Content Injection Attack on GitHub

fscaramuzza 1 year ago |

GH just fixed it, but there's a snapshot from few hours ago: https://web.archive.org/web/20240608060046/https://github.co...

pheatherlite 1 year ago | |

That's an impressive turnaround.

tyzoid 1 year ago | |

It's still working for me on the live site

noman-land 1 year ago | |

Brilliant

wokwokwok 1 year ago |

You can see in the commit log from on https://github.com/younesbram/younesbram/commit/4282312e4ec3... where the first PoC commit is pushed up.

The thing I find interesting is that this wasn't a random discovered; like, you look at the first commit in the sequence and you'll see.

> \ce{$\unicode[goombafont; color:red; pointer-events: none; ...

ie. This isn't some random chance discovery.

This is someone looking to use a specific exploit with the ```math tag, already certain that there's some way of doing it.

How strange.

rawling 1 year ago | |

This isn't the source of it. I came across this on Twitter last night and traced it back a bit to try to share "the original" with my colleagues. The earliest I found was https://x.com/cloud11665/status/1799136093071163396 which I think is slightly earlier than the second commit on this repo.

jraph 1 year ago | |

I don't think you can really trust commit history to deduce this:

- the history can be rewritten, with push --force. The author might have iterated by force pushing one commit

- The author could have discovered it by change in a private repository, or another repository that they deleted

wokwokwok 1 year ago | | |

Honestly, I doubt the author is playing the “deep game” of looking like they’re just messing around while secretly being a secret agent and (for some fathomless reason) making it look like it with an artificial git history.

So in general, yes, but in this case, I doubt it. I’m pretty sure this git history is a real and true log of them dicking about trying to get the exploit they saw on twitter working.

…but, I guess, you could be right. /shrug

jraph 1 year ago | | |

I do occasionally force push myself, mostly for making my history look clean, not really secretly hiding stuff.

And if I had to tweak / study a GitHub exploit, I would definitely force push to try stuff without leaving a trail for meaningless commits.

It actually didn't occur to me that the author would do this for messing around, but it could be indeed. :-)

mesmertech 1 year ago | |

that was the first iteration of CSS injection that was working, that github then patched. The new one is the new iteration that still works

it was found by a bunch of anime-pfps on twitter and went "viral"

DaiPlusPlus 1 year ago | | |

> it was found by a bunch of anime-pfps on twitter

I think you mean “infosec professional”

pindab0ter 1 year ago | | |

What does one's pfp matter, if what they found holds water?

dag11 1 year ago | | |

In this case it adds to their credentials

sshine 1 year ago | | |

What’s a pfp?

codetrotter 1 year ago | | |

Profile picture

pandaxtc 1 year ago |

I think the \unicode CSS injection used here was reported to the MathJax library a few months ago - https://github.com/mathjax/MathJax/issues/3129

dayjaby 1 year ago |

Explanation for this with a better link: https://news.ycombinator.com/item?id=40615804

sva_ 1 year ago | |

That goes right onto my 'convoluted explanations that make things more complicated than they really are' stack.

epr 1 year ago | | |

Feynman's Razor

alexvitkov 1 year ago | | |

To understand monads, imagine you're in the middle of an infinite ocean. The ocean represents possibilities, and each wave represents a choice. Monads are invisible fish that you can't see but guide your boat. You don't know where you're going, and the fish don't either. Sometimes, they lead you to islands of coconuts, but other times they take you to whirlpools. You have a magical net that catches these fish, but the net has holes, so not all fish stay. Monads are these fish that might or might not help you navigate the infinite ocean, depending on whether they feel like it.

SebFender 1 year ago | |

ok that lego thing is far out... not that great but I guess it helps people understand - lol

op00to 1 year ago | | |

It did not help me. A Lego castle with … a secret magical tunnel? Just explain things, no need to besmirch Lego in this case.

rvnx 1 year ago |

Source-code: https://raw.githubusercontent.com/younesbram/younesbram/main...

(Injection in LaTeX math tags)

tempodox 1 year ago |

I don't get this. It shows some mangled text that looks like defaced CSS, accompanied by the error message “Extra open brace or missing close brace”. How is this content injection?

