this post was submitted on 26 Jul 2024
214 points (95.0% liked)

Technology

57917 readers
8382 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s
[email protected]
[email protected]
[email protected]
enu
[email protected]
L4s
214
Data from deleted GitHub repos may not really be deleted (www.theregister.com)
submitted 1 month ago by [email protected] to c/technology
29 comments fedilink hide all child comments
 

Researchers at Truffle Security have found, or arguably rediscovered, that data from deleted GitHub repositories (public or private) and from deleted copies (forks) of repositories isn't necessarily deleted.

Joe Leon, a security researcher with the outfit, said in an advisory on Wednesday that being able to access deleted repo data – such as APIs keys – represents a security risk. And he proposed a new term to describe the alleged vulnerability: Cross Fork Object Reference (CFOR).

"A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks)," Leon explained.

For example, the firm showed how one can fork a repository, commit data to it, delete the fork, and then access the supposedly deleted commit data via the original repository.

The researchers also created a repo, forked it, and showed how data not synced with the fork continues to be accessible through the fork after the original repo is deleted. You can watch that particular demo.

you are viewing a single comment's thread
view the rest of the comments
[–] AdamEatsAss 53 points 1 month ago (9 children)

Oh god. That means all the spaghetti code that I ever wrote is still out there.

[–] [email protected] 21 points 1 month ago (4 children)

Yup. Along with the code from huge organizations. I always thought it was funny that people put their code online, blindly trusting some random company that got gobbled up by Microsoft.

[–] [email protected] 14 points 1 month ago (1 children)

Along with every private key that was accidentally committed.

[–] [email protected] 11 points 1 month ago (1 children)

Ha ha, way way back in the day when I didn’t understand how keys worked, I sent a private key to another developer when they asked for my public. They were kind enough to educate me.

[–] [email protected] -3 points 1 month ago

As a lifelong troll, I would've just generated a new pub key and made a bunch of commits as you. Then two days later, I would tell you what's up once you had time to process the confusion.

load more comments (2 replies)
load more comments (6 replies)