The $2500 bug: Remote Code Execution via Supply Chain Attack
Summary
On the HackerOne platform, ethical hacker Naveen MKT has detailed a critical RCE vulnerability, reached via a supply chain attack, in a private programme whose name is redacted.
The issue was caused by multiple repositories instructing users to clone dependencies from a GitHub account that had been abandoned; MKT was able to claim the account name and upload malicious code to it.
That code was then executed during the build and deployment process, giving remote code execution on the victim’s machine.
MKT identified the same vulnerability in a separate repository, where it led to the collection of sensitive data, including the username, operating system details, current working directory and IP address.
Although MKT demonstrated the issue for two projects, it affected multiple projects across different organisations using the compromised GitHub account.
The vulnerability was reported to the organisation, awarded a $2,500 bounty, and resolved after ownership of the GitHub account was transferred back.
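The weak link in the report above is a dependency fetched by GitHub owner name, so that whoever holds the name controls the code. As an added defensive example (not from the report or the affected projects), the script below scans dependency manifests and install instructions for GitHub references and flags two conditions: the owner account no longer exists (the name can be re-registered), and the reference is not pinned to a full commit SHA (a re-registered owner can serve arbitrary code under the same branch or tag, whereas an exact SHA only resolves to the original content). The sample manifest, the owner names and the `KNOWN_OWNERS` set standing in for a GitHub API lookup are all constructed.

```python
import re
from typing import Callable, List, Optional, Tuple

# GitHub references as written in requirements.txt (pip), package.json
# ("github:owner/repo"), go.mod or a plain "git clone" line in a README.
GITHUB_REF = re.compile(
    r"github(?:\.com)?[/:](?P<owner>[A-Za-z0-9-]+)/(?P<repo>[A-Za-z0-9_.-]+?)"
    r"(?:\.git)?(?:@(?P<rev>[A-Za-z0-9_./-]+))?(?=[\s\"'#]|$)"
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: two references to an owner whose account is gone,
# one properly pinned reference to an owner that still exists.
SAMPLE = """\
# requirements.txt (constructed sample)
git+https://github.com/abandoned-user/widget.git@main#egg=widget
git+https://github.com/active-org/core.git@1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
# README install step
git clone https://github.com/abandoned-user/helper-scripts.git
"""
KNOWN_OWNERS = {"active-org"}  # constructed stand-in for a live GitHub lookup


def find_github_deps(manifest: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (owner, repo, rev) for every GitHub reference in the manifest."""
    return [(m["owner"], m["repo"], m["rev"]) for m in GITHUB_REF.finditer(manifest)]


def audit(manifest: str, owner_exists: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Flag dependencies whose owner account is gone (name can be claimed) and
    dependencies not pinned to a full commit SHA (content can silently change)."""
    findings = []
    for owner, repo, rev in find_github_deps(manifest):
        ref = f"{owner}/{repo}"
        if not owner_exists(owner):
            findings.append((ref, "owner account does not exist; name can be claimed"))
        if rev is None or not FULL_SHA.match(rev):
            findings.append((ref, "not pinned to a full commit SHA"))
    return findings


if __name__ == "__main__":
    for ref, problem in audit(SAMPLE, lambda owner: owner in KNOWN_OWNERS):
        print(f"{ref}: {problem}")
```

Replace the `owner_exists` callable with a real lookup (for example an HTTP request to the GitHub users API) to run it against a live account list; an existing owner is not by itself proof of safety, which is why the SHA check runs regardless.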