Ghrc.io appears to be malicious

225 todsacerdoti 27 8/24/2025, 11:27:52 PM bmitch.net ↗

Comments (27)

nicce · 2h ago
GitHub Container registry does not even support fine-grained tokens, instead it uses classic ones [1], which makes this even more dangerous.

[1] https://docs.github.com/en/packages/working-with-a-github-pa...

Edit: most relevant issues?

https://github.com/orgs/community/discussions/38467

https://github.com/github/roadmap/issues/558

thaeli · 1h ago
Are there any additional mitigations folks are using for this? This issue is the only reason we can’t turn classic PATs off entirely.

Short lifetime mandatory reauth to enterprise SSO seems to be the best available, but it’s inconvenient for the single Classic PAT we actually need.

echelon · 2h ago
Someone near a computer that is feeling generous should buy up all the typo'd domain names and hand them over to Microsoft.

Microsoft should rename the registry. This is a horrible name. I know I've typo'd it before.

jsheard · 2h ago
Microsoft is paying top dollar for MarkMonitor, aren't they supposed to proactively register obvious typos so this kind of thing doesn't happen to their clients?
VoidWhisperer · 2h ago
My guess is that MarkMonitor is mainly used for their brand-relevant domains (microsoft, office 365, github (main site), etc), as opposed to one that a small subset of a small subset of their users of one service will use - I would imagine that microsoft likely owns hundreds of domain names and doesn't pay MarkMonitor to monitor every single one
Atreiden · 2h ago
Fairly compelling attack vector because it took several readings for me to even see the problem with the domain.
JdeBP · 1h ago
You and many others. Including people who retry multiple times, and even reboot their machines.

* https://stackoverflow.com/a/66985424/340790 (Spot the answerer's account name!)

* https://forums.docker.com/t/docker-unable-to-push-to-ghrc-io...

iojcde · 2h ago
arjvik · 2h ago
Took the article pointing out that the c and r were transposed for me to even notice there was a problem!
SoftTalker · 2h ago
Yep, this is the sort of typo error I make probably 10 times a day.
echelon · 2h ago
The problem here is GitHub's terrible domain name.

The container registry has a horrible name.

Gigachad · 2h ago
Why does it seem companies hate subdomains so much? Why is this not just registry.github.com or something? It's like they are trying to get people to fall for phishing by creating so many random domains.
dcrazy · 1h ago
It’s best security practice to host user-generated content on a separate domain to opt into browsers’ cross-domain security policies. Hence ghcr.io, githubusercontent.com, fbimg.com, etc.

https://www.reddit.com/r/webdev/comments/lg9xnm/why_do_some_...

JdeBP · 2h ago
Interestingly, the GitHub doco says outright that it superseded docker.pkg.github.com; so it was a conscious choice to go with this domain naming scheme instead of that one.

* https://docs.github.com/en/packages/working-with-a-github-pa...

cyral · 1h ago
I've noticed this too. Why does Amazon have aboutamazon.com and Google have developers.googleblog.com? They literally have their own .google TLD but still choose this weird domain.

Same with local governments. They love something really random like <countyname>proptaxpayment.org instead of treasurer.<countyname>.gov. It's exactly the kind of domain you are told to watch out for, but actually legit.

zx8080 · 2h ago
Probably it's cool, and honored inside an org, to operate a separate domain service, versus going to ask another team for permission for a subdomain.
rconti · 1h ago
insecurity through obscurity
JdeBP · 2h ago
Previously on Hacker News at https://news.ycombinator.com/item?id=44974240 .
aussieguy1234 · 2h ago
There are a lot of open source projects using this domain: https://github.com/search?q=ghrc.io&type=code
notsahil · 1h ago
GitHub should have a tool internally to create these in bulk and send them as a fix.
lathiat · 44m ago
That's a fairly impressively sized list.
gruez · 57m ago
Whois says it's registered by Dynadot, so it's probably worth contacting their abuse email: abuse@dynadot.com
a1o · 2h ago
Damn, this can pick a typo from a CI job and do mean things.
TZubiri · 1h ago
Reminder not to use goofy TLDs; being cute is not worth it when compared to security. There are no guarantees that the process for taking down a malicious domain will be as smooth as a .com.

I'd rather deal with US Verisign than the British Indian Ocean Territory, Colombia or Anguilla.

bragr · 38m ago
The .io TLD is administered by Afilias, which is an American corporation.
engcoach · 2h ago
Is the danger here token replay? It's using Bearer tokens, so it's not sending a password over:

<https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Aut...>

Threats section for Bearer tokens: <https://datatracker.ietf.org/doc/html/rfc6750#section-5.2>

Does OAuth reuse tokens across domains? If not, doesn't this just mean it is requesting an auth token for ghrc (the "fake" domain) but it can't access any auth tokens for ghcr (the real domain)?

bmitch3020 · 2h ago
Blog author (and OCI maintainer) here. The request to get a bearer token sends the password or PAT using the basic auth header, base64 encoded, but otherwise clear-text. That's the request the www-authenticate header is triggering. Once the token is received, the registry uses that to verify access, and that eventually expires. But the attacker isn't getting the token, they are requesting the credentials that would be used to acquire a bearer auth token.