How To Access Any Forked GitHub Repositories Data

Published 2024-07-26
In this video I discuss a GitHub attack vector that can let anyone access data from deleted or private GitHub repos.

Read the blog post about this Cross Fork Object Reference bug on Truffle Security
trufflesecurity.com/blog/anyone-can-access-deleted…
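The mechanism behind the attack, as an added example that is not from the video or from Truffle Security's write-up: plain git simulates a fork network that shares one object store. The names `upstream` and `fork`, the `.env` secret string, and the use of a local `git fetch` to stand in for GitHub writing a fork's pushed objects into the network-wide store are all assumptions of this demo. It shows that after the fork is deleted and no ref in `upstream` points at the commit, the secret is still readable from `upstream` by commit hash.

```shell
#!/bin/sh
# Added example (not the video's or Truffle Security's code): simulate a
# GitHub-style fork network locally and recover a "deleted" fork's secret
# from the shared object store by hash.
set -e

# Builds upstream + fork, commits a secret in the fork, lets the fork's
# objects land in the shared store, deletes the fork, then reads the secret
# back from upstream by commit hash. Prints the recovered line on stdout.
demo_cross_fork_object_reference() (
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
  export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

  # "upstream": the public repo; the secret never lands in any of its branches.
  git init -q "$work/upstream"
  git -C "$work/upstream" commit -q --allow-empty -m "initial public commit"

  # "fork": shares upstream's object store (objects/info/alternates), the way
  # repos in a GitHub fork network share one storage back end. Hypothetical names.
  git clone -q --shared "$work/upstream" "$work/fork"
  # Constructed secret, not a real credential.
  printf 'AWS_SECRET_ACCESS_KEY=constructed-example-not-a-real-key\n' > "$work/fork/.env"
  git -C "$work/fork" add .env
  git -C "$work/fork" commit -q -m "oops: commit credentials"
  sha=$(git -C "$work/fork" rev-parse HEAD)

  # On GitHub, pushing to the fork writes its objects into the network-wide
  # store. Locally, a fetch into upstream's object database models that; we
  # keep no ref to the commit afterwards.
  git -C "$work/upstream" fetch -q "$work/fork" HEAD
  rm -f "$work/upstream/.git/FETCH_HEAD"

  # The fork is deleted (or made private): its branches are gone.
  rm -rf "$work/fork"

  # Sanity check: nothing reachable from any ref in upstream mentions the commit.
  if git -C "$work/upstream" log --all --oneline | grep -q "$(printf %.7s "$sha")"; then
    echo "unexpected: secret commit is reachable from a ref" >&2
    exit 1
  fi

  # ...yet the objects are still in the shared store, so anyone who knows
  # (or enumerates) the hash can read them. Git accepts any unique prefix;
  # 7 hex chars are used here so the lookup is unambiguous in a tiny repo.
  # NOTE: a local 'git gc --prune=now' would drop this dangling commit;
  # the reported GitHub behaviour was that the network-wide store did not.
  short=$(printf %.7s "$sha")
  git -C "$work/upstream" cat-file -p "$short:.env"
)

demo_cross_fork_object_reference
```

The `git log --all` check is what a repo owner sees: no branch, tag or history in `upstream` ever shows the credential commit. The final `cat-file` is what the attacker does, addressing the blob through the tree of a commit that only a deleted fork ever referenced. The defensive consequence is the one the blog draws: treat anything pushed to any repo in a fork network as exposed and rotate the credential, because deleting the fork does not delete the objects.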

My merch is available at
based.win/

Subscribe to me on Odysee.com
odysee.com/@AlphaNerd:8

₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿

Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436

Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV

Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079

Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz

All Comments (21)
  • @t0m0b0nes
    The title seems to be a bit over-exaggerated; it is not ANY private/deleted repo, it must be a private/deleted fork of a still-existing public repo
  • @davidt01
    Basically, forks are not clones. Forks are like some kind of top-level branches above each repo branch.
  • @gwky
    Microsoft be like “we brought recall to GitHub to enhance the user experience” or some variation of Julian Smith’s “I made this for you!”
  • @James2210
    This is just Git. If you push your API key to a repository, it's on the Internet forever.
  • @leofun01
    It's not a bug. It's normal behavior, as expected. All hashes are public, even if your repo is private.
  • Quite a few bots in this comment section, why though? Doesn’t sound like any Mental Outlaw viewer would fall for them and I haven’t seen them around previously…😊
  • @piked86
    So does that mean I can get into the yuzu repo?
  • @anonanon6596
    It might be just in my head but you sound more well-articulated than usual in this video.
  • @zedev444
    Oh boy something good finally, my YT has been in a drought this week
  • If the repo was created as private and remains private, how will this "bug" occur?
  • @jabrowski_
    Mental ur the goat. Have a great weekend. Watched all the way through
  • @webgtx
    You can alternatively mirror your github repos on gitlab, codeberg, gitea, or even self-hosted instances. So you don't have to ditch all of the cool github CI/CD features
  • @polarzxo1530
    every time 11 huffs fine, 12 huffs poopman come i
  • @marsovac
    Secrets are usually not committed in the repo (and never should be) but are a setting at organization level. Devs using GitHub do not need access to the key but the name of the key that somebody set as a secret in the organization, to reference it in the build and integration process. And for their local use they can use another development-only key, which if committed can be easily revoked. I understand that this feature loads the gun with which dumb devs can shoot themselves in the foot, but I don't think Microsoft is to blame if that happens.