January 18, 2023
Trend Micro discovered that attackers could take advantage of GitHub Codespaces, a new service that allows developers to create and test applications inside development containers hosted on GitHub’s servers.
It implies that threat actors are taking advantage of a legitimate feature in GitHub Codespaces to deliver malware to victim systems. Developers can normally make their applications available for others to preview via public GitHub URLs, a feature that can be abused to distribute malware payloads invisibly.
“If the application port is shared privately, browser cookies are used and required for authentication,” researchers from security firm Trend Micro said. “However, if ports are shared with the public (that is, without authentication or authentication context), attackers can abuse this feature to host malicious content such as scripts and malware samples.”
This GitHub feature allows developers more flexibility in code demonstrations, but according to Trend Micro, attackers can easily exploit it today to host malware on the platform.
The researchers show how GitHub Codespaces can be smoothly designed to act as a web server for spreading malicious content while possibly evading capture due to Microsoft traffic. Developers can use GitHub Codespaces to forward TCP ports to the public, allowing external users to test or view their applications.
When transmitting ports in a Codespace VM, the GitHub feature generates a URL to access the app running on that port, which can be set to private or public. To access the URL, a private port forward requires authentication in the form of a token or cookies. A public port, on the other hand, is open to anyone who knows the URL and does not require authentication.
The generated URL can then be used to access the hosted files, which could be used for phishing campaigns or to host malicious executables downloaded by other malware.
The sources for this piece include an article in TheHackerNews.
