GitHub Codespaces can be hijacked to send out malware

[Image: GitHub webpage (Image credit: Gil C / Shutterstock)]

A recently introduced GitHub feature can be abused to host and distribute malware among the software developer community, experts have claimed.

Cybersecurity researchers from Trend Micro have published a report detailing how GitHub Codespaces can be abused to deliver malicious scripts to unsuspecting software developers. 

GitHub describes Codespaces, launched in November 2022, as “an instant, cloud-based development environment that uses a container to provide you with common languages, tools, and utilities for development.” In other words, developers can write and test code directly in the browser.


TCP port forwarding woes

The problem lies in the fact that Codespaces allows TCP port forwarding, a well-intentioned feature that lets devs share their work with the public, likely for testing. Whoever knows the URL can access the work. So, in theory, a threat actor can run a Python web server, upload malware to the Codespace, open a web server port, and set its visibility to “public”.

"To validate our hypothesis of threat modeling abuse scenario, we ran a Python-based HTTP server on port 8080, forwarded and exposed the port publicly," Trend Micro said in its report. "In the process, we easily found the URL and the absence of cookies for authentication."

Furthermore, port forwarding uses HTTP by default, but hackers can easily set it to HTTPS to reinforce the false sense of security. Adding insult to injury, GitHub is considered a trusted environment and the traffic comes from Microsoft infrastructure, so it is unlikely to raise any antivirus alarms.

But that’s not all. A Codespaces feature called “Dev Containers” can also be abused to distribute the malware more seamlessly. This feature allows developers to create pre-configured containers holding all the necessary dependencies for a project. 

BleepingComputer said it managed to create a malicious web server with Codespaces “in less than 10 minutes, with zero experience with the feature”.

"Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments. Since each created Codespace has a unique identifier, the subdomain associated is unique as well," Trend Micro concluded. "This gives the attacker enough ground to create different instances of open directories."
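The two points above (a forwarded port becomes a public URL, and every Codespace gets its own unique subdomain, so exact-host blocklists do not help) suggest what a defender can key on instead: the parent domain that all forwarded-port URLs share. The following is an added example for this article, not code from Trend Micro, BleepingComputer or GitHub. It parses a few constructed proxy log lines, recognises destination hosts of the form `<codespace-name>-<port>.app.github.dev` (assumed here to be the Codespaces port-forwarding host pattern) and flags responses whose content type looks like a file download rather than a web page or API call, whether the request went over HTTP or HTTPS. The log format and the sample entries are constructed for the example.

```python
"""Flag file downloads served from GitHub Codespaces forwarded ports.

Added example (not from the article). Assumptions: forwarded-port hosts look
like <codespace-name>-<port>.app.github.dev, and proxy logs have the form
    <timestamp> <client-ip> <method> <url> <status> "<content-type>"
The SAMPLE_LOG entries below are constructed, not real traffic.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Host pattern assumed for Codespaces port forwarding; the codespace name is
# unique per instance, so the only stable element is the parent domain.
CODESPACE_HOST_RE = re.compile(
    r"^(?P<name>[a-z0-9-]+)-(?P<port>\d{1,5})\.app\.github\.dev$", re.IGNORECASE
)

# Constructed proxy log format: ts client method url status "content-type"
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
    r'(?P<scheme>https?)://(?P<host>[^/\s:]+)(?P<path>/\S*) '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# Content types that indicate a file being pulled down rather than a page
# or API response; a preview of a web app rarely serves these.
DOWNLOAD_CONTENT_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-sh",
    "application/zip",
}

# Constructed sample log: two downloads from two different codespaces, one
# harmless API call over plain HTTP, and one unrelated github.com page view.
SAMPLE_LOG = """
2023-01-17T10:01:02Z 10.0.0.5 GET https://silver-space-waffle-abc123-8080.app.github.dev/ 200 "text/html"
2023-01-17T10:01:09Z 10.0.0.5 GET https://silver-space-waffle-abc123-8080.app.github.dev/setup.exe 200 "application/x-msdownload"
2023-01-17T10:02:15Z 10.0.0.7 GET http://legit-glorious-xyz789-3000.app.github.dev/api/health 200 "application/json"
2023-01-17T10:03:00Z 10.0.0.9 GET https://github.com/octo/repo 200 "text/html"
2023-01-17T10:04:21Z 10.0.0.5 GET https://another-codespace-def456-8000.app.github.dev/payload.sh 200 "application/x-sh"
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    client: str
    codespace: str
    port: int
    scheme: str
    path: str
    content_type: str


def parse_line(line: str) -> Optional[dict]:
    """Return the log fields as a dict, or None for lines in another format."""
    m = LOG_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def codespace_host(host: str) -> Optional[Tuple[str, int]]:
    """Split a forwarded-port host into (codespace name, port); None otherwise."""
    m = CODESPACE_HOST_RE.match(host)
    if m is None:
        return None
    return m.group("name"), int(m.group("port"))


def find_codespace_downloads(lines: Iterable[str]) -> List[Finding]:
    """Flag entries where a download-like response came from a forwarded port."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cs = codespace_host(rec["host"])
        if cs is None:
            continue
        # Strip parameters such as "; charset=..." before comparing.
        ctype = rec["ctype"].split(";")[0].strip().lower()
        if ctype not in DOWNLOAD_CONTENT_TYPES:
            continue
        name, port = cs
        findings.append(Finding(rec["client"], name, port, rec["scheme"], rec["path"], ctype))
    return findings


def distinct_codespaces(findings: Iterable[Finding]) -> Set[str]:
    """Distinct codespace names seen; each one is a separate, unique subdomain."""
    return {f.codespace for f in findings}


if __name__ == "__main__":
    hits = find_codespace_downloads(SAMPLE_LOG)
    for f in hits:
        print(f"{f.client} fetched {f.path} ({f.content_type}) from codespace "
              f"{f.codespace} port {f.port} over {f.scheme}")
    print("distinct codespaces involved:", sorted(distinct_codespaces(hits)))
```

Matching on the parent domain rather than the full host is deliberate: the article notes that every Codespace gets a unique subdomain, so a rule tied to one host would be stale as soon as the next instance is created. The content-type check is a heuristic and will miss downloads served with a misleading type; it is a starting point for triage, not a complete control.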

GitHub is currently silent on the matter on its channels.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.