
Abuse of GitHub Codespaces may Turn it into Malware Distribution Center

Recent research has demonstrated that it is possible to abuse the real-time code development and collaboration features of GitHub Codespaces to deliver malware. Moreover, by abusing these features, attackers can host malicious file servers on GitHub accounts.

A brief about GitHub Codespaces

GitHub Codespaces is a cloud-hosted development environment that offers pre-configured containers optimized for development projects. It allows developers to write and edit code and run it directly within a web browser.
  • It was rolled out for the public in November of last year, and all personal accounts on GitHub have a monthly quota for free use of GitHub Codespaces.
  • The platform allows developers to share their work with external users by means of TCP port forwarding for testing purposes.

But there’s a catch!

When port forwarding is used inside a Codespace environment, GitHub generates a URL to access the app running on that port. The developer can decide to keep this forwarded port public or private.
  • When the port is kept private, external users must authenticate with a token or cookies before they can access the URL.
  • Public ports, however, are accessible to everyone, and no authentication is required.
  • Researchers were able to demonstrate that this feature can be abused by attackers to host malicious content on the platform.

Serving malware via GitHub Codespaces

Researchers demoed via a PoC that it is possible to configure GitHub Codespaces as a web server and use it to distribute malicious content.
  • An attacker can run a simple Python web server, host malicious code or malware on their Codespace, and expose the web port for public visibility.
  • The URL generated for that public port can be used to fetch the malicious code without any authentication. The malware can therefore be downloaded easily, without raising any security flags.
  • Moreover, the use of Dev Containers (full-featured development environments) makes it possible to distribute malicious content much faster and more efficiently.
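As an added defender-side example (not from the original article or the researchers' PoC), the following Python script scans proxy logs for binary downloads served from a publicly forwarded Codespaces port, the kind of traffic the article says would otherwise raise no flags. The hostname shape `<codespace-name>-<port>.app.github.dev`, the log line format and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic):
# time, client, method, url, status, content-type
SAMPLE_LOG = """\
2023-01-17T10:02:11Z 10.0.0.5 GET https://github.com/org/repo 200 text/html
2023-01-17T10:02:15Z 10.0.0.5 GET https://bookish-space-1234-8000.app.github.dev/update.exe 200 application/octet-stream
2023-01-17T10:03:40Z 10.0.0.9 GET https://bookish-space-1234-8000.app.github.dev/ 200 text/html
2023-01-17T10:05:02Z 10.0.0.7 GET https://bookish-space-1234-8000.app.github.dev/payload.zip 200 application/zip
2023-01-17T10:06:30Z 10.0.0.7 GET https://example.com/index.html 200 text/html
"""

# Assumed hostname shape of a publicly forwarded Codespaces port: <codespace-name>-<port>.app.github.dev
FORWARDED_PORT_HOST = re.compile(r"^(?P<name>[a-z0-9-]+)-(?P<port>\d{2,5})\.app\.github\.dev$")
# Content types and extensions that indicate a file download rather than a page view
BINARY_TYPES = {"application/octet-stream", "application/zip", "application/x-msdownload", "application/x-dosexec"}
BINARY_EXTENSIONS = (".exe", ".dll", ".zip", ".msi", ".ps1", ".sh")


def parse_line(line):
    """Split one log line into its six fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, ctype = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status, "ctype": ctype.lower()}


def flag_codespace_downloads(log_text):
    """Return one record per successful binary download from a forwarded Codespaces port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != "200":
            continue
        parsed = urlparse(rec["url"])
        match = FORWARDED_PORT_HOST.match(parsed.hostname or "")
        if not match:
            continue  # not a forwarded-port host, ignore
        path = parsed.path
        if rec["ctype"] in BINARY_TYPES or path.lower().endswith(BINARY_EXTENSIONS):
            hits.append({"client": rec["client"], "codespace": match.group("name"),
                         "port": int(match.group("port")), "path": path})
    return hits


if __name__ == "__main__":
    for hit in flag_codespace_downloads(SAMPLE_LOG):
        print(hit)
```

Hits on a real proxy feed would be reviewed rather than blocked outright, since legitimate developers also test applications over public forwarded ports.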

Concluding notes

Public hosting services such as GitHub Codespaces often face the risk of abuse by attackers aiming to operate malicious campaigns. Several attackers are already using similar methods for abusing other trustworthy public hosting services, such as Microsoft Azure, Google Cloud, and Amazon AWS for distributing malware. Therefore, developers and cloud security specialists should consider the risks associated with such public hosting platforms and take appropriate measures to reduce the risks.
Cyware Publisher
