Anyone can Access Deleted and Private Repository Data on GitHub

GitHub allows access to data from deleted and private repositories due to its repository architecture. This includes data from deleted forks and commits linked to public repositories, leading to potential exposure of sensitive information. A new term, Cross Fork Object Reference (CFOR), describes vulnerabilities where one fork can access another's sensitive data. Examples highlight that such data remains accessible even after deletion, primarily through known commit hashes. GitHub policies confirm this design, posing serious security implications for public repository users, as misuse could lead to leakage of confidential information. