The metadata that developers look at when deciding whether to use an open source project on GitHub can be easily forged and gives attackers a way to trick users of the platform into downloading malicious code.
Developers therefore need to be diligent about verifying the identity of those committing code to the repository and not take the metadata at face value, researchers at Checkmarx warn in a new report.
Developers looking for an open source project on GitHub tend to favor those that are active, maintained, and are associated with developers that have an established track record on the platform. Among the data points that developers consider are the number of commits — or changes — that a contributor of open source code to GitHub might have made to a project over time. Git assigns a unique ID to each change that describes the specific change that was made, who created the change, and a timestamp for it. Generally, a project with a lot of commits associated with it is perceived as a sign that it is being actively maintained.
But an attacker can easily fake or forge all these data points to lend an appearance of credibility to their code and fool unwary developers into downloading malicious code, according to Checkmarx.
For example, the timestamp associated with each commit can be manipulated to make it appear like a change happened at a very different time than it did. All a threat actor has to do to pull that off is to alter two variables on their local machine, according to the report.
Easy to Establish Fake Credibility
A malicious actor who creates a brand-new account on GitHub can fabricate numerous commits with timestamps that go back over years to make it appear they have been active on the platform or a long time. "A prominent measure for a user activity on GitHub is the 'activity graph' presented on the user's profile page," Checkmarx's report says. "This graph is essentially a heatmap showing the user's activity through time. Hence, if we are able to fabricate commits with any timestamp we want, we can fill this graph with falsified activities."
Similarly, an attacker can push a poisoned commit to a GitHub repository by spoofing the identity of a trusted contributor. The attacker would just need to find out the trusted user's email address and then set the username and email address on the Git command line and commit changes. Though GitHub offers ways for developers to hide their email address, most do not use these features, making it possible for attackers to find it relatively easily, the report says.
The ability to spoof a user's account makes it possible for an attacker to populate their own project's contributor's section with the identities of other trusted individuals. This can fool developers into thinking the attacker's project is trustworthy and reliable, the security vendor says.
What makes this tactic alarming is the fact that the user being spoofed does not get any notification about their account being added as a contributor to another project.
Tzachi Zornstain, head of supply chain security at Checkmarx, says that to mitigate the risk of being fooled, developers should check if the code they plan on use was submitted by someone whose identity has been verified. GitHub offers a feature that allows developers to verify their identities when committing code.
"A developer can go and check if the commits that he is seeing are 'verified commits' or not, and based on that decide if he wants to trust those developers," Zornstain says. "If a project claims to have multiple contributors commit code [make sure] those commits are verified also."
He also recommends that developers use a GitHub feature that allows them to digitally sign their code, so their contribution is verified as their own. The feature includes a "vigilant mode" that displays the status of all code contributed under the name, including ones that others might submit under their name, GitHub also has noted that all developers who contribute code will need to turn on two-factor authentication by 2023 if they want to be able to continue doing so.
Checkmarx will also be releasing an open source tool soon that will help developers easily distinguish between commits and unverified commits to public projects so they cannot be easily tricked, he says. "If the way GitHub presents developer activity and contribution to projects would be based on verified commits," he says, "that would help drive the adoption of verified commits and won’t allow attackers to easily fool developers."