18

This might be a basic question, but I’ve been wondering: what happens if the GitHub account of a well-known open-source project is compromised? Could malicious code be added, or an unauthorized update be pushed to the software?

Are there any security measures or best practices in place to prevent such incidents? How do open-source projects typically ensure the integrity and security of their repositories?

I’m a big fan of open-source software and deeply respect the developers who dedicate their time to improving it. My question comes from a place of concern for the security of these valuable projects.

Improve this question

2 Answers 2

Reset to default
45

The problem is not particular to GitHub. It's not even particular to the issue of compromised credentials. Recently, we've had the xz backdoor, where a malicious entity slowly wormed themselves into a position of privilege in a project and inserted malicious code. We've had typosquatting and the use of names that sound very much like real, non-malicious modules used to publish malicious python code via standard repositories. We've had any number of thumping vulnerabilities introduced in major pieces of code by completely-authorised developers, without any malfeasance required at all.

The problem isn't limited to free software, either; the SolarWinds exploit used compromised credentials to insert malicious code into an entirely-proprietary software package. In the proprietary world also, fully-authorised developers are capable of doing it to themselves by accident; the CrowdStrike outage of 2024 involved no compromise, but still resulted in "the largest outage in the history of information technology".

So the problem is very real, but it's not specific to free software, it's not specific to compromised credentials, and it's definitely not specific to GitHub. It's not a simple problem, and it doesn't have a single, simple solution. It is, instead, an ongoing battle, in which many weapons may be deployed. These include, but are not limited to, constant vigilance, distribution of privilege, the increased use of schemes that allow one person to verify the correctness of another's work (checksums, digital signatures, reproducible builds), the slow decline of simple username/password authentication in favour of 2FA schemes, the massive increase in SSL deployment spearheaded by Let's Encrypt, and increased awareness of the importance of industrial support for fundamental free-software projects. All of these, and more, have their place in helping us all stay safe.

Edit: I also want to make the point that although the free-software development model may appear more vulnerable to malice (and I'm not sure I accept that that's anything more than an appearance, see above) I think it also really helps deal with things when they go wrong. The xz backdoor didn't make it onto any production systems, which I attribute to two principal characteristics of free software. Firstly, the distribution of labour between code authors, code packagers, and distributors; unlike with CrowdStrike, there's no one person or body whose approval can flush code from the dev systems to the desktops. The malicious code in xz took time to flow through the pipeline, which (fortunately for us all) enabled someone to catch it. Secondly, the availability of source enables anyone with clue to investigate. Andres Freund noticed anomalies in liblzma, and immediately had at his fingertips all the information he needed to dig down into the issue. He didn't have to ask some company's permission to access source under NDA, or worse, call some security hotline, tell them his concerns, and hope they'd be looked into sometime this century.

Improve this answer
3
  • 10
    +1, when I read the OP's question I immediately thought of xz as well. It "nicely" (if you can call it that) demonstrates both the fears underlying the OP's question, but also the fact that those fears are totally unrelated to GitHub or even open source. Heck, the core of this attack wasn't even related to technology at all, this was a multi-year campaign of psychological manipulation targeting an overworked, burnt out maintainer suffering from mental fatigue and depression. Commented Jan 26 at 16:43
  • @MadHatter Thank you for your response. The xz backdoor incident is what prompted my question. You’ve explained the situation and current measures well. With tools like Notepad++, which are widely trusted and developer-friendly, we often update without a second thought. However, after reading about the xz backdoor, I’ve realized the importance of staying vigilant and doing a quick search to check for any known issues before updating. Commented Jan 27 at 16:45
  • Comments have been moved to chat; please do not continue the discussion here. Before posting a comment below this one, please review the purposes of comments. Comments that do not request clarification or suggest improvements usually belong as an answer, on Open Source Meta, or in Open Source Chat. Comments continuing discussion may be removed. Commented Jan 28 at 2:03
4

While the MadHatter has given a comprehensive answer, there is a specific feature of git that allows a measure of security even if someone has received unauthorized write access to the repository: commit signing.

This way, all commits in the git repository show cryptographic proof who authored them (as setting the author and committer to someone else is trivial otherwise).
(as mentioned below, keep in mind that this is only another layer of security, as GPG keys can also be stolen and the passphrase e.g. guessed or keylogged)

Gitlab even has a handy UI feature, which notifies you if the commit was signed, e.g. commit verified

Improve this answer
6
  • 4
    This is not quite proof of who authored the commit: it is proof that whoever authored the commit had access to the private key associated with the account, which they could have if they've obtained access to the account holder's machine, or the account holder was otherwise careless with their private key. Commented Jan 28 at 15:24
  • @PhilipKendall: exactly, it's a second layer of security, in addition to the git repo security. Should this answer be amended, or is it ok as-is ? Commented Jan 28 at 15:40
  • 5
    I personally think it's worth being precise about the distinction between "person X did this" and "someone with access to person X's private key did this". I also appreciate that is a layer of subtlety further than "what happens if a Github account is compromised", but (as MadHatter's answer points out) the threat that should be being considered here isn't limited to Github account compromise. tl;dr: it's up to you, it's your answer :) Commented Jan 28 at 16:11
  • 3
    The ‘verified’ tag on GitHub does not do exactly what you think it does. It does indeed show up for signed commits. But it also shows up on commits you make through the GitHub web UI, which means that ‘verified’ commits can still come from a compromised GitHub account. Commented Jan 28 at 17:18
  • @AustinHemmelgarn: that's some unexpected UI, thanks Commented Jan 29 at 7:49

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.