Github Intentionally Lets You Read Deleted & Private Commits

Views: 10,343

John Hammond

1 day ago

jh.live/snyk || Try Snyk for free and find vulnerabilities in your code and applications! ➡ jh.live/snyk
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricet...
Learn Coding: jh.live/codecr...
Don't listen to other "influencer" VPN crap -- host YOUR OWN: jh.live/openvpn
WATCH MORE:
Dark Web & Cybercrime Investigations: • Tracking Cybercrime on...
Malware & Hacker Tradecraft: • Malware Analysis & Thr...
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥KZbin ALGORITHM ➡ Like, Comment, & Subscribe!

Comments: 50

@PwnySlaystation01 · 1 day ago
I wonder what the implications for the DMCA are here. Example: I fork a major public repo and commit copyrighted code/writing to my forked copy... Say I commit the first Harry Potter novel. My repo gets hit with a DMCA takedown request, so it gets deleted (because legally, it has to be). Now I can just post the hash and anyone can visit it? I ASSUME GitHub can manually delete the commit "for real" in a case like this, but I'm curious. It'd have to be removed from the parent repo, right? And other forks?

@amunak_ · 1 day ago
When a repo gets hit with a DMCA, all its forks disappear too, IIRC.

@FranLegon · 1 day ago
That's a nice exploit you're suggesting.

@wizix9877 · 1 day ago
Was thinking the same thing, but with distributing files, or a kill switch in case of C2.

@asksearchknock · 1 day ago
GitHub security is totally forked 😂

@fruitloop831 · 1 day ago
😂 I know, right. Good content, shite info IMO.

@tpevers1048 · 1 day ago
Nah, they are fixing it, stop telling this to everyone 😢

@fruitloop831 · 1 day ago
@tpevers1048 Fixing? This has been easy to do for years; the only reason they're "fixing" it is because of the attention it is getting. You really think it's going to be fixed? You're kidding yourself.

@takennmc · 1 day ago
You could also clone the repo and filter out any commit that is normally public, so it doesn't always hit the API.

@kaslmineer7999 · 1 day ago
3:36: [Discord notification sound]

@luketurner314 · 23 hours ago
I legit thought it was my Discord, but since I couldn't find any evidence there I replayed that bit of the video to confirm. lol

@CrittingOut · 7 hours ago
3 of them this video lmfao

@TheMAZZTer · 1 day ago
The next question is: does this work for DMCAed repos?

@bradley144 · 1 day ago
If you know the commit hash, then yes.

@logiciananimal · 1 day ago
GitHub could be much more proactive with the rate limiting in various ways, thus lowering the risk of discovery. This is also a "can I find a way to steal *that* car" vs. "can I find a way to steal *a* car" situation, which is context dependent.

@guiorgy · 12 hours ago
It's a cat and mouse game. If there's a rate limit on each IP, just get a couple of systems, maybe rent them, and increase the scanning speed that way.

@HEXiT_ · 1 day ago
This is common. You delete something and it doesn't get deleted; just your access to it is removed. Meta and Google both do the same too :(

@ParabolicLabs · 1 day ago
I always recommend hosting your own git server with SSH keys for auth, specifically for private repos.

@MyRandomness987 · 1 day ago
3 total Discord sounds heard lol. Love your videos!

@austinmurphy9074 · 22 hours ago
You gotta turn off your Discord notification sounds when you record 😆

@MD101-ssh · 1 day ago
Dude, that's crazy.

@xanzut · 1 hour ago
So if you somehow found some sensitive information from some company on GitHub, you can fork the repo and still access the information even if the original repo is deleted 😂 Their IT security would cry over this.

@mingxi1055 · 1 day ago
Concerning, indeed.

@austinmurphy9074 · 22 hours ago
So if someone forks a public repo then makes it private, are those commits accessible from the public upstream one? 🤔

@icebice · 1 day ago
SHA-1 isn't actually long, so brute-forcing a repo with X amount of proxies/VPNs is still viable, and there are a lot of VPNs and proxies available on the internet 😅 Yeah, it'll be slow, but in the end it will successfully gain access to viable data.

@alexanderw4714 · 1 day ago
Is this related to GitHub only? What about GitLab?

@jitxhere · 1 day ago
Wow, this is at least a P1 if not P0 level thing.

@Randy-nb6fw · 1 day ago
Would it be possible to use Google dorking to find these, or would they not really be picked up??

@Randy-nb6fw · 1 day ago
Just tried, but could only find people talking about related issues, POC code and people talking about it lol. Maybe somebody else might have better luck.

@planixxx · 1 day ago
Why not count from 0 to 65535 in hexadecimal? It will be between 0x0000 and 0xFFFF, which will include the whole range. Am I missing something here?

@Darius1013 · 1 day ago
This is exactly what itertools.product() does, but instead of 0x0000 0x0001 ... 0xffff you will get (if used with JH's sequence): 0xaaaa 0xaaab ... 0xaaa1 0xaaa2 .. 0xfff0 .. 0xffff. If you want 0000 to ffff, initial chars = '0123456789abcdef'. OK, performance-wise maybe hex+1 is faster, but it's such a minimal difference. The slowest operation here is the request, and if you want flexibility (like you know for sure the initial hash doesn't have a 0 in it) itertools is way better.

@Darius1013 · 1 day ago
Damn, you made me look... On 4 chars there is no difference, results in both cases come in at like 0.005s. But if we increase it to 6 chars, hex+1 is ~20% faster, but again we are talking like 2.5s vs 2s for generation (these results are from an online compiler, so on a real PC they are probably even lower).

@SmilerRyanYT · 1 day ago
So just to make sure I'm understanding this correctly: if someone forks a public repo for themselves, makes it private, edits some stuff and deletes it, the original repo can still see that as long as you know the git commit hash?

@zacadoole1 · 1 day ago
I don't think you can technically make a private fork of a public repo, they won't let you.

@SmilerRyanYT · 1 day ago
@zacadoole1 Seems like you're right. You can only fork them publicly and can't edit them to be private once they're made, so that's good to know.

@fruitloop831 · 1 day ago
Yeah, this is old news, but it should be mentioned/referenced on the page.

@TomCopeProductions · 1 day ago
If you are going to shill other people's work, please link it in the description; it's the least you can do.

@Linda-n7v · 1 day ago
😮 ✋️ I have so much to learn. 😊 ty

@thripnixe · 16 hours ago
Bro is two months late.

@adriantarver2229 · 1 day ago
More like C4! 💥💥💥

@megatron324 · 1 day ago
Her name is Amber.

@Abhinav-Dash05 · 1 day ago
Now I know why OpenAI is now not interested in issuing API keys to me. Why GitHub whyyyyyyy 😢

@Apoplexy18 · 22 hours ago
WTF

@ThisIsJustADrillBit · 1 day ago
Oopsie 😂 what could go wrong 😅

@KLEOPATTRAA999 · 3 hours ago
🏦🏦🏦🏦🏦🏦🏦🏦🏦👌😏🤗🙌🙌🙌🙌🙌🙌🙌 Thank you Thank you my friend and well wisher Hare Krsna Allah!!!

@pphreak_1001 · 1 day ago
Interesting 👌

@codecaine · 1 day ago