Coinbase

We know a bit more about the GitHub Actions supply chain attack from last month. Palo Alto’s Unit 42 has been leading the charge on untangling this attack, and they’ve just released an update to their coverage. The conclusion is that Coinbase was the initial target of the attack, with the open source agentkit package first (unsuccessfully) attacked. This attack chain started with pull_request_target in the spotbugs/sonar-findbugs repository.

The pull_request_target hook is exceptionally useful in dealing with pull requests for a GitHub repository. The workflow here is that the project defines a set of Continuous Integration (CI) tests in the repository, and when someone opens a new Pull Request (PR), those CI tests run automatically. Now there’s an obvious potential problem, and Github thought of it and fixed it a long time ago. The GitHub Actions are defined right in the repository, and letting any pull request run arbitrary actions is a recipe for disaster. So GitHub always uses actions as they are defined in the repository itself, ignoring any incoming changes in the PR. So pull_request_target is safe now, right? Yes, with some really big caveats.

The simplest security problem is that many projects have build scripts in the repository, and those are not considered part of GitHub Actions by GitHub. So include malicious code in such a build script, make it a PR that runs automatically, and you have access to internal elements like organization and repository secrets and access tokens. The most effective mitigation against this is to require approval before running workflows on incoming PRs.

So back to the story. The spotbugs/sonar-findbugs repository had this vulnerability, and an attacker used it to export secrets from a GitHub Actions run. One of those secrets happened to be a Personal Access Token (PAT) belonging to a spotbugs maintainer. That PAT was used to invite a throwaway account, [jurkaofavak], into the main spotbugs repository. Two minutes after being added, the [jurkaofavak] account created a new branch in spotbugs/spotbugs, and deleted it about a second later. This branch triggered yet another malicious CI run, now with arbitrary Github Actions access rather than just access through a build script. This run leaked yet another Personal Access Token, belonging to a maintainer that worked on both the spotbugs and reviewdog projects. Continue reading “This Week In Security: Target Coinbase, Leaking Call Records, And Microsoft Hotpatching” →

It seems that Bitcoin is all over the news nowadays, but the Bitcoin Bot is probably the first robot that will dance for Bitcoins.

[Ryan] at HeatSync Labs in Mesa, AZ, is a fan of the cryptocurrency, and decided to build something to accept it. He discovered that Coinbase, a popular hosted Bitcoin wallet service, has a callback API. This causes Coinbase to fetch a specified URL any time a wallet receives a transaction, and provides information on the transaction in the request. A Python script handles these requests and updates a running count of the BTC balance sent to the robot’s wallet.

On the hardware side, an Arduino with an Ethernet Shield checks the balance. If it has changed, it calls the dance function and the luau girl dances.

The robot sits in the window of the hackerspace, so anyone passing by can read about Bitcoin and make a donation. The source code is on Github, and a video follows after the break.

Continue reading “Will Dance For Bitcoin” →