Abusing a GitHub Codespaces Feature For Malware Delivery

GitHub Codespaces, initially in preview for specific users, became widely available for free in November 2022. This cloud-based integrated development environment (IDE) allows developers and organizations to customize projects via configuring dev container files, easing some previous pain points in project development.

We investigated the services offered by this cloud IDE and found that one of its features for code development and collaboration – sharing forwarded ports publicly – can be abused by malicious actors to create a malware file server using a legitimate GitHub account. In the process, these abused environments will not be flagged as malicious or suspicious even as it serves malicious content (such as scripts, malware, and ransomware, among others), and organizations may consider these events as benign or false positives.

According the GitHub’s website, they have over 94 million developers including companies like DuoLingo, Vanta, and GitHub themselves. And today, each developer can create at least two codespace instances for free. Considering this popular platform and the potential extensive use of Codespaces for ease in building, developers are strongly advised to properly secure their respective projects by applying threat modelling and testing.

GitHub Codespaces allows developers to create, edit, and run code directly from their web browser. It establishes a container-based environment in a pre-configured virtual machine (VM) with all the necessary tools and dependencies for JavaScript, Python, and Ruby projects. This means developers can get started with a new project quickly and without the need to set up their own local IDE, which usually takes hours and can delay their contributions and productivity One of the main benefits of this service includes allowing developers to collaborate on code in real-time while providing a consistent development environment, like an online pair-programming approach. This means developers can work on the same project from any device without worrying about differences in local setups.

Among its features, GitHub Codespaces allows developers to share forwarded ports from the VM. Developers can share a forwarded port privately within the organization or publicly. A private port is only accessible to organization members via its URL, while anyone with the URL can view a publicly shared port without requiring authentication. This feature is helpful for developers who would like to see a preview of how an application would look like to an end user. At the same time, since GitHub Codespaces is now available for all GitHub users, this feature can be abused by cybercriminals and threat actors already on the platform.

If the application port is shared privately, browser cookies are used and required for authentication. However, if ports are shared with the public (that is, without authentication or authentication context), attackers can abuse this feature to host malicious content such as scripts and malware samples. Moreover, the barriers of costs in creating a Codespaces environment are now lower compared to creating a cloud service provider (CSP) account where you need a credit card to become a subscriber, be it in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and many others.

To validate our hypothesis of threat modeling abuse scenario, we ran a Python-based HTTP server on port 8080, forwarded and exposed the port publicly. In the process, we easily found the URL and the absence of cookies for authentication.

Read More HERE