July 25, 2024 at 03:59PM
Truffle Security researchers discovered a vulnerability termed CFOR, allowing data access from deleted GitHub repository forks. Accessing a deleted commit through the original repo’s fork poses security risks. GitHub views this as an intended feature, not a flaw. The platform contains lingering “dangling commits” even after deletion. Truffle Security advises GitHub to reevaluate its stance.
From the meeting notes, it is clear that Truffle Security researchers have identified a potential security vulnerability in GitHub’s handling of deleted repositories and their copies (forks). This vulnerability, which they call Cross Fork Object Reference (CFOR), allows sensitive data in deleted or private forks to be accessed through other repositories in the same fork network, creating a potential risk for organizations and individuals.
The researchers found several instances where deleted repositories still allowed access to sensitive data via their forks, including one case involving a critical vulnerability report submitted to a major technology company. Even after the original repository was deleted, the sensitive data could still be accessed through a fork.
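The practical consequence of the finding above is that deleting a repository only removes commit data when nothing else in the fork network can still reach it. The following is an added example, not code from Truffle Security or GitHub: it takes JSON shaped like the GitHub REST API's repository object and its fork listing (the repository names and counts below are constructed for the example) and decides whether deletion alone would remove a leaked commit, or whether the data must be treated as still exposed.

```python
"""
Added example (not Truffle Security's or GitHub's code): assess whether
deleting a repository would actually remove commit data, given its fork
network. The two JSON documents below are constructed samples shaped like
a GitHub REST API repository object and the response of
GET /repos/{owner}/{repo}/forks; the names and counts are made up.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed sample: a public upstream repository with two forks.
REPO_JSON = json.dumps({
    "full_name": "example-org/payments-service",
    "private": False,
    "fork": False,
    "forks_count": 2,
})

# Constructed sample fork listing: one public fork, one private fork.
FORKS_JSON = json.dumps([
    {"full_name": "alice/payments-service", "private": False, "fork": True},
    {"full_name": "bob/payments-service", "private": True, "fork": True},
])


@dataclass
class DeletionAssessment:
    repo: str
    is_fork: bool
    known_fork_count: int
    public_forks: list[str] = field(default_factory=list)
    private_forks: list[str] = field(default_factory=list)
    deletion_removes_commits: bool = False
    action: str = ""


def assess_deletion(repo_json: str, forks_json: str) -> DeletionAssessment:
    """Model the CFOR condition described in the article: commits that have
    reached any other member of a fork network (an upstream or a fork)
    survive deletion of this repository and remain fetchable by hash."""
    repo = json.loads(repo_json)
    forks = json.loads(forks_json)

    # A fork listing may be paginated and therefore shorter than forks_count;
    # take the larger figure so truncated input never looks like "no forks".
    known_fork_count = max(int(repo.get("forks_count", 0)), len(forks))

    assessment = DeletionAssessment(
        repo=repo["full_name"],
        is_fork=bool(repo.get("fork", False)),
        known_fork_count=known_fork_count,
    )
    for f in forks:
        bucket = assessment.private_forks if f.get("private") else assessment.public_forks
        bucket.append(f["full_name"])

    # Deletion removes the objects only when this repo is alone in its network:
    # it is not itself a fork, and nobody has forked it.
    alone_in_network = not assessment.is_fork and known_fork_count == 0
    assessment.deletion_removes_commits = alone_in_network

    if alone_in_network:
        assessment.action = "deletion removes the commit data; no other repository shares it"
    else:
        # Recommendation added by this example: a leaked credential that reached
        # a fork network should be rotated, since deletion does not revoke access.
        assessment.action = (
            "treat the data as still exposed: rotate any leaked credentials; "
            "deleting this repository leaves the commits reachable via the fork network"
        )
    return assessment


if __name__ == "__main__":
    result = assess_deletion(REPO_JSON, FORKS_JSON)
    print(f"{result.repo}: forks={result.known_fork_count} "
          f"public={result.public_forks} private={result.private_forks}")
    print(f"deletion removes commits: {result.deletion_removes_commits}")
    print(f"action: {result.action}")
```

The private fork is listed separately because the article's point about the public/private distinction applies to it: its commits are still part of the same object store, so a private fork does not make the upstream's deleted commits private. A repository that is itself a fork is handled the same way, since its commits remain reachable through the upstream after the fork is deleted.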
GitHub’s response reflects its stance that this behavior is intentional and documented, and that it is a feature rather than a vulnerability. The company asserts that this behavior is inherent to how fork networks work and is consistent with its documentation.
Truffle Security advocates for reconsideration of GitHub’s position, arguing that the average user expects a clear distinction between the security levels of public and private repositories, an expectation that does not always hold. They also emphasize that users expect deletion to remove commit data, which is not always true in practice.
There are suggestions for potential improvements, such as creating a distinction in commit access between different forks and implementing a feature to permanently delete commits instead of leaving them dangling.
Overall, the meeting notes highlight the need for further discussion and potential action to address the identified security concerns related to repository deletion and data access via forks.