TL;DR: social hacks > exploits. Keep an eye on your repository and org permissions. Don't take sweets from strangers. (Thread)

Last night we got notified that git repos and content of an entire org got mutilated.

Of course we had to take the possibility of a security exploit into account and contacted the Gitea developer team immediately. For immediate mitigation, we closed new user registration temporarily.

A deep investigation of post-mortem database dumps and backup dumps revealed that users with valid permissions had given other users owner status, who then mutilated content and deleted the org; then someone created a username with the same name as the previous org, with misleading content, so that external links now pointed to the new content.

This implies the rogue user had gained access to the group not by exploit, but by social engineering.

Keep in mind: Team and repo owners can do *everything*. Including rewriting git history using force-push. And kicking out team mates.

So, please: Keep the number of owners limited, and be sure to trust each other. Use a git-flow that does as little as needed on the "hot" repos (and think twice about whether you need force-push always enabled. Force-pushed changes cannot be undone with git tools unless there are backups).

Use pull requests. Easy to review, easy to manage, and only the project maintainers/owners need full access to the repo to merge them.
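
An added example (not Codeberg's or Gitea's own code) of the kind of check the advice above calls for: it lists an org's owner-level team members through the Gitea API and flags drift against a recorded baseline, since an owner quietly granting owner status to someone else was the step this incident hinged on. The endpoints and the `permission == "owner"` team field are from the Gitea API; the org name, user logins and JSON responses are constructed.

```python
import json
import urllib.request
from typing import Callable, Dict, List

# Gitea API calls used (see the Gitea swagger docs):
#   GET /api/v1/orgs/{org}/teams    -> Team objects; permission == "owner" marks owner-level teams
#   GET /api/v1/teams/{id}/members  -> User objects with a "login" field
Fetcher = Callable[[str], list]

def make_http_fetch(base_url: str, token: str) -> Fetcher:
    """Fetcher for a live instance, authenticated with a Gitea access token (pagination omitted)."""
    def fetch(path: str) -> list:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": f"token {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch

def owner_logins(fetch: Fetcher, org: str) -> List[str]:
    """Sorted logins of every member of the org's owner-level teams."""
    owners = set()
    for team in fetch(f"/api/v1/orgs/{org}/teams"):
        if team.get("permission") == "owner":
            owners.update(u["login"] for u in fetch(f"/api/v1/teams/{team['id']}/members"))
    return sorted(owners)

def audit_owners(fetch: Fetcher, org: str, baseline: List[str], max_owners: int = 2) -> Dict:
    """Compare current owners with a recorded baseline; each finding deserves a human look."""
    current = owner_logins(fetch, org)
    findings = []
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    if added:
        findings.append("owner status granted since baseline: " + ", ".join(added))
    if removed:
        findings.append("owner removed since baseline: " + ", ".join(removed))
    if len(current) > max_owners:
        findings.append(f"{len(current)} owners exceeds the limit of {max_owners}")
    return {"org": org, "owners": current, "findings": findings}

# Constructed sample responses standing in for a live instance (hypothetical org and users).
SAMPLE_RESPONSES = {
    "/api/v1/orgs/example-org/teams": [{"id": 1, "name": "Owners", "permission": "owner"},
                                       {"id": 2, "name": "Developers", "permission": "write"}],
    "/api/v1/teams/1/members": [{"login": "alice"}, {"login": "bob"}, {"login": "mallory"}],
    "/api/v1/teams/2/members": [{"login": "carol"}],
}

def sample_fetch(path: str) -> list:
    return SAMPLE_RESPONSES[path]
```

Run `audit_owners(sample_fetch, "example-org", ["alice", "bob"])` and it reports mallory as a newly granted owner and three owners over the limit of two; on a live instance, swap in `make_http_fetch(...)` and run it on a schedule against a baseline you keep outside the forge.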

@codeberg Thanks for the transparent information! I'm glad it wasn't a software security issue...