But the rescue murloc is cute.

arshxyz 1 year ago | |

They fixed the issue but for a beautiful moment in time, it looked like this: https://archive.is/LPC5O

sizzle 1 year ago | | |

Looks like my old MySpace

rvnx 1 year ago | |

GitHub just fixed the issue right now, the markdown you can see was injecting new background to the page, floating GIFs everywhere, etc.

moritzwarhier 1 year ago |

Saw this last night (in Europe), was posted with a different image

https://news.ycombinator.com/item?id=40614571

but that one of course stopped working too

working snapshot (mildly nsfw):

https://web.archive.org/web/20240607215223/https://github.co...

there's another one from 2 hours earlier but that misses the cool rotating cube.

_lvbh 1 year ago |

Does this still work? Opened in Safari and don’t see anything out of place

rawling 1 year ago | |

Gone for me now in Android Chrome.

I get this in what looks like an error box

> Extra open brace or missing close brace

lawgimenez 1 year ago | | |

Not anymore on Firefox.

a1o 1 year ago | |

You need to look into the webarchive linked above as it was fixed already

mmsc 1 year ago |

Other than I love Samy, are many real-world examples of XSS being exploited for massive takeover of some service? I can't say I remember any news of a "website/service totally taken over due to XSS."

rebane2001 1 year ago | |

Powerful XSS vulnerabilities are found all the time, but they usually doesn't break the news because they aren't wormed. Samy was a worm, spreading from user to user exponentially, hence it being a very loud attack with news about it.

shakna 1 year ago | |

XSS tends to be the first step in a chain of exploits. There are examples of using it for account takeovers, but XSS being the first step, usually means it doesn't get called out directly. The particular chain sequence gets a name, and that is what gets put out in media responses.

mmsc 1 year ago | | |

Yes, finding some PoC for account takeover or something that involves XSS is cool and whatnot, but I'm asking whether these theoretical chain of exploits have ever actually been documented as being exploited to a significant degree.

kevindamm 1 year ago | | |

You have to look a little further back into mid-2000s to see larger impact XSS attacks, but each FAANG has had to recover from them. I'm on mobile right now but I'll look for some examples later.

What most companies realize early on is that you can't guarantee you'll prevent an XSS from slipping through. But, having a good template engine that sanitizes all strings automatically is good enough preventative measure, and putting all user-submitted content on a different subdomain or domain (like usercontent[dot]company[dot]com) with browser same-origin policy and perhaps CORS rules, will be enough to keep the impact contained. From there, just about everything else can be categorized as user error.

thomas34298 1 year ago | | |

I'd say a strict Content Security Policy (at least script-src 'self' WITHOUT unsafe directives) is even more important to keep the impact contained, so you'd have to put your scripts into separate files - as opposed to using inline scripts. It obviously won't help against "HTML injection" in general, but will shield your users from malicious scripts as long as you make sure that an attacker can't just upload scripts on the permitted origin(s).

thomas34298 1 year ago | | |

Here is an example: https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-s...

That is what happens if you are the WP admin and think that you don't need to update your plugins because "it's just XSS, nothing major".

syntheticcorp 1 year ago | |

It’s pretty infrequent outside of target attacks. Most recent is probably the roundcube XSS CVE-2023-43770 that was actively exploited as 0day by a threat actor last year.

LASR 1 year ago |

So this opened in my GitHub iOS app at first and I was confused.

whamlastxmas 1 year ago |

Shame that either GitHub doesn’t have a bug bounty, or their program isn’t good enough to entice people to use it

richbell 1 year ago | |

https://hackerone.com/github

$600 for a low seems pretty good to me.

noname120 1 year ago | |

Neither is correct.

janmo 1 year ago |

Funny at first, but this could have been exploited maliciously by let's displaying a message telling the user he has been disconnected and redirecting him to a phishing page.

_flux 1 year ago | |

If this was purely a CSS injection—as I understand it was—then I don't think it would be possible to redirect on any technical level the user anywhere (e.g. by providing a link).

But telling user to do something would still be on the table.

rwalle 1 year ago | |

That's the point, isn't it?

1023bytes 1 year ago |

Looks like this has been patched

dvh 1 year ago |

Well done