Content Injection Attack on GitHub (opens in new tab)

(github.com)

158 pointsLapz2y ago49 comments

49 comments

42 comments · 14 top-level

wokwokwok2y ago· 6 in thread

You can see in the commit log from on https://github.com/younesbram/younesbram/commit/4282312e4ec3... where the first PoC commit is pushed up.

The thing I find interesting is that this wasn't a random discovered; like, you look at the first commit in the sequence and you'll see.

> \ce{$\unicode[goombafont; color:red; pointer-events: none; ...

ie. This isn't some random chance discovery.

This is someone looking to use a specific exploit with the ```math tag, already certain that there's some way of doing it.

How strange.

rawling2y ago

This isn't the source of it. I came across this on Twitter last night and traced it back a bit to try to share "the original" with my colleagues. The earliest I found was https://x.com/cloud11665/status/1799136093071163396 which I think is slightly earlier than the second commit on this repo.

jraph2y ago

I don't think you can really trust commit history to deduce this:

- the history can be rewritten, with push --force. The author might have iterated by force pushing one commit

- The author could have discovered it by change in a private repository, or another repository that they deleted

wokwokwok2y ago

Honestly, I doubt the author is playing the “deep game” of looking like they’re just messing around while secretly being a secret agent and (for some fathomless reason) making it look like it with an artificial git history.

So in general, yes, but in this case, I doubt it. I’m pretty sure this git history is a real and true log of them dicking about trying to get the exploit they saw on twitter working.

…but, I guess, you could be right. /shrug

1 more reply

mesmertech2y ago

that was the first iteration of CSS injection that was working, that github then patched. The new one is the new iteration that still works

it was found by a bunch of anime-pfps on twitter and went "viral"

DaiPlusPlus2y ago

> it was found by a bunch of anime-pfps on twitter

I think you mean “infosec professional”

pindab0ter2y ago

What does one's pfp matter, if what they found holds water?

2 more replies

dayjaby2y ago· 5 in thread

Explanation for this with a better link: https://news.ycombinator.com/item?id=40615804

sva_2y ago

That goes right onto my 'convoluted explanations that make things more complicated than they really are' stack.

epr2y ago

Feynman's Razor

alexvitkov2y ago

To understand monads, imagine you're in the middle of an infinite ocean. The ocean represents possibilities, and each wave represents a choice. Monads are invisible fish that you can't see but guide your boat. You don't know where you're going, and the fish don't either. Sometimes, they lead you to islands of coconuts, but other times they take you to whirlpools. You have a magical net that catches these fish, but the net has holes, so not all fish stay. Monads are these fish that might or might not help you navigate the infinite ocean, depending on whether they feel like it.

SebFender2y ago

ok that lego thing is far out... not that great but I guess it helps people understand - lol

op00to2y ago

It did not help me. A Lego castle with … a secret magical tunnel? Just explain things, no need to besmirch Lego in this case.

mmsc2y ago· 4 in thread

Other than I love Samy, are many real-world examples of XSS being exploited for massive takeover of some service? I can't say I remember any news of a "website/service totally taken over due to XSS."

rebane20012y ago

Powerful XSS vulnerabilities are found all the time, but they usually doesn't break the news because they aren't wormed. Samy was a worm, spreading from user to user exponentially, hence it being a very loud attack with news about it.

shakna2y ago

XSS tends to be the first step in a chain of exploits. There are examples of using it for account takeovers, but XSS being the first step, usually means it doesn't get called out directly. The particular chain sequence gets a name, and that is what gets put out in media responses.

mmsc2y ago

Yes, finding some PoC for account takeover or something that involves XSS is cool and whatnot, but I'm asking whether these theoretical chain of exploits have ever actually been documented as being exploited to a significant degree.

2 more replies

syntheticcorp2y ago

It’s pretty infrequent outside of target attacks. Most recent is probably the roundcube XSS CVE-2023-43770 that was actively exploited as 0day by a threat actor last year.

fscaramuzza2y ago· 3 in thread

GH just fixed it, but there's a snapshot from few hours ago: https://web.archive.org/web/20240608060046/https://github.co...

pheatherlite2y ago

That's an impressive turnaround.

tyzoid2y ago

It's still working for me on the live site

noman-land2y ago

Brilliant

tempodox2y ago· 3 in thread

I don't get this. It shows some mangled text that looks like defaced CSS, accompanied by the error message “Extra open brace or missing close brace”. How is this content injection?

But the rescue murloc is cute.

arshxyz2y ago

They fixed the issue but for a beautiful moment in time, it looked like this: https://archive.is/LPC5O

sizzle2y ago

Looks like my old MySpace

rvnx2y ago

GitHub just fixed the issue right now, the markdown you can see was injecting new background to the page, floating GIFs everywhere, etc.

_lvbh2y ago· 3 in thread

Does this still work? Opened in Safari and don’t see anything out of place

rawling2y ago

Gone for me now in Android Chrome.

I get this in what looks like an error box

> Extra open brace or missing close brace

lawgimenez2y ago

Not anymore on Firefox.

a1o2y ago

You need to look into the webarchive linked above as it was fixed already

whamlastxmas2y ago· 2 in thread

Shame that either GitHub doesn’t have a bug bounty, or their program isn’t good enough to entice people to use it

richbell2y ago

https://hackerone.com/github

$600 for a low seems pretty good to me.

noname1202y ago

Neither is correct.

janmo2y ago· 2 in thread

Funny at first, but this could have been exploited maliciously by let's displaying a message telling the user he has been disconnected and redirecting him to a phishing page.

_flux2y ago

If this was purely a CSS injection—as I understand it was—then I don't think it would be possible to redirect on any technical level the user anywhere (e.g. by providing a link).

