A newly discovered security vulnerability in GitHub Actions could expose sensitive tokens through leaked artifacts, putting countless software projects at risk, including those by big tech giants such as Google, Microsoft, and Red Hat. These tokens are used to authenticate and manage various cloud services and can inadvertently be included in publicly built artefacts.
If obtained by malicious actors, these tokens could grant unauthorised access to cloud environments, allowing them to inject malicious code or compromise critical infrastructure.
Artifacts are files generated during a workflow’s build process and handled within GitHub Actions. They can include compiled code, test reports, and deployment packages. Unfortunately, unsecured artifacts can leak sensitive information, such as GitHub tokens or cloud service credentials, that was present in the build workspace when the artifact was packaged.
“A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third-party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume,” researchers note. “This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.”
GitHub tokens, like GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN, are essential for authenticating and interacting with repositories during workflow execution.
However, due to a combination of misconfiguration and inherent security flaws, these tokens can find their way into publicly accessible artifacts. Once exposed, anyone with read access to the repository can exploit them, potentially leading to unauthorised code execution, data breaches, and other severe security risks.
Further analysis by cybersecurity experts reveals that this vulnerability is not limited to small or obscure projects. Instead, it affects some of the prominent open-source initiatives, including those of Google, Microsoft, and Red Hat.
Before mitigation, these vulnerabilities could have impacted millions of users, highlighting the far-reaching implications of insecure artefact management.
“The research laid out here allowed me to compromise dozens of projects maintained by well-known organisations, including firebase-js-sdk by Google, a JavaScript package directly referenced by 1.6 million public projects, according to GitHub,” said a cybersecurity expert.
Once in possession of these tokens, an attacker could execute a range of malicious activities. For instance, they could inject malicious code into the repository, which could be propagated through the CI/CD pipeline into production environments.
This scenario is particularly concerning for open-source projects, where such breaches could go unnoticed until significant damage has been done.
Moreover, the study demonstrates how attackers could exploit a race condition introduced by a recent GitHub update. This update allows artifacts to be downloaded before a workflow completes, providing a narrow window of opportunity for attackers to extract and use tokens before they expire.
In one instance, the researchers successfully exploited this flaw to create a branch within an open-source project without the necessary permissions, showcasing the potential for unauthorised code changes.
In response to these findings, several affected projects have taken swift action to secure their workflows. The researchers also developed a proof-of-concept custom action, upload-secure-artefact, which audits artefacts for sensitive information before they are uploaded, preventing accidental exposure.
Despite these efforts, researchers warn that the responsibility for securing artifacts largely falls on the users of GitHub repositories. Security experts recommend reducing workflow permissions, auditing artifact creation processes, and adopting a least-privilege approach to minimise the risk of token leakage.
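The audit-before-upload idea described in the two paragraphs above can be reproduced with a small pre-upload scanner. The following is an added example, not the researchers' upload-secure-artefact action nor any code from the article: it walks a directory that is about to become an artifact and flags files containing GitHub token formats (the `ghs_`/`ghp_` family and fine-grained `github_pat_` tokens), JWT-shaped bearer tokens such as ACTIONS_RUNTIME_TOKEN, AWS access key IDs, and the `extraheader = AUTHORIZATION:` line that actions/checkout writes into `.git/config` when it persists the job token. The sample artifact it scans is constructed inline with obviously fake values; the function and file names are this example's own.

```python
import base64
import os
import re
import tempfile
from pathlib import Path

# Credential shapes that commonly end up in CI build output. The GitHub token
# prefixes and the JWT layout are documented formats; the AWS pattern is the
# standard access-key-id prefix. The .git/config line is what actions/checkout
# leaves behind unless the step sets persist-credentials: false.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "jwt_bearer_token": re.compile(
        r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "git_extraheader_auth": re.compile(
        r"extraheader\s*=\s*AUTHORIZATION:", re.IGNORECASE),
}


def audit_artifact_dir(root) -> list[dict]:
    """Return one finding per credential match under root (file, kind, line)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip, the build itself is not our concern
        rel = path.relative_to(root).as_posix()
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                findings.append({
                    "file": rel,
                    "kind": kind,
                    "line": text.count("\n", 0, m.start()) + 1,
                })
    return findings


def build_sample_artifact(with_secrets: bool = True) -> str:
    """Constructed sample: a checkout workspace that was uploaded whole.

    The token values are placeholders (repeated letters), not real secrets.
    """
    root = Path(tempfile.mkdtemp(prefix="artifact-"))
    (root / "README.md").write_text("nothing sensitive here\n")
    if with_secrets:
        (root / ".git").mkdir()
        # actions/checkout stores the token base64-encoded in an extraheader;
        # the raw token is not visible, so only the header pattern will fire.
        fake_header = base64.b64encode(b"x-access-token:ghs_" + b"A" * 36).decode()
        (root / ".git" / "config").write_text(
            '[http "https://github.com/"]\n'
            f"\textraheader = AUTHORIZATION: basic {fake_header}\n")
        # A build log that echoed the job token in clear text.
        (root / "build.log").write_text(
            "ok\nexport GITHUB_TOKEN=ghs_" + "B" * 36 + "\n")
    return str(root)


def main() -> int:
    root = build_sample_artifact()
    findings = audit_artifact_dir(root)
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['kind']}")
    # Non-zero exit so a CI step placed before actions/upload-artifact
    # fails the job instead of publishing the leaked credential.
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run this as a workflow step ahead of `actions/upload-artifact` and let a non-zero exit fail the job. The scanner only catches the symptom; the settings that remove the cause are `persist-credentials: false` on the `actions/checkout` step, uploading specific build outputs rather than the whole workspace, and an explicit top-level `permissions:` block so the job token carries the least privilege the workflow needs.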