Google's Project Zero team (which hunts for security bugs) yesterday publicly disclosed a bug in GitHub that it rates “high severity”. GitHub had known about the problem since late July without fixing it and asked for more time; the answer was short and blunt.
“There is no way to extend the deadline further, as this is already the 104th day (90 days plus a 14-day extension) without a solution; the problem will be announced today.”
According to Felix Wilhelm, the GPZ engineer who reported the problem, the flaw is in a feature called workflow commands, which lets a step in a GitHub Actions workflow instruct the runner by printing specially formatted lines to its output: “This feature is extremely vulnerable to command injection and fundamentally insecure, since it would allow an attacker to execute code remotely on a vulnerable machine.”
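To make the injection class concrete, here is an added Python example (my illustration, not code from this article, from Project Zero or from GitHub) that models how the Actions runner turns step output into workflow commands and what `set-env` did before and after GitHub disabled it. Assumptions, labelled in the code as well: the runner only honours commands on lines beginning with `::` (so the constructed sample issue title embeds a newline), the property syntax is comma-separated `key=value` pairs, and the `NODE_OPTIONS` variable and `/tmp/payload.js` path are illustrative; the real runner's parser is more elaborate than this model.

```python
"""
Added example (not the page's, Project Zero's or GitHub's code): a simplified
model of how the GitHub Actions runner parses workflow commands from step
output, and why echoing untrusted text made `set-env` dangerous.

Assumptions: a command is honoured only when the line starts with "::",
properties are comma-separated key=value pairs, and NODE_OPTIONS plus the
/tmp/payload.js path are illustrative, not taken from the report.
"""
import re
from typing import Dict, List, Tuple

# ::command key=value,key2=value2::data   (the property list is optional)
_COMMAND_RE = re.compile(r"^::([A-Za-z][\w-]*)(?: ([^:]*))?::(.*)$")

Command = Tuple[str, Dict[str, str], str]


def parse_workflow_commands(step_output: str) -> List[Command]:
    """Return (name, properties, data) for every output line that is a command."""
    commands: List[Command] = []
    for line in step_output.splitlines():
        match = _COMMAND_RE.match(line)
        if not match:
            continue  # ordinary log line, ignored by the runner
        name, raw_props, data = match.group(1), match.group(2) or "", match.group(3)
        props: Dict[str, str] = {}
        for pair in raw_props.split(","):
            if "=" in pair:
                key, value = pair.split("=", 1)
                props[key.strip()] = value.strip()
        commands.append((name, props, data))
    return commands


def apply_commands(env: Dict[str, str], commands: List[Command],
                   honor_env_commands: bool) -> Dict[str, str]:
    """Apply parsed commands to the environment that *later* steps will see.

    honor_env_commands=True models the runner before the fix; False models the
    runner after GitHub disabled set-env and add-path.
    """
    new_env = dict(env)
    for name, props, data in commands:
        if name == "set-env" and honor_env_commands:
            new_env[props.get("name", "")] = data
        elif name == "add-path" and honor_env_commands:
            new_env["PATH"] = data + ":" + new_env.get("PATH", "")
        # ::warning::, ::error:: and similar commands only affect the log
    return new_env


def run_echo_step(untrusted_text: str, env: Dict[str, str],
                  honor_env_commands: bool) -> Dict[str, str]:
    """Model a step such as:  run: echo "Issue title: ${{ github.event.issue.title }}"

    Whatever the attacker put in the title lands in stdout, which the runner
    then scans for commands.
    """
    step_output = f"Issue title: {untrusted_text}\n"
    return apply_commands(env, parse_workflow_commands(step_output), honor_env_commands)


# Constructed sample input: an issue title carrying a newline so that the
# injected command sits at the start of its own output line.
MALICIOUS_TITLE = (
    "Fix crash on startup\n"
    "::set-env name=NODE_OPTIONS::--require /tmp/payload.js"
)


def demo() -> Dict[str, str]:
    """Compare the environment a later step inherits before and after the fix."""
    before_fix = run_echo_step(MALICIOUS_TITLE, {"PATH": "/usr/bin"}, True)
    after_fix = run_echo_step(MALICIOUS_TITLE, {"PATH": "/usr/bin"}, False)
    # Before the fix NODE_OPTIONS is set for every later step, so the next
    # `node` invocation (a build script, a test runner) loads /tmp/payload.js.
    return {"before_fix": before_fix.get("NODE_OPTIONS", ""),
            "after_fix": after_fix.get("NODE_OPTIONS", "")}


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the same malicious title yield a `NODE_OPTIONS` value before the fix and nothing after it. The lesson for workflow authors matches GitHub's advice to update workflows: do not echo untrusted event data into step output, and pass values to later steps through the replacement mechanism GitHub introduced (appending to the file named by `GITHUB_ENV`) rather than through `set-env`.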
One hundred days without a fix
GitHub is a popular source code hosting platform, owned by Microsoft and used by developers and companies around the world, which makes the bug all the more serious: “I analyzed GitHub repositories and, among the most popular, almost all projects with somewhat complex GitHub Actions are vulnerable to this class of bug.”
The platform was notified of the vulnerability on July 21 and, as is GPZ's standard practice, given 90 days (until October 18) to fix the problem, after which the flaw is disclosed. GitHub then deactivated the vulnerable commands and sent an alert to users, rating the bug “moderate” severity and recommending that workflows be updated.
Two days before the deadline, GPZ gave GitHub another 14 days to disable all the commands; last Sunday (November 1), the platform asked for two more days to “notify customers about the problem and set a deadline for correction”. GPZ refused and published the flaw.