https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github

A new security vulnerability has been uncovered on GitHub that allows access to data from deleted repositories and forks. This means that sensitive information, such as API keys, can persist even after being supposedly erased.

Security researchers at Truffle Security have dubbed this issue a “Cross Fork Object Reference” (CFOR). They demonstrated how deleted code, including private data, can still be accessed through forks of the original repository. This raises serious concerns about data privacy and security.

While GitHub maintains that this is expected behaviour, critics argue that it undermines user trust and expectations about data deletion. The platform’s response has been to classify this as a “feature” rather than a vulnerability.

This discovery highlights the potential risks associated with relying solely on code-hosting platforms for data security. Organizations need to be aware of these limitations and implement additional safeguards to protect sensitive information.

As the digital landscape evolves, it’s increasingly clear that data deletion is a complex issue with far-reaching implications for individuals and businesses alike.
