Researchers have highlighted a serious privacy and security flaw: GitHub retains data from deleted and private repositories and keeps it reachable. While it may appear to be a new discovery, GitHub has already transparently disclosed this design flaw in its Privacy Policy.
Security Issue With GitHub Retaining Private And Deleted Data
As shared in a recent blog post, researchers from Truffle Security noticed a security flaw (which turned out to be a design flaw) in GitHub.
While the post explains it all in detail, in brief, the problem lies in how GitHub is designed. The researchers noticed that GitHub retains deleted or private repositories, including data deleted after a fork was made. That means any user, including organizations, who has been deleting data or repositories after forking in the hope that the data is gone for good is mistaken: the researchers found that anyone can directly access the respective commit and retrieve the data. Here’s how it works.
This data exposure isn’t limited to deleted fork data, i.e., accessing a deleted fork’s data from the public upstream repo. If someone forks a user’s repo, and that user commits data to the repo after the fork and then deletes the entire repo without syncing, the data still remains accessible.
In either case, all a user needs to retrieve the deleted data is the commit ID. Below is a demonstration of how a user can access deleted repos.
Testing these scenarios even exposed to the researcher a private key for an organization employee’s GitHub account from a deleted repository. Explaining this behavior, the researchers stated:
The implication here is that any code committed to a public repository may be accessible forever as long as there is at least one fork of that repository.
Likewise, an upstream public repository also exposes the data from a private fork. This is especially risky for organizations that share open-source tools via public repositories while maintaining internal private forks. The following video demonstrates this scenario.
Truffle Security named this phenomenon Cross Fork Object Reference (CFOR) because it allows direct access to commit data from other deleted or private forks, analogous to an Insecure Direct Object Reference (IDOR) flaw.
GitHub Is Transparent About The ‘Design Flaw’
Following this discovery, the researcher proceeded with a responsible disclosure to GitHub regarding this security issue. However, what appeared to be a flaw turned out to be a GitHub design feature. In fact, GitHub already documents this behavior in this guide.
Hence, since simply deleting data from GitHub won’t actually make it go away for good, users must remain vigilant when sharing sensitive data, such as private keys, in GitHub repos. In case of leaked private keys, the researchers recommend key rotation as a safety measure.
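As an added example (not from the original post, Truffle Security or GitHub), here is a defender-side check for the scenario demonstrated above: given the upstream repository and a commit id believed to be deleted with its fork, it asks GitHub's commit endpoint whether the object is still served and whether its diff adds private-key material that must be rotated. The repository names and commit id in the offline demo are constructed placeholders; `fake_get` stands in for the real transport so the script runs without network access.

```python
import json
import re
import urllib.error
import urllib.request

# Added example, not Truffle Security's or GitHub's code. Real endpoint:
# GET /repos/{owner}/{repo}/commits/{sha}; demo owner/repo/sha are placeholders.
API = "https://api.github.com"
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")  # PEM key marker

def commit_url(owner, repo, sha):
    """Build the upstream commit URL; reject anything that is not a hex commit id."""
    if not re.fullmatch(r"[0-9a-f]{7,40}", sha):
        raise ValueError(f"not a commit id: {sha!r}")
    return f"{API}/repos/{owner}/{repo}/commits/{sha}"

def http_get(url):
    """Real transport: return (status, body). Unauthenticated calls are rate-limited."""
    req = urllib.request.Request(
        url, headers={"Accept": "application/vnd.github+json", "User-Agent": "cfor-check"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def check_commit(owner, repo, sha, get=http_get):
    """Is `sha` still served through owner/repo, and does its diff add a private key?
    A reachable key must be rotated; deleting the fork did not remove it."""
    status, body = get(commit_url(owner, repo, sha))
    if status in (404, 422):  # GitHub's replies when the object is not served
        return {"reachable": False, "private_key": False, "files": []}
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status} for {sha}")
    files = json.loads(body).get("files", [])  # 'patch' is absent for large/binary files
    leaked = [f["filename"] for f in files if PRIVATE_KEY_RE.search(f.get("patch", ""))]
    return {"reachable": True, "private_key": bool(leaked), "files": leaked}

# Offline demo: constructed API reply for a commit that was "deleted" with its fork
# but is still served by the upstream, and whose diff adds a PEM private key.
DELETED_SHA = "a" * 40
FAKE_BODY = json.dumps({"sha": DELETED_SHA, "files": [
    {"filename": "deploy_key", "patch": "+-----BEGIN RSA PRIVATE KEY-----\n+MIIE..."},
    {"filename": "README.md", "patch": "+docs only"}]})

def fake_get(url):
    return (200, FAKE_BODY) if url.endswith("/commits/" + DELETED_SHA) else (404, "{}")

if __name__ == "__main__":
    print(check_commit("example-org", "tool", DELETED_SHA, get=fake_get))
```

A `reachable: True` result for a commit you thought was gone is the signal to rotate the exposed credential rather than to attempt further deletion.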
Let us know your thoughts in the comments.