In the last few days I got the pleasure to be in touch with the github security guys.
I must admit I am really impressed about how security is important for Github and how much serious they take it (they embrace and leverage all the new security features supported by modern browsers, Content Security Policy included ).
Moreover they are really fast on reply and really friendly so kudos to them.
From the other hand I was a bit surprised on how the "handled" a couple of issues I did report.
Now the fact I did not get a bounty doesn't play any role on my opinion (apparently both issues I reported were well known by them).
The thing that does surprise me instead is the fact that even that those are well known issues are not yet fixed (if ever).
But no more words just fact...
The first issue I reported is the following.
Now I do appreciate that
a) nosniff is present
b) the content type is text/plain
Now we are really talking about stealing cookies on a really sensitive domain right ? (always IMHO) :)
But apparently this is not enough and that output will continue to be not sanatized.
So this brings us to issue #2
Step to reproduce
- Create a new public repo e.g. (https://github.com/asanso/
- add a configuration config.txt file and put username and password
- commit and push
- verify anybody can see https://github.com/asanso/
- verify anybody can see https://raw.githubusercontent.
- change the permission of https://github.com/asanso/test to private
- verify nobody apart asanso can see https://github.com/asanso/
- verify nobody apart asanso can see https://raw.githubusercontent.
Create html and make the victim asanso visit the page
This extrafiliates the credentials to an attacker...
Now, true, this will work only in Firefox since doesn't have any support for nosniff .
But isn't Firefox still one of the most used browser or am I missing something :) ?
Moreover Firefox will probably fix this issue sooner or later but what until then ?
Said that, I just (without any irony) want to reiterate : "Great stuff Github security" (they are seriously good!!)