How attackers might use GitHub Codespaces to hide malware delivery

Attackers could start abusing GitHub Codespaces, a new service that allows developers to create and test applications inside development containers running on GitHub’s servers. Developers can make their applications accessible via public GitHub URLs for preview by others, a functionality that can be abused to distribute malware payloads in a stealthy way.

“If the application port is shared privately, browser cookies are used and required for authentication,” researchers from security firm Trend Micro said in a new report. “However, if ports are shared with the public (that is, without authentication or authentication context), attackers can abuse this feature to host malicious content such as scripts and malware samples.”

GitHub Codespaces and port forwarding

Codespaces is a cloud-based integrated development environment (IDE) that can be used to write and run code directly inside a web-based interface instead of using a locally hosted environment, which can take a lot of time to configure. Developers can use dev containers preconfigured with all the tools, libraries, and programming runtimes they need for their code to run, then execute this container on GitHub’s cloud and control it through the GitHub CLI.

Dev containers will be executed automatically if they’re uploaded to a user’s repository with an accompanying configuration file. This provides a lot of flexibility and automation possibilities compared to traditional setups and GitHub offers 60 hours/month for free on a two-core VM.

Every Codespaces environment lives in its own VM and has an isolated virtual network. However, developers can choose to use a feature called port forwarding to share preview links to their applications with other members of their organization or publicly.

For example, if the user forwards an internal application on port 8080, the service will generate a unique URL of the form <GitHub_Username>-<codespace_name>-<random_identifier>-<exposed_port>.preview.app.github.dev. This is essentially a unique subdomain on the preview.app.github.dev domain.
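The hostname pattern above is the one artifact a defender can key on. The following added example (not from the article or from Trend Micro) parses preview.app.github.dev hostnames from constructed proxy log lines and flags fetches from publicly forwarded Codespaces ports; the log format, IPs and hostnames are all made up for the demonstration.

```python
import re
from urllib.parse import urlparse

# Publicly forwarded Codespaces ports use hostnames of the form described in the article:
# <user>-<codespace_name>-<random_identifier>-<port>.preview.app.github.dev
PREVIEW_SUFFIX = ".preview.app.github.dev"
LABEL_RE = re.compile(r"^(?P<prefix>[a-z0-9-]+)-(?P<rand>[a-z0-9]+)-(?P<port>\d{1,5})$")

def parse_preview_host(host: str):
    """Return (prefix, random_id, port) for a Codespaces preview hostname, else None.

    'prefix' holds <user>-<codespace_name>; both parts may contain hyphens, so they
    cannot be split apart reliably from the hostname alone. Parsing runs right to left
    because the random identifier and the port are the only fixed-shape segments."""
    host = host.lower().rstrip(".")
    if not host.endswith(PREVIEW_SUFFIX):
        return None  # also rejects lookalikes such as preview.app.github.dev.<other>.tld
    label = host[: -len(PREVIEW_SUFFIX)]
    if "." in label:
        return None  # exactly one label is expected in front of the suffix
    m = LABEL_RE.match(label)
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("prefix"), m.group("rand"), port

# Constructed proxy log lines (not real traffic): "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2023-01-20T10:01:02Z 10.0.0.5 GET https://github.com/octocat/Hello-World 200
2023-01-20T10:01:09Z 10.0.0.5 GET https://alice-dev-abcdef123456-8080.preview.app.github.dev/update.ps1 200
2023-01-20T10:02:11Z 10.0.0.7 GET https://docs.github.com/en/codespaces 200
2023-01-20T10:03:45Z 10.0.0.9 GET https://bob-myspace-zyx987-3000.preview.app.github.dev/ 200
2023-01-20T10:04:00Z 10.0.0.9 GET https://x-y-1234.preview.app.github.dev.example.net/ 200
"""

def find_preview_downloads(log_text: str):
    """Return (client_ip, host, port, path) for every request to a public Codespaces preview URL."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash the sweep
        url = urlparse(parts[3])
        parsed = parse_preview_host(url.hostname or "")
        if parsed is None:
            continue
        hits.append((parts[1], url.hostname, parsed[2], url.path or "/"))
    return hits

if __name__ == "__main__":
    for hit in find_preview_downloads(SAMPLE_LOG):
        print("public Codespaces preview fetch:", hit)
```

Because the preview URL is legitimate GitHub infrastructure, a hit is a triage signal (which hosts fetched what, from which forwarded port), not proof of malware on its own.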

Copyright © 2023 IDG Communications, Inc.
