A flaw in GitHub’s namespace retirement feature could have allowed attackers to gain access to another user’s repository.
Dubbed ‘repojacking’ by researchers from Checkmarx, the technique could have enabled malicious actors to bypass the protections against takeover of “retired” GitHub namespaces.
Each GitHub repository has a unique URL, nested under the user account that created it. The username and the linked URL together are called a ‘namespace’.
When a user renames their GitHub account, the platform redirects their old URLs to the new ones.
However, this redirect was found to be vulnerable to “a logical flaw that breaks the original redirect”.
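As an added example that is not part of the article or of Checkmarx’s research: a Python audit that lists the GitHub namespaces referenced by a project’s dependency manifests and, using a resolver that does not follow redirects, flags those whose owner has been renamed (GitHub answers with a redirect to the new namespace) or which no longer resolve. The manifest lines, owner and repository names and canned HTTP responses are constructed for the example.

```python
import re
from typing import Callable, Dict, List, Tuple

# github.com/<owner>/<repo> as written in requirements.txt (git+https URLs),
# go.mod module paths and package.json "github:" shorthand.
GITHUB_REF = re.compile(r"(?:github\.com/|github:)([A-Za-z0-9-]+)/([A-Za-z0-9._-]+)")
Resolver = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, Location header)

def extract_namespaces(manifest_lines: List[str]) -> List[Tuple[str, str]]:
    """Unique (owner, repo) namespaces referenced by the manifest, in order."""
    seen: Dict[Tuple[str, str], None] = {}
    for line in manifest_lines:
        for owner, repo in GITHUB_REF.findall(line):
            seen.setdefault((owner, repo[:-4] if repo.endswith(".git") else repo), None)
    return list(seen)

def classify(owner: str, repo: str, resolve: Resolver) -> str:
    """Classify one namespace from the status of its canonical URL. `resolve`
    must not follow redirects: a 301/302 means the owner renamed the account and
    GitHub now serves the repo from a new namespace, so the old one (the one the
    retirement feature is meant to protect) should no longer be referenced."""
    status, location = resolve(f"https://github.com/{owner}/{repo}")
    if status == 200:
        return "ok"
    if status in (301, 302) and location:
        return f"redirected -> {location}: re-pin to the new namespace"
    if status == 404:
        return "not found: reference no longer resolves, replace or remove it"
    return f"unexpected status {status}"

def audit(manifest_lines: List[str], resolve: Resolver) -> Dict[str, str]:
    """Map each referenced namespace to its classification."""
    return {f"{o}/{r}": classify(o, r, resolve) for o, r in extract_namespaces(manifest_lines)}

# Constructed sample manifest lines and canned responses so the audit runs offline.
SAMPLE_MANIFEST = [
    "git+https://github.com/old-owner/tool.git@v1.2#egg=tool",
    "github.com/alice/parser v1.4.0",
    '"helper": "github:bob/helper#main",',
    "requests==2.31.0",
]
CANNED = {
    "https://github.com/old-owner/tool": (301, "https://github.com/new-owner/tool"),
    "https://github.com/alice/parser": (200, ""),
    "https://github.com/bob/helper": (404, ""),
}

def canned_resolver(url: str) -> Tuple[int, str]:
    """Stand-in for a real HEAD request; returns the constructed responses above."""
    return CANNED.get(url, (0, ""))
```

For a live run, plug in a resolver that issues a HEAD request without following redirects (for example one built on Python’s http.client, which never follows them) and returns the status and Location header.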