Published in · 5 min read · May 30, 2024
--
Picture this: you’re sipping your coffee, casually committing your latest code changes to GitHub, when suddenly you realize your commit is credited to Linus Torvalds. Sounds like a coder’s dream, right? Well, it’s a bizarre vulnerability I recently discovered. Join me on this unexpected journey as I reveal how I stumbled upon this GitHub quirk, and what it means for our beloved open-source projects.
It all started on an ordinary workday. Having accidentally left my computer at the office, I decided to use my grandmother’s computer as a temporary solution. Setting up my development environment, I cloned my company’s private repository using the GitHub CLI with my credentials. After a few hours of coding, I committed and pushed my changes as usual.
When I logged into GitHub’s web interface to review my commit, I nearly spilled my coffee. There, staring back at me, was my grandmother’s name — ” Rachel Lavi ” — attached to the commit. How could this be? I had authenticated with a completely different user! Panic set in. If my company discovered my grandmother’s identity linked to the commit, it would be a serious breach of protocol.
Determined to understand what happened, I started investigating my Git configuration. Despite my thorough search, there was no trace of my grandma’s name.
Then, a light bulb went off: The user.name and user.email settings in Git. If no user information is manually defined in the Git CLI, it defaults to the computer’s name. It occurred to me: could I actually set these to impersonate another user?
With a mix of excitement and anxiety, I decided to test my theory. I targeted a known commit, extracting the user name and email. By configuring my Git CLI with these credentials, I made a new commit. To my amazement, the commit appeared under the name of the targeted user, complete with a link to their GitHub profile. It was as if I had a secret identity, but without the cape and superpowers.
Curiosity got the better of me, and I decided to take this newfound power for a test drive. I chose a well-known open-source project on GitHub, forked the repository, and set my Git configuration to impersonate one of its main maintainers. My goal: revert the latest commit and leave a message, seemingly from the other maintainer.
After making the changes and issuing a pull request, I watched suspensefully. The project’s actual maintainer reviewed the PR, saw that it appeared to come from their trusted co-maintainer, and approved it. My changes were merged into the main project without question. Imagine the chaos if my intentions had been malicious! This playful experiment revealed a serious flaw.
If you’re curious (or skeptical), here’s how you can reproduce this quirky behavior:
- Install Git CLI and clone your target repository.
- Select a target commit you would like to impersonate the user of, and copy the commit’s hash.
- Execute the following command to view the metadata of the chosen commit:
git show <target commit hash>- Copy the username and email from the commit metadata.
- Configure your Git CLI with the target user’s information:
git config — global — replace-all user.name “<target user name>”git config — global — replace-all user.email “<target user email>”
- Verify the configuration with
git config —global —list- Make your changes to the cloned project’s source code.
- Commit and push your changes:git add <file name>
- git commit -m “some message”
- git push origin <target branch name>
- Check GitHub’s web interface and see your commit displayed as if made by the target user.
While this discovery started as a fun experiment, it uncovered a significant issue. This vulnerability undermines the trust in open-source projects. A mischievous coder could:
•Introduce harmful code into trusted repositories.
•Mislead maintainers and contributors.
•Compromise the integrity of projects and potentially harm countless users.
Additionally, this behavior can lead to significant information disclosure and privacy violations. Consider a user who uses a private email address to maintain anonymity online. If an incident like the one described occurs, it could inadvertently reveal their identity. Such unintended disclosures can have severe consequences, undermining the privacy protections that many users depend on.
Interestingly, this isn’t a new discovery. GitHub is aware of this issue and considers it a “feature” rather than a vulnerability. According to GitHub, impersonating another user through commits doesn’t grant unauthorized access to repositories or additional privileges. They emphasize that this behavior doesn’t compromise accounts and has been a part of their platform for years without significant abuse.
However, I strongly disagree with this assessment. The ability to spoof commits can have disturbing consequences. Imagine a scenario where a malicious actor injects harmful code into a widely-used open-source project. The code appears to come from a trusted contributor, potentially deceiving maintainers and users alike. This isn’t just a quirky feature; it’s a serious security flaw that needs addressing.
GitHub offers Commit Signature Verification, allowing users to sign their commits cryptographically. Enabling “vigilant mode” enhances this by displaying verification statuses for all commits, highlighting unsigned commits. However, many users are unaware of this feature, and not all commits in major projects are signed. Raising awareness and encouraging the use of commit signatures is essential to mitigate this vulnerability.
Commit Spoofing Scenarios: The top section displays impersonation, non-existing credentials, and real credentials, mirroring my boss’s actual commits in the bottom section.
My spoofed commit, linked to my boss’s profile (the owner of the repository!)
Sometimes, the most surprising discoveries come from everyday activities. While this GitHub quirk initially seemed like a fun trick, it has serious implications. By sharing this story, I hope to raise awareness and drive the adoption of measures to safeguard open-source projects. Let’s advocate for better security practices and ensure the integrity of our collaborative efforts.
So, the next time you browse GitHub, remember: with great commit power comes great responsibility! This quirk may not be a security issue in GitHub’s eyes, but responsible disclosure empowers us to raise awareness and advocate for change.
