Back to Blog
Resources

Security Breach in Stripe Repo: A Deep Dive into the "Pwn Request" Vulnerability

The Vulnerability in Stripe’s GitHub Actions Workflow Shows Why Securing CI/CD Pipelines Is Essential
Shubham Malik

October 14, 2024

Table of Contents

A security researcher exploited a 'pwn request' vulnerability in a public Stripe repository, allowing them to merge unauthorized commits into the main branch and exfiltrate the workflow’s GitHub token to a researcher-controlled endpoint. This breach underscores the severe risks that insecure GitHub Actions workflows pose to repositories, including unauthorized code changes and CI/CD credential leaks.

The Vulnerability Explained

Multiple workflows in the repository were vulnerable to a classic Pwn Request vulnerability. This is one of the vulnerable workflows.

1. The workflow ran on a risky trigger - pull_request_target

Risky workflow trigger
Risky workflow trigger

2. The vulnerable job checked out code using an explicit ref of the pull request

Workflow checks out code using an explicit ref
Workflow checks out code using an explicit ref

The pull_request_target event trigger is one of several risky triggers because it runs with higher privileges, including access to sensitive repository secrets like the GitHub token. When workflows check out code from an explicit ref that originates from an untrusted fork, the combination becomes exploitable. This is particularly dangerous when workflows fail to implement proper security controls, such as limiting token scope and using strict branch protection rules.

The Attack Breakdown

The attack unfolded in a few key steps. First, the researcher forked the Stripe repository and submitted a pull request (PR) containing malicious code. The repository’s GitHub Actions workflow, triggered by the pull_request_target event, allowed the researcher’s code to run in the context of the repository, giving access to the repository’s GitHub token. The researcher then exploited this access by exporting the GitHub token. With the token in hand, the researcher was able to automatically merge their PR into the main branch, bypassing typical review processes. In a subsequent PR, the researcher further demonstrated the exploit by exfiltrating the GitHub token to a remote server using wget.

1. This is the pull request from the researcher that was merged. https://github.com/stripe-samples/accept-a-payment/pull/2719  

Researcher's merged pull request
Researcher's merged pull request

2. The exploit code exports the GITHUB_TOKEN from git config

Exploit code exporting GITHUB_TOKEN
Exploit code exporting GITHUB_TOKEN

3. And uses the token to merge the pull request into the main branch

Exported GITHUB_TOKEN being used to merge PR
Exported GITHUB_TOKEN being used to merge PR

Another pull request was created to exfiltrate the GitHub token to the researcher-controlled endpoint.  

https://github.com/stripe-samples/accept-a-payment/pull/2723/files  

1. This is exploit pull request that exfiltrates the GitHub token

Exploit pull request to exfiltrate GITHUB_TOKEN
Exploit pull request to exfiltrate GITHUB_TOKEN

2. It was exfiltrated using wget to researcher controlled endpoint

Researcher controlled exfiltration endpoint
Researcher controlled exfiltration endpoint

Also read: Analysis of Backdoored XZ Utils Build Process with Harden-Runner

Implications and Risks

This incident reveals several critical security risks that apply not only to Stripe's repository but to any repository using GitHub Actions:

1. Unauthorized Code Execution: Malicious actors can execute arbitrary code in the repository’s CI/CD pipeline, potentially injecting backdoors or altering the software being built.

2. CI/CD Credentials Theft: The exposure of GitHub tokens or other CI/CD secrets grants attackers access to package registries, cloud environments, and the code repository.

3. Unauthorized Merges: Automated merging of PRs using stolen tokens allows attackers to bypass manual review processes, leading to significant security risks and potential supply chain compromises.

protect your ci/cd pipelines

Preventing Future Attacks

StepSecurity offers essential protection for GitHub Actions workflows with two key features:

1. Vulnerability Scanning: By scanning workflows across an organization, StepSecurity can identify workflows that are vulnerable to pwn request-style attacks and flag risky configurations like pull_request_target before they lead to compromise.

2. Credential Exfiltration Prevention: StepSecurity’s Harden-Runner adds network egress control and runtime security, preventing sensitive data like GitHub tokens from being exfiltrated by malicious code. This feature has proven effective, detecting exfiltration attempts in projects like Google’s open-source Flank - https://www.stepsecurity.io/case-studies/flank

Summary

This incident highlights the importance of adopting secure practices when configuring GitHub Actions workflows. These workflows are a critical part of modern development pipelines, but without proper safeguards, they can become an avenue for attacks like the pwn request vulnerability. Implementing strict workflow configurations, enhancing token security, and adhering to robust branch protection policies are vital steps in securing any CI/CD pipeline.

Blog

Explore Related Posts