TheDong ◴[25 Aug 25 06:48 UTC] No.45010999{4}[source]
Assuming you're not distributing container images to a huge number of people, you can just run your own docker registry with a hard-to typo name. It costs hardly anything to do: https://github.com/cloudflare/serverless-registry
replies(1): >>45011080 #
10. TheDong ◴[25 Aug 25 06:49 UTC] No.45011008{4}[source]
Someone already is "being an evil hacker" i.e. running ghrc.io

Is microsoft liable for people typoing a "docker login" command? Is there any chance of a lawsuit?

The fact that there is already someone exploiting it, and it's a big "meh" kinda proves the point perfectly that it's not really a big enough of a deal for the world to fall into chaos.

11. worldsayshi ◴[25 Aug 25 07:01 UTC] No.45011080{5}[source]
Yeah I've been thinking about doing this and I probably will. I just have a tendency to scope creep my own projects and I just decided that maybe I should just use ghcr since it's free.
12. nottorp ◴[25 Aug 25 08:50 UTC] No.45011719[source]
Why do they even need 1420 domain names for one service?

What's wrong with registry.github.com, pages.github.com etc etc?

Too much to type?

replies(1): >>45012333 #
13. koakuma-chan ◴[25 Aug 25 10:28 UTC] No.45012333{3}[source]
It may be easier to register a new domain than to get people to make a subdomain for you.
replies(1): >>45012515 #
14. lloeki ◴[25 Aug 25 10:55 UTC] No.45012489[source]
Maybe:

- create a GitHub App or something that can generate transient tokens

- implement some CLI that generates a token

- login with that token

- push

See e.g: https://medium.com/@tiwari09abhi/github-app-token-authorizat... https://martin.baillie.id/wrote/ephemeral-github-tokens-via-...

But I'm not even sure because GH auth system is all over the place and downright nuts in some places...

e.g a fine grained token with repo access can't curl a tarball with the usual URL, it has to use the /api which makes tooling that constructs URLs from repo names and versions break with no recourse as soon as you disable classic PATs

15. nottorp ◴[25 Aug 25 11:01 UTC] No.45012515{4}[source]
Isn't that an official MS service for github?
replies(1): >>45013268 #
16. antihero ◴[25 Aug 25 11:57 UTC] No.45012883{3}[source]
Apparently fixed five days ago: https://github.com/actions/runner/pull/3157

But yes a joke of a situation.

replies(1): >>45014575 #
17. koakuma-chan ◴[25 Aug 25 12:48 UTC] No.45013268{5}[source]
Yeah, and what I'm saying is that it may be hard to get people within your org to do something for you.
replies(1): >>45023659 #
18. gruez ◴[25 Aug 25 14:42 UTC] No.45014394{4}[source]
ghcr.io is registered by markmonitor.
19. TheDong ◴[25 Aug 25 14:56 UTC] No.45014575{4}[source]
"fixed" by still busylooping at 100% of a core in order to sleep.

I don't count that as totally fixed.

20. spixy ◴[25 Aug 25 18:54 UTC] No.45017549[source]
* GitHub Inc.