Knowledge

Forking a GitHub repository may expose your code flaws to others

Take action: Not a terrible bug, but it is good to be aware of it. As a stopgap, make it a practice to add a SECURITY.md (and the other community health files) to each of your GitHub repositories, so that none of them inherits a default policy, and review any default SECURITY.md your account provides to make sure its reporting link points at a channel you control.


Learn More

A recently disclosed weakness in how GitHub handles security policies could route vulnerability reports about a repository to someone other than its owner.

The issue was identified by Justin Cappos, a professor at New York University, who found that the everyday act of forking a repository (for example, to fix code or other mistakes) could inadvertently send security reports for the forker's own projects away from them. It involves GitHub repositories that contain a SECURITY.md file, the security policy that tells users how to report vulnerabilities they discover.

Cappos found that when someone forks a repository that includes a SECURITY.md, the forked file can become the security policy shown for all of that person's repositories. The file is not literally copied into each of them: GitHub's default community health files mechanism displays the SECURITY.md from an account's `.github` repository on every repository of that account that has no SECURITY.md of its own, so a fork that becomes the account's `.github` repository supplies the default for all of them. If that SECURITY.md links to a reporting system controlled by a malicious party, any vulnerability reported against the user's repositories goes to the attacker, who learns about the weakness while the actual repository owner is never told.

It is not clear whether the issue affects only public repositories or private ones as well.

The exploit chain requires several things to line up:

  • a malicious actor creates a popular repository carrying a malicious SECURITY.md, or takes over the SECURITY.md of an existing popular repository;
  • users fork that repository;
  • those users have no SECURITY.md of their own in their other repositories, so the forked policy is applied to all of them as the default;
  • one of those other repositories has a vulnerability that someone reports by following the displayed policy, and the report lands with the attacker.

GitHub has acknowledged the issue but rated it a low security risk, presumably because exploitation requires this specific chain of events and the likelihood is considered low. GitHub is looking into ways to make the handling of security policies clearer and, in the meantime, has pointed to its instructions on setting up community health files properly.
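To check your own account against this chain, the following Python script, added here as an example and not taken from the article or from GitHub, models the fallback described above: for each repository it resolves which SECURITY.md GitHub would display (the repository's own, or the default from the account's `.github` repository) and flags any reporting destination whose domain you do not control, as well as repositories that display no policy at all. The account name, repository names, domains and file contents are constructed sample data.

```python
"""Audit which SECURITY.md each repository of an account actually displays,
and flag reporting destinations outside the domains you control."""
import re
from urllib.parse import urlparse

# Where GitHub looks inside a repository for that repository's own policy.
POLICY_PATHS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")

URL_RE = re.compile(r"https?://[^\s<>()\[\]]+")
MAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def effective_policy(repo, account_repos):
    """Return (source, text) for the policy GitHub displays for `repo`.

    `account_repos` maps repository name -> {path: file content} for one
    account. A repository's own SECURITY.md wins; otherwise GitHub falls back
    to the SECURITY.md at the root of the account's `.github` repository (the
    default community health files), which is the cascade a forked policy
    rides on. Returns (None, None) when neither exists.
    """
    files = account_repos.get(repo, {})
    for path in POLICY_PATHS:
        if path in files:
            return f"{repo}/{path}", files[path]
    default = account_repos.get(".github", {})
    if "SECURITY.md" in default:
        return ".github/SECURITY.md", default["SECURITY.md"]
    return None, None


def reporting_destinations(text):
    """Extract (host, path) for every URL and (domain, None) for every
    e-mail address that a reporter is told to use."""
    dests = set()
    for url in URL_RE.findall(text):
        parsed = urlparse(url.rstrip(".,;"))  # drop trailing punctuation
        if parsed.hostname:
            dests.add((parsed.hostname.lower(), parsed.path))
    for addr in MAIL_RE.findall(text):
        dests.add((addr.rsplit("@", 1)[1].lower(), None))
    return dests


def _trusted(owner, host, path, trusted_domains):
    """A destination is trusted if its domain is one you control, or if it is
    a github.com URL under your own account (e.g. private vulnerability
    reporting for owner/repo). A github.com link to someone else's repository
    is exactly what an attacker's policy would contain, so it is not trusted."""
    if host == "github.com":
        return path is not None and path.startswith(f"/{owner}/")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def audit_account(owner, account_repos, trusted_domains):
    """Resolve the displayed policy for every repository of `owner` and return
    a list of (repo, issue, detail) findings, in repository order."""
    findings = []
    for repo in sorted(account_repos):
        if repo == ".github":
            continue  # audited through the repositories that inherit it
        source, text = effective_policy(repo, account_repos)
        if text is None:
            findings.append((repo, "no security policy displayed", None))
            continue
        for host, path in sorted(reporting_destinations(text),
                                 key=lambda d: (d[0], d[1] or "")):
            if not _trusted(owner, host, path, trusted_domains):
                findings.append(
                    (repo, f"untrusted reporting destination in {source}", host))
    return findings


# Constructed sample account; names, domains and file contents are hypothetical.
OWNER = "example-dev"
TRUSTED_DOMAINS = {"example-dev.org"}
SAMPLE_REPOS = {
    # A `.github` repository forked from a third party: its policy points at a
    # reporting form the account owner does not control.
    ".github": {
        "SECURITY.md": "# Security Policy\n\nPlease report vulnerabilities via "
                       "https://security.example.net/report.\n",
    },
    # Has its own policy, so the default above is never shown for it.
    "widget": {
        "SECURITY.md": "Report issues to security@example-dev.org or open a "
                       "draft advisory at "
                       "https://github.com/example-dev/widget/security/advisories/new\n",
    },
    # No policy of their own: GitHub displays the forked default for these.
    "gadget": {"README.md": "# gadget\n"},
    "legacy": {},
}

if __name__ == "__main__":
    for repo, issue, detail in audit_account(OWNER, SAMPLE_REPOS, TRUSTED_DOMAINS):
        print(f"{repo}: {issue}" + (f" -> {detail}" if detail else ""))
```

In practice the `account_repos` map would be filled by fetching each repository's SECURITY.md (and the root SECURITY.md of your `.github` repository) through the GitHub API; the audit logic itself is unchanged. The point of the `.github` special case is that a policy you never wrote can be the one reporters see on repositories that have none of their own, so the check must be run against the policy GitHub displays, not only against files that exist in each repository.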
