https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens
A security vulnerability in GitHub Actions has exposed authentication tokens for multiple high-profile open-source projects, including those from Google, Microsoft, AWS, and Red Hat.
These exposed tokens could allow attackers to gain unauthorized access to private repositories, steal source code, or inject malicious code into projects.
The issue lies in how GitHub Actions handles artifacts, files generated during the build process and stored alongside the code. Insecure configurations and user errors can lead to these artifacts containing sensitive information, including GitHub tokens used for authentication within the workflow.
Researchers from Palo Alto Networks’ Unit 42 discovered this vulnerability, which they call “ArtiPACKED.” They identified several contributing factors:
- Default settings: By default, the commonly used “actions/checkout” action stores the GitHub token within the local Git directory (.git). Uploading this entire directory as an artifact exposes the token.
- Misconfiguration: Uploading artifacts containing other sensitive information like logs or build outputs can also expose credentials stored in environment variables.
- Lack of security checks: Scripts within the workflow might inadvertently log environment variables containing tokens.
Unfortunately, GitHub has chosen not to address this vulnerability itself, leaving the responsibility on developers to secure their workflows. Here’s what you need to know:
- Affected projects: Unit 42 identified 14 large open-source projects that leaked tokens, including projects from Google, Microsoft, AWS, and Red Hat.
- Exploitation: Attackers could exploit these leaks by downloading artifacts and searching for exposed tokens before they expire.
- Mitigation: Developers should avoid uploading sensitive directories, sanitize logs, and review CI/CD workflows to ensure credentials are not persisted unnecessarily. Additionally, using least privilege for access tokens can minimize damage if leaked.
This incident highlights the importance of security best practices within CI/CD pipelines and the potential risks associated with default configurations. Developers are urged to review their workflows and implement appropriate mitigation strategies.