But telling user to do something would still be on the table.

rwalle2y ago

That's the point, isn't it?

pandaxtc2y ago

I think the \unicode CSS injection used here was reported to the MathJax library a few months ago - https://github.com/mathjax/MathJax/issues/3129

rvnx2y ago

Source-code: https://raw.githubusercontent.com/younesbram/younesbram/main...

(Injection in LaTeX math tags)

moritzwarhier2y ago

Saw this last night (in Europe), was posted with a different image

https://news.ycombinator.com/item?id=40614571

but that one of course stopped working too

working snapshot (mildly nsfw):

https://web.archive.org/web/20240607215223/https://github.co...

there's another one from 2 hours earlier but that misses the cool rotating cube.

LASR2y ago

So this opened in my GitHub iOS app at first and I was confused.

1023bytes2y ago

Looks like this has been patched

dvh2y ago

Well done

j / k navigate · click thread line to collapse

49 comments

42 comments · 14 top-level

wokwokwok2y ago· 6 in thread

You can see in the commit log from on https://github.com/younesbram/younesbram/commit/4282312e4ec3... where the first PoC commit is pushed up.

The thing I find interesting is that this wasn't a random discovered; like, you look at the first commit in the sequence and you'll see.

> \ce{$\unicode[goombafont; color:red; pointer-events: none; ...

ie. This isn't some random chance discovery.

This is someone looking to use a specific exploit with the ```math tag, already certain that there's some way of doing it.

How strange.

rawling2y ago

jraph2y ago

I don't think you can really trust commit history to deduce this:

- the history can be rewritten, with push --force. The author might have iterated by force pushing one commit

- The author could have discovered it by change in a private repository, or another repository that they deleted

wokwokwok2y ago

So in general, yes, but in this case, I doubt it. I’m pretty sure this git history is a real and true log of them dicking about trying to get the exploit they saw on twitter working.

…but, I guess, you could be right. /shrug

1 more reply

mesmertech2y ago

that was the first iteration of CSS injection that was working, that github then patched. The new one is the new iteration that still works

it was found by a bunch of anime-pfps on twitter and went "viral"

DaiPlusPlus2y ago

> it was found by a bunch of anime-pfps on twitter

I think you mean “infosec professional”

pindab0ter2y ago

What does one's pfp matter, if what they found holds water?

2 more replies

dayjaby2y ago· 5 in thread

Explanation for this with a better link: https://news.ycombinator.com/item?id=40615804

sva_2y ago

That goes right onto my 'convoluted explanations that make things more complicated than they really are' stack.

epr2y ago

Feynman's Razor

alexvitkov2y ago

SebFender2y ago

ok that lego thing is far out... not that great but I guess it helps people understand - lol

op00to2y ago

It did not help me. A Lego castle with … a secret magical tunnel? Just explain things, no need to besmirch Lego in this case.

mmsc2y ago· 4 in thread

Other than I love Samy, are many real-world examples of XSS being exploited for massive takeover of some service? I can't say I remember any news of a "website/service totally taken over due to XSS."

rebane20012y ago

shakna2y ago

mmsc2y ago

2 more replies

syntheticcorp2y ago

It’s pretty infrequent outside of target attacks. Most recent is probably the roundcube XSS CVE-2023-43770 that was actively exploited as 0day by a threat actor last year.

fscaramuzza2y ago· 3 in thread

GH just fixed it, but there's a snapshot from few hours ago: https://web.archive.org/web/20240608060046/https://github.co...

pheatherlite2y ago

That's an impressive turnaround.

tyzoid2y ago

It's still working for me on the live site

noman-land2y ago

Brilliant

tempodox2y ago· 3 in thread

I don't get this. It shows some mangled text that looks like defaced CSS, accompanied by the error message “Extra open brace or missing close brace”. How is this content injection?

But the rescue murloc is cute.

arshxyz2y ago

They fixed the issue but for a beautiful moment in time, it looked like this: https://archive.is/LPC5O

sizzle2y ago

Looks like my old MySpace

rvnx2y ago

GitHub just fixed the issue right now, the markdown you can see was injecting new background to the page, floating GIFs everywhere, etc.

_lvbh2y ago· 3 in thread

Does this still work? Opened in Safari and don’t see anything out of place

rawling2y ago

Gone for me now in Android Chrome.

I get this in what looks like an error box

> Extra open brace or missing close brace

lawgimenez2y ago

Not anymore on Firefox.

a1o2y ago

You need to look into the webarchive linked above as it was fixed already

whamlastxmas2y ago· 2 in thread

Shame that either GitHub doesn’t have a bug bounty, or their program isn’t good enough to entice people to use it

richbell2y ago

https://hackerone.com/github

$600 for a low seems pretty good to me.

noname1202y ago

Neither is correct.

janmo2y ago· 2 in thread

Funny at first, but this could have been exploited maliciously by let's displaying a message telling the user he has been disconnected and redirecting him to a phishing page.

_flux2y ago

If this was purely a CSS injection—as I understand it was—then I don't think it would be possible to redirect on any technical level the user anywhere (e.g. by providing a link).

But telling user to do something would still be on the table.

rwalle2y ago

That's the point, isn't it?

pandaxtc2y ago

I think the \unicode CSS injection used here was reported to the MathJax library a few months ago - https://github.com/mathjax/MathJax/issues/3129

rvnx2y ago

Source-code: https://raw.githubusercontent.com/younesbram/younesbram/main...

(Injection in LaTeX math tags)

moritzwarhier2y ago

Saw this last night (in Europe), was posted with a different image

https://news.ycombinator.com/item?id=40614571

but that one of course stopped working too