We Hacked GitHub for a Month: Here’s What We Found

Introduction

Reconnaissance

However, upon reviewing the information gathered, we found that there was limited scope for attack on the target, npmjs.com and npmjs.org. Our in-house product, X, made the reconnaissance process a breeze, and we’re excited to announce that the private beta will be available soon to the general public.

Focusing on Business Logic

Vulnerabilities Discovered

Even though we mentioned that about 9 vulnerabilities were reported, we are going to write about 3 of them here today, which are listed below:

  1. Login Verification Bypass On npmjs.com
  2. Pre-Account Takeover On npmjs.com
  3. Access Control Issue On education.github.com

Login Verification Bypass ON NPMJS

Description –

Every link was formatted like https://npmjs.com/verify/{some_random_token_here}, for all functionality on the site: password reset, email verification, or any other link for any purpose. Next, we observed that every time you log into the application, it sends a verification code to your registered email address, and you have to enter that code as part of the login verification feature (a kind of 2FA/MFA code over email) to successfully log into the account. We then tried to bypass this functionality and succeeded. Because we had used the application extensively over the previous 2 hours, we knew each feature and could relate them to one another, which is how we found the bypass; read the steps to reproduce below to see how we did it.

During our examination of the authentication process and common functionalities of npmjs.com, such as updating email addresses and profiles, we discovered a peculiar behavior in the format of email verification links, password reset links, and links sent to update email addresses. These links were formatted as https://npmjs.com/verify/{random_token}, and were used for all functionalities, including password reset, email verification, and others.

We also noticed that every time a user logged into the application, a verification code was sent to the registered email address. This code was required to complete the login process, acting as a form of two-factor authentication. The second thing we noticed was that when updating an email address on npmjs, the update would go through without requiring a password confirmation. An email would be sent to both the old and the new address. The email to the old address informed the recipient that if they had not made the change, they could click a link (https://npmjs.com/verify/{some_random_token_here}) to revert it and make the old address current again. The email to the new address contained a link to verify the new email and link it to the account that had just been updated.

We encountered a surprising issue while trying to log into an account after updating the email address in the profile page. Despite not having confirmed or clicked on any links in either the old or the new email, the system displayed a message indicating that a verification code had been sent to the new, unverified address. This seemed to suggest that we would not be able to log in. However, upon closer inspection, we discovered an email sent to our old address, asking us to revert the change in order to avoid account lockout. Upon clicking the provided link (https://npmjs.com/verify/{random_token}) to revert the email, we were directed to the login page. To our surprise, when we entered our credentials, the system did not ask for the verification code and instead allowed us to log in and revert the email change.

However, upon further investigation, we were able to successfully bypass this functionality. Our deep understanding of the application, gained from spending two hours familiarizing ourselves with its features, allowed us to relate different functionalities and find the bypass. The steps to reproduce the bypass can be found below.
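As an added illustration from the defender's side (not code from the post, and not npm's implementation), here is a minimal in-memory model of the flow described above: an email change that takes effect immediately, a revert link mailed to the old address, and a login that requires an emailed code. The flawed variant assumes the revert-link handler also marks the session as having passed the login code, which is one plausible root cause and not one the post states; the hardened variant only reverts the address, so the login code is still required.

```python
import secrets

class AuthService:
    """Email-change + login-code flow. All state is in memory; no real mail is sent."""

    def __init__(self, vulnerable: bool):
        self.vulnerable = vulnerable          # True: revert link also satisfies the login check (assumed flaw)
        self.accounts = {}                    # username -> {"email", "password"}
        self.links = {}                       # token -> (purpose, username, payload)
        self.login_codes = {}                 # username -> one-time code "mailed" to the user

    def register(self, user, email, password):
        self.accounts[user] = {"email": email, "password": password}

    def _link(self, purpose, user, payload=None):
        token = secrets.token_urlsafe(16)     # stands in for /verify/{random_token}
        self.links[token] = (purpose, user, payload)
        return token

    def update_email(self, user, new_email):
        """Switches the address at once (as the post observed) and 'mails' two links."""
        acct = self.accounts[user]
        old_email, acct["email"] = acct["email"], new_email
        return {"verify_new": self._link("verify_new", user),
                "revert": self._link("revert", user, old_email)}

    def follow_link(self, token, session):
        """Handle a /verify/{token} click for the browser session that clicked it."""
        purpose, user, payload = self.links.pop(token)
        if purpose == "revert":
            self.accounts[user]["email"] = payload
            if self.vulnerable:
                # Flaw: a mailed link is treated as proof that the login code was passed.
                session["login_code_ok"] = user
        return purpose

    def login(self, user, password, session, code=None):
        acct = self.accounts.get(user)
        if acct is None or acct["password"] != password:
            return "denied"
        if session.get("login_code_ok") == user:
            return "logged_in"                # already passed the email code in this session
        expected = self.login_codes.setdefault(user, secrets.token_hex(3))
        if code is None or code != expected:
            return "code_required"            # code was "sent" to acct["email"]
        self.login_codes.pop(user)
        session["login_code_ok"] = user
        return "logged_in"
```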

Click here or visit https://blog.cyberxplore.com/we-hacked-github-for-a-month-heres-what-we-found/ to read the complete blog post at the CyberXplore blog.

Don’t Forget To Follow Our Security Researchers –

Follow Us -

Twitter → @MrRajputHacker @Th3Pr0xyB0y

Instagram → @MrRajputHacker @vanshdevgan

Linkedin → MrRajputHacker @th3pr0xyb0y

Medium → @mrrajputhacker @th3pr0xyb0y


CyberXplore Pvt Ltd. is a cyber security focused company helping organizations around the world by building a cloud-based asset monitoring & automation platform!
