Unauthorized access to organization secrets in GitHub

We discussed this vulnerability during Episode 195 on 13 March 2023

An information disclosure in GitHub through the Security Advisories feature. GitHub allows maintainers to draft public advisories, and as part of that process they can create a temporary private fork to collaborate on and review fixes without disclosing them publicly. Around November of last year, GitHub added the ability for organizations to let external users report vulnerabilities against their public repositories. In these cases, the reporter is added as a collaborator on the vulnerability report and gets some special permissions, such as commenting on the advisory. When a private fork is made, the reporter is also automatically added as a collaborator on the fork with limited access.

However, the access wasn't limited enough: the reporter could still use the Codespaces feature (GitHub's cloud-hosted development environment for collaboration). Codespaces secrets are used for storing API keys, SSH keys, passwords, tokens and similar credentials, and they are injected into a codespace as environment variables. A malicious reporter could use their access to the private fork to launch a codespace and exfiltrate those secrets from the environment (for example, by dumping `env`).
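The core of the issue is a scoping mismatch: a secret is reachable from every repository it is scoped to, and anyone who can open a codespace on one of those repositories receives it as an environment variable, including an outside collaborator on a temporary advisory fork. The audit below is an added example (not code from the write-up, the podcast, or GitHub) that makes that reachability explicit. The `Secret` and `Repo` records, the organization name, the secret names, the `-ghsa-` fork naming and the collaborator affiliations are all constructed test data, only loosely shaped after what the GitHub REST API returns; the visibility values `all`, `private` and `selected` mirror GitHub's organization-secret visibility options.

```python
"""Flag organization Codespaces secrets reachable by outside collaborators.

Added example; constructed data, not a live GitHub query. The model is:
a secret is exposed to a user if the user can open a codespace on any
repository the secret is scoped to, because Codespaces secrets are injected
into the codespace as environment variables.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Secret:
    name: str
    visibility: str                     # "all", "private" or "selected"
    selected_repos: set[str] = field(default_factory=set)


@dataclass
class Repo:
    full_name: str
    private: bool
    is_advisory_fork: bool              # temporary private fork of an advisory
    collaborators: dict[str, str]       # login -> "member" or "outside"


def secret_reaches_repo(secret: Secret, repo: Repo) -> bool:
    """Does this org-level secret get injected into codespaces of this repo?"""
    if secret.visibility == "all":
        return True
    if secret.visibility == "private":
        return repo.private            # private repos include advisory forks
    return repo.full_name in secret.selected_repos


def exposed_secrets(secrets: list[Secret], repos: list[Repo]) -> list[tuple[str, str, tuple[str, ...]]]:
    """Return (secret, repo, outsiders) triples where an outside collaborator
    could read the secret by opening a codespace on that repo."""
    findings = []
    for repo in repos:
        outsiders = tuple(sorted(login for login, aff in repo.collaborators.items()
                                 if aff == "outside"))
        if not outsiders:
            continue
        for secret in secrets:
            if secret_reaches_repo(secret, repo):
                findings.append((secret.name, repo.full_name, outsiders))
    return findings


# --- constructed sample organization (hypothetical names) -------------------
SECRETS = [
    Secret("DEPLOY_TOKEN", "all"),
    Secret("PROD_SSH_KEY", "private"),
    Secret("NPM_TOKEN", "selected", {"example-org/webapp"}),
]

REPOS = [
    Repo("example-org/webapp", private=False, is_advisory_fork=False,
         collaborators={"alice": "member"}),
    # Temporary private fork created for an advisory; the external reporter
    # was added as a collaborator with limited access.
    Repo("example-org/webapp-ghsa-xxxx", private=True, is_advisory_fork=True,
         collaborators={"alice": "member", "reporter": "outside"}),
    Repo("example-org/infra", private=True, is_advisory_fork=False,
         collaborators={"alice": "member", "bob": "member"}),
]


def run_audit() -> list[tuple[str, str, tuple[str, ...]]]:
    return exposed_secrets(SECRETS, REPOS)


if __name__ == "__main__":
    for name, repo, who in run_audit():
        print(f"{name:14} reachable from {repo} by outside collaborator(s): {', '.join(who)}")
```

In the constructed data only `NPM_TOKEN`, scoped to a selected repository, stays out of the advisory fork; the `all` and `private` secrets both land in the reporter's codespace. The practical takeaway for defenders is to scope Codespaces secrets to selected repositories rather than `all` or `private`, and to treat advisory forks, which inherit the `private` scope, as repositories that may have outside collaborators.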