According to reports on April 23, the code hosting website GitHub is exposed to a serious flaw in its comment file upload feature.
Attackers can abuse this flaw to distribute malware. A user can upload a file to a comment on a chosen GitHub repository (even if the comment is never actually posted), and GitHub automatically generates a download link for it.
This link includes the name of the repository and its owner, which may trick victims into thinking the file is legitimate.
For example, the URL of a file uploaded this way can suggest that it comes from Microsoft, even though the project's code never references the file at all.
We have attached two examples as follows:
https//github[]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
https//github[]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
Moreover, abusing the flaw requires no special technical skill: it only takes uploading a malicious file to a comment on the chosen repository.
Attackers can upload malware to a comment in any trusted repository and then distribute it through the resulting GitHub link. Because these links sit on GitHub's own domain and their path names an official owner such as "Microsoft" together with one of its repositories, users are very likely to believe that the download is legitimate and safe.
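The link shape described above (GitHub's domain, then the owner and repository name, then a numeric attachment id and the filename) is something a defender can match on. The following is an added example, not code from the original post: a small scanner that refangs URLs written in the article's defanged style, recognizes comment-attachment links, and reports that the file is not part of the named repository. The sample lines are constructed; the first two URLs are the examples quoted in the article, and the release-download URL is a constructed non-matching case.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Path shape of a GitHub comment attachment, as described in the article:
# /<owner>/<repo>/files/<numeric id>/<filename>. The owner and repo come from
# where the comment was posted; the file was never committed to that repository.
ATTACHMENT_PATH = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/files/(?P<id>\d+)/(?P<name>[^/]+)$"
)

def refang(url: str) -> str:
    """Undo the defanging used in the article ('https//github[]com/...')."""
    url = url.replace("[.]", ".").replace("[]", ".")
    return re.sub(r"^(https?)(?!:)//", r"\1://", url)

def classify_attachment(url: str) -> Optional[dict]:
    """Return owner/repo/id/filename if `url` is a comment-attachment link on
    github.com; otherwise None (ordinary repo, release, or raw links are None)."""
    parsed = urlparse(refang(url))
    if parsed.scheme not in ("http", "https"):
        return None
    if parsed.hostname not in ("github.com", "www.github.com"):
        return None
    m = ATTACHMENT_PATH.match(parsed.path)
    if m is None:
        return None
    return {"owner": m["owner"], "repo": m["repo"],
            "attachment_id": int(m["id"]), "filename": m["name"]}

def flag_attachment_links(lines):
    """Scan text lines (proxy logs, chat exports, e-mail bodies) and return one
    finding per comment-attachment URL, stating why the link is not trustworthy."""
    findings = []
    for line in lines:
        for url in re.findall(r"https?:?//\S+", line):
            info = classify_attachment(url.rstrip(".,);"))
            if info:
                findings.append(
                    f"{info['filename']} is a comment attachment (id {info['attachment_id']}) "
                    f"served under {info['owner']}/{info['repo']} but not committed to that repository"
                )
    return findings

# Constructed sample lines; the first two URLs are the examples quoted in the article.
SAMPLE_LINES = [
    "user=alice url=https//github[]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip",
    "user=bob url=https://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip",
    "user=carol url=https://github.com/microsoft/vcpkg/releases/download/2024.01.12/vcpkg.zip",
]

if __name__ == "__main__":
    for finding in flag_attachment_links(SAMPLE_LINES):
        print(finding)
```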
GitHub has so far removed some of the malware links but has not yet fixed the underlying flaw.
For developers, there is currently no effective way to prevent this abuse; the only workaround is to disable comments entirely.