CodeBreach enables takeover of AWS GitHub repositories
"Wiz discovered a critical vulnerability in AWS CodeBuild that allowed attackers to access core AWS repositories, including the widely used JavaScript SDK. The flaw, dubbed CodeBreach, enabled stealing GitHub credentials via a regular expression filter and gaining complete control over repositories. The discovery stemmed from research into a previous supply chain attack on the Amazon Q VS Code extension. Wiz then investigated the AWS CodeBuild configurations of public repositories."
"The problem was the absence of two simple characters: the start (^) and end ($) anchors in the regex pattern. Without these anchors, a regex engine does not search for an exact match, but for a string that contains the pattern. Any GitHub user ID that was a superstring of an approved ID could therefore bypass the filter. GitHub assigns sequential numeric IDs to users. Accounts from 2008 have 5-digit IDs, while recent accounts have 9-digit IDs."
A critical vulnerability in AWS CodeBuild allowed attackers to bypass ACTOR_ID webhook filters due to unanchored regular-expression patterns. Missing start (^) and end ($) anchors permitted partial matches, so any GitHub user ID that contained an approved maintainer ID could pass the filter. GitHub issues sequential numeric IDs, creating periodic instances where a newer, longer ID contains an older ID. Attackers could rapidly register many accounts to claim such IDs and exploit webhook-triggered builds to steal credentials and take full control of repositories, including core SDKs. Standard sign-up defenses were bypassed using automated GitHub App techniques.
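As an added illustration (not code from the page, from Wiz, or from AWS): the unanchored and anchored actor-ID checks side by side, plus an audit over CodeBuild-style webhook filter groups that also flags the split-alternation form `^111|222$`, which looks anchored but is not. It assumes Python's `re` semantics stand in for the filter engine and uses ACTOR_ACCOUNT_ID, the CodeBuild API name for this filter type; the IDs and filter groups are constructed samples.

```python
import re

# Constructed sample IDs: a short "approved maintainer" ID and a newer, longer
# ID that contains it as a substring (the superstring case described above).
APPROVED_ID = "12345"
SUPERSTRING_ID = "812345679"

def actor_allowed_unanchored(pattern: str, actor_id: str) -> bool:
    """Weak check: accepts any actor ID that merely contains the pattern."""
    return re.search(pattern, actor_id) is not None

def actor_allowed_anchored(pattern: str, actor_id: str) -> bool:
    """Hardened check: full-match semantics, i.e. the pattern wrapped in ^...$."""
    return re.fullmatch(pattern, actor_id) is not None

def _top_level_alternatives(pattern: str) -> list:
    """Split on '|' that is neither escaped nor inside parentheses
    (character classes are not tracked; enough for numeric-ID allow lists)."""
    alts, cur, depth, i = [], [], 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):  # keep escape pairs intact
            cur.append(pattern[i:i + 2]); i += 2; continue
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == "|" and depth == 0:
            alts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    alts.append("".join(cur))
    return alts

def is_anchored(pattern: str) -> bool:
    """True only if every top-level alternative is pinned with ^ and $.
    '^111|222$' is NOT anchored: it also matches '111xyz' and 'xyz222'."""
    return all(a.startswith("^") and a.endswith("$") and not a.endswith(r"\$")
               for a in _top_level_alternatives(pattern))

def audit_filter_groups(filter_groups: list) -> list:
    """Return (group_index, pattern) for each actor-ID filter lacking anchors.
    ACTOR_ACCOUNT_ID is the CodeBuild API name for this filter type."""
    return [(gi, f["pattern"]) for gi, group in enumerate(filter_groups)
            for f in group if f.get("type") == "ACTOR_ACCOUNT_ID"
            and not is_anchored(f.get("pattern", ""))]

# Constructed filter groups in the shape of a CodeBuild webhook definition.
SAMPLE_FILTER_GROUPS = [
    [{"type": "EVENT", "pattern": "PUSH"}, {"type": "ACTOR_ACCOUNT_ID", "pattern": APPROVED_ID}],        # weak
    [{"type": "EVENT", "pattern": "PUSH"}, {"type": "ACTOR_ACCOUNT_ID", "pattern": f"^{APPROVED_ID}$"}],  # hardened
    [{"type": "EVENT", "pattern": "PUSH"}, {"type": "ACTOR_ACCOUNT_ID", "pattern": "^111|222$"}],        # split anchors
]
```

Running `audit_filter_groups(SAMPLE_FILTER_GROUPS)` reports groups 0 and 2; only the fully anchored pattern in group 1 rejects the superstring ID.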
Read at Techzine Global