Cybersecurity company Checkmarx said it has discovered that hackers can effectively hijack GitHub’s star ratings of open-source products to trick developers into downloading malicious code.
In a blog post, Checkmarx’s Tzachi “Zack” Zornstein and Aviad Gershon warn that the entire cyber-scam, which they’re calling “StarJacking,” ultimately relies upon the credibility that many people attach to star-rating systems for various products. The more popular a product, some people reason, the better the product.
In this case, it’s developers trusting the number of GitHub stars given to mostly open-source code packages that some people might be interested in using and downloading.
As explained on the Checkmarx blog: “Package managers often display the GitHub (star) statistics on the package’s web page to make things easy for these developers. As it turns out, the statistics displayed by the package managers do not go through any validation process. It can easily be falsified to mislead developers because of how this information is acquired.”
The blog post adds: “This situation enables StarJacking —a technique for making a package look more popular than it really is by taking advantage of the non-existing validation of the relation between the package and the GitHub repository.”
In their Checkmarx blog post, Zornstein and Gershon said they looked at three popular open-source packages on websites and found a major flaw with the process of linking to a GitHub repository.
“The problem is that there is no validation of the connection between the package and the repository,” Zornstein and Gershon wrote. “This means that anyone can link any repository, as popular as they would like, to their package which will result in bogus statistics to be displayed on the website and trick developers.”
In their blog conclusion, Zornstein and Gershon wrote that “StarJacking is another way for an attacker to increase the chances for their attack to succeed and infect as many targets as possible.”
They added: “This technique is intended to gain more credibility for the package by making it look popular and highlighting how many other developers use it. Under the cover of this credibility, the attacker may try to slip in any malicious functionalities they choose.”
In an interview with CRN US, Zornstein, head of software supply chain security at Checkmarx, stressed that GitHub, which is owned by Microsoft, is not responsible for the security problem that researchers have found. GitHub and Microsoft could not be reached for comment.
Instead, Zornstein placed the blame squarely on package managers who he said are not taking adequate precautions to verify information when marketing and touting packages on their websites.
Zornstein said his research did uncover actual malicious code using the “StarJacking” attack technique. It appears the attackers were looking to steal sensitive corporate information, he said.
Though he could not say for sure if any systems were infected as a result of the “StarJacking” attacks, Zornstein did note that one code package analysed by Checkmarx was downloaded tens of thousands of times.
The targeted vendors in question have been informed of the StarJacking incidents and those individual site problems have been fixed, Zornstein said.
Checkmarx’s Zornstein said the star-system for rating tech products is still sound. But he said developers relying on star ratings need to be more careful.
“What we’re saying is you should double-check things,” he said. “You should not automatically assume that the stars [at a site] are rightly theirs. It can be very misleading.”