How To Access Private and Deleted Github Repositories Data

  • Published 6 Sep 2024
  • In this video I discuss a GitHub attack vector that can let anyone access data from deleted or private Github Repos.
    Read the blog post about this Cross Fork Object Reference bug on truffle security
    trufflesecurit...
    My merch is available at
    based.win/
    Subscribe to me on Odysee.com
    odysee.com/@Al...
    ₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿

Comments • 288

  • @t0m0b0nes, months ago, +493

    The title seems to be a bit overexaggerated, it is not ANY private/deleted repo but it must be a private/deleted fork of a still existing public repo

    • @davidt01, months ago, +21

      looks like it's been changed

    • @t0m0b0nes, months ago, +12

      Wow, this was fast! 👍👍

    • @xl0xl0xl0, months ago, +46

      It's complete clickbait. You can't make a private fork of a public repo for that very reason. So the issue is, you made a public fork of a public repo, made a bad commit that you now can't completely purge from the data shared between repos. Well, whose fault is that?

    • @davidt01, months ago, +14

      @@xl0xl0xl0 Yes exactly. But another caveat is if you originally have the repo private, then make it public, any internal forks of the repo before it was made public are still accessible publicly. But that's really no different than accessing the commit history, since that's just how git works. Also, even if you never sync your fork with the upstream, the commits of the fork are still accessible from the root (but again, that should kind of be expected when you think about it).

    • @xl0xl0xl0, months ago

      @@davidt01 are you sure? I don't think you can make a repo private if it has public forks. Edit: read it the other way around.

  • @davidt01, months ago, +106

    Basically, forks are not clones. Forks are like some kind of top-level branches above each repo branch.

    • @MsSoldadoRaso, months ago, +1

      So, if the original repo is modified then my forked repo will also be modified?

    • @federicogalvagni2332, months ago

      @@MsSoldadoRaso no, it's like a copy of the original repo.

    • @roelant8069, months ago, +7

      @@MsSoldadoRaso No, just like a commit is not automatically applied to every branch. You can merge any updates to the original repo into the forked repo though

  • @gwky, months ago, +271

    Microsoft be like “we brought recall to GitHub to enhance the user experience” or some variation of Julian Smith’s “I made this for you!”

    • @Jinnyfir, months ago, +5

      Give him the Malk, Josh

    • @joshuan., months ago, +4

      @@Jinnyfir, inside voices please

    • @Jinnyfir, months ago, +3

      @@joshuan. Sorry, dad... my white friends ...

  • @James2210, months ago, +139

    This is just Git. If you push your API key to a repository, it's on the Internet forever.

    • @Kermit2k, months ago, +35

      Doesn't generate the same outrage bait if you don't mention Microsoft.

    • @toooes, months ago, +12

      I cast force push delete commit

    • @krtirtho, months ago, +6

      @@Kermit2k This is just Microsoft® Git. If you push your API key to a repository, it's on the Internet forever.

    • @averagejoey2000, months ago, +1

      @@toooes even that is just a commit reversing that commit. I'm not even sure if stuff like filter-repo gets the kill for real

    • @CurryHow, months ago, +5

      Wrong. BFG cleaner will do the job. This is a problem with forking, a GitHub feature, not a Git feature.

  • @rch5395, months ago, +126

    I use arch btw.

    • @Spluub, months ago, +26

      femboy

    • @Skelterbane69, months ago, +8

      I use artix, btw.

    • @kvykimo, months ago

      @@Skelterbane69 runit?

    • @tetonis2452, months ago

      @@Skelterbane69 you must think you are so much better huh? well I got news for you. you are a flippin nerd!

    • @phrogtesem9410, months ago, +4

      I use mint, btw

  • @soullessginger3187, months ago, +97

    Hacked the algorithm

  • @leofun01, months ago, +81

    It's not a bug. It's normal behavior, as expected. All hashes are public, even if your repo is private.

    • @xl0xl0xl0, months ago, +31

      It's not, a private repo is private, but data is shared between forks - for that reason you can't make a private fork of a public repo and vice versa.

    • @SourceHades, months ago

      @@xl0xl0xl0 is right, commits are not public but their hashes are the same across repos

    • @penguin1714, months ago, +3

      I mean they could make it to where if your repo is private and then you fork it, you lose commit history. That would kinda make the fork kinda useless but whatever

    • @benargee, months ago

      @@xl0xl0xl0 serious software companies should be self hosting their repos.

    • @marcelplch8725, months ago

      @@penguin1714 Never ever tamper with git history that has already been shown publicly.
      Even if it seems to have benefits, you will cause fire and flames among anyone using that code.

  • @flleeppyy9959, months ago, +108

    thats.. just how git works...

    • @Name-gi8dr, months ago

      No, that's how GitHub works.
      Git works like this because it's not designed for this. And GitHub is too lazy to fix it

    • @Contractor48, months ago, +11

      You mean GitHub. Git is more of an open source version control tool.

    • @ishid_anfarded_king, months ago, +29

      @@Contractor48 nah this is how git works

    • @jp46614, months ago, +29

      Ngl he started yapping so I zoned out a few minutes in, but from what I've heard this isn't a bug. Every SE that's ever used Git would tell you that's basically what Git is all about.
      Not sure why he mentions API keys at all, pushing API keys to Git/GitHub is bad practice and is only done by incompetent companies/developers, so this is not a concern at all.

    • @davidt01, months ago

      @@jp46614 Because that's what the original article mentions. It's actually pretty common for people to fork a repo and then add their own secrets. But the scary part is deleting the fork doesn't delete the commits in that fork. Yes, it's not a bug, it's just how git and Github works, but a lot of people aren't aware of this.

  • @papakamirneron2514, months ago, +39

    Quite a few bots in this comment section, why though? Doesn’t sound like any Mental Outlaw viewer would fall for them and I haven’t seen them around previously…😊

    • @xxXXuser69420XXxx, months ago, +20

      well, It's literally bots, they post in a blink, not like commenting takes them some time or anything
      also you'd be surprised by MOs reach, plenty of less tech-literate people from 3rd world countries watch his videos where applicable

    • @syriuszb8611, months ago

      I don't think they are researching a ton before they unleash the bots. They probably automatically target videos on topic they choose with enough number of views.
      Also, anyone who thinks he would never fall for X, opens himself to fall for X.

    • @nicomoron001, months ago, +9

      @@xxXXuser69420XXxx yeah I am from a 3rd world country and I am here to BECOME tech-literate

    • @froggin-zp4nr, months ago, +2

      You're mistaking low effort comments for AI. Easy mistake to make.

    • @nbdynothing, months ago

      @@xxXXuser69420XXxx pretentious i see

  • @MithicSpirit, months ago, +18

    Isn't this well-known? I thought everyone knew that forks had the same visibility as the parent repo.

    • @davidt01, months ago, +4

      I guess it's surprising to people that deleting the fork doesn't delete the commits. But really, it's no different than branches I guess.

    • @TheRobbix1206, months ago, +3

      It was for me a known fact since a guy made some shady commit in a fork of the linux source tree and committed it in his repo in Linus Torvalds' name, as such by using the same URL trick you could think that Linus made a commit implementing a backdoor.
      That's even why they added the warning about the commit not being from the repository.

    • @Kermit2k, months ago, +8

      @@davidt01 but that's the whole reasoning behind git to keep a history of everything. The video could be as simple as if you leak your private keys the only solution is to change your keys. End of video. But that doesn't generate the same level of engagement.

    • @davidt01, months ago, +2

      @@Kermit2k Right, but it was surprising to most people because they thought their forks were like clones, and that deleting would remove the data.

    • @rnts08, months ago, +1

      Consider how many Javascript "devs" out in the world use github, do you think they know how git works? Heck most devs don't even know how git works. No one should be surprised that your stuff is going to be leaked if it's on the internet. The cloud and all SaaS is just someone else's computer.

  • @piked86, months ago, +138

    So does that mean I can get into the yuzu repo?

    • @noahwaaga5079, months ago, +17

      Lol my exact thought before I opened the vid

    • @wayge, months ago, +35

      Yeah but you can also just fork one of the hundreds of forks and save yourself from the headache of finding commit hashes

    • @xxXXuser69420XXxx, months ago, +9

      isn't zuyu still online and continuing from where yuzu left off? (legit don't know, not a nintendo guy so I don't use those emus)

    • @Skelterbane69, months ago, +9

      I switched to ryujinx, for obvious reasons and it's actually way better, imo.
      Way more games that can be run and they also run much smoother.

    • @piked86, months ago, +6

      Calm down guys. I pulled it from the AUR after the court decision. It was there for a little while. It's not really hard to find if you look. I was making a joke.

  • @kingeling, months ago, +37

    Mentos Outlaw

  • @marsovac, months ago, +2

    Secrets are usually not commits in the repo (and never should be) but a setting on organization level.
    Devs using Github do not need access to the key but the name of the key that somebody set as secret in the organization to reference it in the build and integration process. And for their local use they can use another development only key, which if committed can be easily revoked.
    I understand that this feature loads the gun with which dumb devs can shoot themselves in the foot, but I don't think Microsoft is to blame if that happens.

  • @dandyddz, months ago, +8

    6:30 it doesn't work for private commits, right?

  • @blackpiller3777, months ago, +6

    If the repo was created as private and remains private, how will this "bug" occur?

  • @ardnys35, months ago, +7

    that's no github bug, it's about git and it's still not a bug. i don't know git internals well but there are a few things about commits.
    first, under no circumstances should anyone commit secrets like API keys or passwords. that's no different whatever source control you use, maybe except an internal one.
    i've read that once you push a commit to github it's not possible to delete it. you can delete commits but they will still be on github servers. or so i've read. (turns out that is false. check replies)
    think 5 times very carefully when you are working with git and secrets.

    • @sutirk, months ago, +1

      Github itself has a doc teaching how to erase secrets (rewriting commit history, modifying blobs and force pushing)
      If i remember correctly the last step is to contact GitHub and ask for a specific commit to be purged from their servers. I wonder if this would actually delete the commit/blob globally for all the forks, or only for the repo you specifically asked

    • @ardnys35, months ago, +1

      @@sutirk it seems they can't delete those from forks. from docs:
      If the commit that introduced the sensitive data exists in any forks, it will continue to be accessible there. You will need to coordinate with the owners of the forks, asking them to remove the sensitive data or delete the fork entirely.

  • @trailblazingfive, months ago, +47

    Nobody pushes anything of value to github anymore since they used all that code to train copilot

    • @xxXXuser69420XXxx, months ago, +18

      bruh as if anyone cared, maybe organizations but every single dev is still on gh with the schizos on gitlab

    • @trailblazingfive, months ago, +10

      @@xxXXuser69420XXxx plz pull something new, try to build it, fingers crossed that it works. There has been a new phenomenon where ppl publish coding books with code partially generated by LLMs which doesn't work. IMO the snake started eating its own tail.

    • @trailblazingfive, months ago

      @@xxXXuser69420XXxx as for orgs, everyone has a private repo behind a VPN and an admin that locks ppl out once they are out of the project

    • @BoDiddlydodah, months ago, +1

      @@trailblazingfive so where are top devs pushing their work to now?

    • @xxXXuser69420XXxx, months ago

      @@trailblazingfive yep, when I noticed Gemini Pro replies were super long, I decided to "teach myself rust" by having it write a program/index for a book then writing the "academic level rust" book itself... a couple lessons in and a few programs after Hello World, the code was completely useless.
      Same thing when I tried to learn Gradio, it kept writing 150 lines for a shared password protected hello world, I then read Gradio's docs and getting a shared, protected helloworld gradio app was literally like 4 lines of code lol

  • @DankoStojanovic, months ago, +3

    If you commit any sensitive data like keys you should create new ones and make sure existing ones no longer work. That is just industry best practice. Is this "never delete" policy good? Maybe not, but you still have a way to protect yourself from this particular issue.

  • @louieestonanto6045, months ago, +5

    I think this really actually is by design not just for gh.. I once tried uploading all my backups of videos on facebook on a burner account so I can watch them anytime, including some of the anime I wanted to watch just to see what would happen. Though the anime would be taken down eventually due to copyright, I made a copy of the autogenerated URLs beforehand on a spreadsheet (I also intended to share them with friends lol) and I found I could still watch them only on that burner account. I think big companies never really delete anything on their servers for any potential lawsuits they might encounter in the future, and so they just make it inaccessible but all the data is still there on their servers. However the content should not be accessible to just anyone with the hash. They need to patch that lol

  • @Freedom4Ever420, months ago, +2

    Copy and paste is such an advanced black hat hacking tool

    • @Jango1989, months ago

      Fr

    • @Sprinkles-r5y, months ago

      Till those pesky sites interfere with no right click features, really messes the nefarious vibe.

  • @unixmind, months ago, +2

    You can alternatively mirror your github repos on gitlab, codeberg, gitea, or even self-hosted instances. So you don't have to ditch all of the cool github CI/CD features

    • @Kermit2k, months ago, +1

      The same issue happens on other version control system products.

  • @xxXXuser69420XXxx, months ago, +3

    Oh boy something good finally, my YT has been in a drought this week

  • @jabrowski_, months ago, +3

    Mental ur the goat. Have a great weekend. Watched all the way through

  • @americanbagel, months ago, +1

    This is why I host my own gitea server for anything sensitive

  • @idontwantachannelimjustcom7745, months ago, +1

    Now, I need to scan data hoarder for a copy of banned github projects that have been recovered. I think there were a few youtube plug-ins in this category.

  • @anonanon6596, months ago, +2

    It might be just in my head but you sound more well articulated than usual in this video.

  • @SArthur221, months ago

    in git, where you are the only party who has access to your repo, this is indeed a feature and works as intended (until the commit gets gc'd), but on github, this is an issue.
    this is why i told my old company they will need to change their secret api key if they ever make the repo public, not just delete it,

  • @alzeebum, months ago

    If you're a developer who hasn't yet learned you don't check secrets into a source control repo, ANY source control repo, you deserve exactly what will inevitably happen to you.

  • @MrSongib, months ago, +2

    7:45 This should not be the standard for open source. It's already to open enough. It feels more jank now. XD

  • @Itchybol, months ago, +4

    I dont even know what is forked github whatever 🔥🔥🔥🔥🔥🔥

  • @jonb4333, months ago

    Huh, I thought I noticed this on enterprise a few months ago where I could see commits of deleted branches. I figured it’s just zombie commits hanging out server side, but the fact this is an issue with privacy and not considered a bug is worrisome.

  • @bashisobsolete.pythonismyn6321, months ago

    video Suggestion: a quick fossil tutorial that a child could follow. there really ought to be a guide that's simple, straightforward and fairly comprehensive. But I was shocked at the utter lack of such media. if you made a good 3 part series from zero to hero, that would probably become the #1 fossil resource in the anglosphere. no exaggeration.

  • @MiSt3300, months ago, +33

    Greetings to all the devs out there from 🇵🇱 Poland, a chad EU 🇪🇺 member country!

    • @pedrogorilla483, months ago, +11

      Too poor

    • @trinketos, months ago, +11

      nice joke bro.

    • @MelodyIV, months ago, +3

      💀💀💀💀💀💀💀💀💀💀💀💀💀

    • @smallcube-zn2mm, months ago, +9

      Me enjoying real tech freedom from Bangladesh because of having no established digital laws at all

    • @exzld, months ago, +12

      Keep that border near Belarus secure. Keep em out

  • @josueramirez7247, months ago

    It’s an attack vector, but apparently this behavior is described in GitHub’s documentation: Pull requests / Collaborate with pull requests / Working with forks

  • @user-wg2vw3mz1v, months ago, +2

    Mental Outlaw is a Subtext-Fu Master!

  • @stage6fan475, months ago, +1

    algorithm. Kenny, have your chickens been behaving better than our giant software corporations?

  • @mrdavi5064, months ago, +3

    I think that deletion of GitHub repo should delete all commits. This is just bad design. I really hope GitHub will reconsider.

    • @TheRobbix1206, months ago

      Deleting the repo just does the exact same thing as deleting all branches and tags for git, meaning just removing references to commits
      To remove those commits completely you would have to run git gc, which has to detect dangling references in the entire tree, and it would have to do that every time a push cannot be solved by a fast-forward (deleting a branch, rebasing, git push --force)
      You can test this behaviour on your computer, and it is sometimes used with git reflog to be able to get back a lost commit.
      As for why it happens with forks, it's simple: forks are in the same repo as the original project (more efficient in space), just having their own references for branches and tags, which makes a fork just some cloned references and makes things like pull requests way easier to handle, as it is the same as a merge/rebase in the same repository.
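As an added shell example (not from the video or any of the commenters) to make the point above concrete: in a local repository, deleting the branch that holds a constructed placeholder secret only drops the reference, the commit stays retrievable by hash, and only reflog expiry plus garbage collection removes it. It assumes git is installed; the identity and key value are constructed.

```shell
#!/bin/sh
# Added example, not from the video or the comments above: a throwaway git
# repository showing that deleting a branch only removes a reference. The
# commit object stays addressable by its hash until the reflog is expired
# and the object store is garbage collected. Assumes git is installed.
set -eu

# Builds a temporary repo, commits a constructed placeholder "secret" on a
# side branch, deletes that branch, and reports whether the commit object
# is still present before and after garbage collection.
# Prints two words: "<after-delete> <after-gc>", each "yes" or "no".
demo_dangling_commit() (
  repo=$(mktemp -d)
  cd "$repo"
  git init -q .
  git config user.email "demo@example.invalid"   # constructed identity
  git config user.name "demo"
  git config commit.gpgsign false

  # Base commit on whatever the default branch is called
  echo "readme" > README.md
  git add README.md
  git commit -q -m "initial"
  base=$(git rev-parse --abbrev-ref HEAD)

  # The mistake: a commit on a side branch containing a placeholder secret
  git checkout -q -b leak
  echo "API_KEY=EXAMPLE-PLACEHOLDER-NOT-A-REAL-KEY" > .env   # constructed value
  git add .env
  git commit -q -m "add env file"
  leaked=$(git rev-parse HEAD)

  # The "fix" most people reach for: switch back and delete the branch
  git checkout -q "$base"
  git branch -q -D leak

  # The ref is gone, but anyone holding the hash can still read the object
  if git cat-file -e "$leaked" 2>/dev/null; then after_delete=yes; else after_delete=no; fi

  # Only reflog expiry plus pruning removes the now-unreachable objects.
  # On a hosted service you cannot run this step yourself.
  git reflog expire --expire=now --all
  git gc -q --prune=now
  if git cat-file -e "$leaked" 2>/dev/null; then after_gc=yes; else after_gc=no; fi

  cd / && rm -rf "$repo"
  printf '%s %s\n' "$after_delete" "$after_gc"
)

demo_dangling_commit
```

Because the gc step is not something a GitHub user can run against GitHub's object store, the commenters who say to rotate the leaked key rather than trying to delete it are giving the only reliable remedy.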

  • @Zyph2, months ago, +3

    Thank you, I actually really needed this

  • @skitsschist11, months ago, +17

    Your videos are always so informative and interesting! I am going to push a kernel-crashing bug to production! ☺️💻

    • @juho1882, months ago

      are you bot?

  • @zolvaring9503, months ago, +1

    You can report this stuff without clickbaiting or sensationalizing it. You can't spread awareness if you get tuned out.

  • @CodeEnthusiast78912, 29 days ago, +1

    if your repo is always private then it is safe as far as I understand

  • @potatocrispychip, months ago, +2

    imagine the possibilities

  • @simonbackwash, months ago, +1

    GitHub on the internet way back machine 👌

  • @duser, months ago, +4

    Yuzus back bois

  • @polarzxo1530, months ago, +10

    every time 11 huffs fine, 12 huffs poopman come i

  • @godly_wisdom777, months ago, +4

    so is it possible to get the original tornado cash repo ??

  • @saifbenzamit5980, months ago, +8

    Day 95 of hacking the algorithm

  • @Dgi4zhotsxnofw, months ago, +9

    Wtf is that thumbnail

    • @piked86, months ago, +6

      A Turk

    • @Kwijibob, months ago, +3

      most definitely not a bug, it's a feature.. yeah

    • @4.0.4, months ago

      A lawyer

  • @lte6983, months ago

    This is by design, that’s why they warn you.

  • @WHAT-GRINDS-MY-GEARS, months ago, +2

    Gitea works very well

  • @Alex-ee5pl, months ago, +5

    kenny haccs

  • @ytnukesme1600, months ago

    Microsoft as per usual labels bugs as "features" just to cheap out on bug bounties. they're truly one of the multi-billion tech companies of all time.

  • @WebSurfingIsMyPastime, months ago, +4

    Mental Outlaw killing it with all the interesting new content these days

  • @darkWolf354, months ago

    It's harder to understand a running system using old and extensive data than it is to break the current one's security... any big enterprise piece of application with 3 year old code is missing too many updates to be much use at all.
    Your company took 2 years to change from server side authentication to client side authentication, and you catch the 1 year of code updates... how great!

  • @luciphonicverdigris3149, months ago

    Oooh, some glowing gate keeping dragons be here. Bad opsec for a first post, but I don't mind. All Hail The Outlaw!

  • @yur1x0nly, months ago

    Wild West approach I like it

  • @SpartanONegative, months ago

    My computer programming college professor flew a helicopter in Vietnam and was one of the people who created the internet in the Army. The only way we could get extra credit in his class was to tell him what the jet stream speed was in the morning 😂 My brother went to school for IT repair and had to take ethics. I asked my professor why we didn't take ethics and he said we need to think unethically so we can put up with hackers. My youngest son is 11 and writes his own code. I bought him a nice PC. He builds Raspberry Pi stuff. Sullivan recovering data: if you turn your computer off I'm going to charge you whatever I want, over a million dollars, to get that stuff back; if you don't turn your computer off, just leave it alone frozen, I'm not going to charge you that much money to get your data back. If it's frozen that's good, we can go back. I just learned how to track down data stuck in limbo trying to get uploaded to the cloud but can't be found except for up there in the buffer banks 😂 my teacher taught our class to be dangerous 🙏 Wisconistan 🏴‍☠️🦅

  • @yogurtColombiano, months ago, +7

    too many suspicious women here.

  • @CreativeWerxGFX, months ago

    Holy crap, talk about sweeping the dirt under the github rug! 😂

  • @Wakooify, months ago

    It's a bit more than 16^4, it's 64^4 combinations to brute force a sha1 hash 4 characters long. At 16 the collision risk would be too high.

    • @shadamethyst1258, months ago

      Where do you get this 64 from?

  • @uniqueprogressive9908, months ago

    I knew about this for ages, i remember downloading a minecraft bot that got deleted on github with it

  • @xxXXuser69420XXxx, months ago, +2

    I will never not imagine a colorful tortilla every time Kenny says "the Tie dye Tor tee (lla)"

    • @Jango1989, months ago

      🤦

  • @nilkonom, months ago, +7

    I'm just waiting for the day some rogue intern runs git gc --aggressive on all the repos on github.

  • @juanvalcecchi3464, months ago, +2

    as always, thank you

  • @danielgallan5143, months ago, +5

    typical microsoft

    • @Kermit2k, months ago

      Typical people that think you can "erase" leaked sensitive information. That's how the internet works, once it's out the box, it will never get back in the box. The only way to address key leaks is to change the keys. What's the point of erasing credentials? You gonna keep reusing them after leaking them in the hopes nobody saw?

  • @RoofusRoof19, months ago

    How else would microsoft leak the google search algorithm if they didn't have this "feature"

  • @rekire___, months ago, +6

    _How many time we have to teach you old man_

  • @graealex, months ago

    This is such a non-issue. I use SHA1 hashes as access keys without further authentication. Because if you know that key, you either already have the file and its full contents, or you have been brute forcing for about a million years.
    Assuming everything is secured by HTTPS, no MITM will ever have access to the commit hash, but the two parties that already know the contents of the commit.

    • @bashisobsolete.pythonismyn6321, months ago

      waaay too complicated. i just print it out and post it on the public noticeboard in the town square. that way, privacy is truly a non issue.

    • @graealex, months ago

      @@bashisobsolete.pythonismyn6321 Please only speak after consulting your brain.

  • @quebono100, months ago

    In my opinion companies are trying everything to not pay bug bounties.

  • @NekoiNemo, months ago, +1

    What the fork, GitHub?

  • @cynth4941, months ago

    Serious question, what happens if someone uploads like CP or revenge corn to a fork on Github?
    Not trying to ragebait, but genuinely curious, it's impossible to delete? That shit will stay on their servers forever?
    (I know you can't upload huge videos to Github, but images do work).

  • @kcnl2522, months ago, +1

    Billion dollar hype train AI projects are not opensource on github anyway.

  • @PopescuAlexandruCristian, months ago

    If you have keys in your repo you kind of deserve this.

  • @RoofusRoof19, months ago, +1

    Another day another reason to selfhost your stuff

  • @NicholasHickam, months ago, +2

    Does GitLab inherit this flaw?

    • @Dipj01, months ago

      Exactly, I'm curious now

  • @Hotshot24-7, months ago

    How do you know so much about computer science ? I wanna be like you

  • @JoshPocketwatch, months ago, +1

    Kinda ur fault if u hardcode api keys

  • @gyrgamer8936, months ago, +5

    Git gud?

  • @TehPwnerer, months ago

    Instead of deleting what if you rewrote history? I suppose this is similarly forked and you'd have quite the same problem 🤔

  • @rotemlv, months ago

    Well it would be literally impossible to just delete the key in this case...

  • @evanmcdonnal, months ago, +4

    None of this is a vuln in GH. These are Git features coupled with user error. You’re very wrong. GH doesn’t own git. This can all be done on the command line in Git. Microsoft doesn’t own Git. It was made by Linus Torvalds and is open source. Ironic since you think open source confers special security features and don’t know how to use Git. People making these mistakes should not be employed and given access to sensitive source code. That is the only solution, unless of course you think commit history in Git should be obfuscated/destroyed to make up for idiot employees leaking secrets.

    • @Dipj01, months ago

      There is nothing in git called 'fork'. Forking is very much a GitHub thing. Ironic how you don't know this basic thing and start spewing nonsense and downplaying risks like you're some know-it-all.
      Github's fork gives an illusion that you're copying a repo, which will make users think whatever they do in their own fork isn't accessible from somewhere else.
      Now reading the docs carefully suggests it's more akin to creating a new branch rather than forking, but again, it's not immediately obvious.
      And everyone knows not to put api keys in source control but mistakes can happen. There should be a way to undo it/privatise it (yes, the most effective way would be to cycle the api key itself, but github should provide a way to protect it just in case).
      If you're so much about not making mistakes and mistakes can only be made by "idiots", I hope you never use your undo button, because you shouldn't even have made a mistake to begin with (cause you're not an idiot are you?).
      An attack vector is an attack vector and downplaying it as a skill issue has only ever caused harm.
      Making things (somewhat) foolproof goes a long way in reducing attack vectors.
      This is why we have password validation forcing users not to just give 1234 as a password and call it a day.
      Please educate yourself on git and cyber security before downplaying risks.

    • @evanmcdonnal, months ago

      @@Dipj01 the user made a bad commit and pushed it remotely. What do you suggest GH do about it? Commit history is a native Git feature and I don’t care what labels GH adds to repos. His commit, if left long enough, is probably in web archives as well. Should GH purge that for you too? Bottom line is you can’t push a bad commit remote, especially to a public repository. This is chiefly a skill issue.

  • @hrr597, months ago, +2

    Can't wait for it to get patched as soon as this video takes off.

  • @Acor3pl, months ago

    Honest question: why gitea? is something wrong with gitlab?

  • @gd44481, months ago

    Are you gonna talk about the secure boot key leak?

  • @ywueeee, months ago

    wait even for the private one, wouldn't it have the same issue. i think that's how git works?

  • @TheSkypeConverser, months ago, +2

    Likes the video

  • @NorthEagle, months ago

    No new information lol. I’m just curious if force pushes actually delete data or also don’t

    • @mxalltheway, months ago

      if someone knows the hashes, force push doesn't help.

    • @NorthEagle, months ago

      @@mxalltheway isn't the main problem then that github doesn't do garbage collection?

  • @k98killer, months ago

    I host a number of git repos on my Raspberry Pi.

  • @calebburke91, months ago

    I hate microsoft just as much as the next arch bro, but this is intended git behaviour

  • @Levi_OP, months ago, +1

    *Repository's

  • @mikeb1085, months ago

    if it was a feature there should be an option to turn it off

    • @mikeb1085, months ago

      we're lacking options in this world

  • @ZANF3R, months ago

    You def wouldn't be making a billion dollar program if you forget to gitignore any env file holding keys 💀(8:00 you mention it)

  • @doctorothon, months ago, +3

    liked and commented

  • @kuzme5988, months ago

    2018?! bro i thought it was couple of years ago...

  • @Gokhan-er8qv, months ago

    who commits their secrets to git? no one should ever do that.

  • @mrgeebee1622, months ago

    Too bad it's so hard these days to get MXR

  • @nikolaimarcusandersen165, months ago

    A bit of a clickbait… It’s very niche and kinda not realistic to do harm in any normal situation

  • @YoKKJoni, months ago

    so if you're not forking all is good yeah?

  • @djpuplex, months ago

    Good all the good shit always gets deleted.

  • @Applecitylightkiwi, months ago, +2

    Nice