CySecurity News – Latest Information Security and Hacking Incidents
Cybersecurity researchers at Cider Security have unearthed a code review bypass threat impacting organizations that had not even enabled the recently introduced GitHub Actions feature.
To patch the loophole, Omer Gil and colleagues from security start-up Cider Security introduced multiple security mechanisms. GitHub Actions provides a mechanism to build and run software development workflows all the way from development to production systems.
The authorization bypass weaknesses make it potentially possible for either a rogue developer or threat actors to self-approve pull requests, opening the door to planting malicious software into the tributaries that feed production software, researchers explained in a blog post on Medium.
Threat actors are only required to exploit a single user account before launching an attack, which relies on editing the permissions key in the workflow file. Last year in October, Cider Security was cleared to reveal its stance on the security loophole, weeks before GitHub patched the bug. Additionally, GitHub has introduced a new policy setting that allows system administrators to control whether GitHub Act
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: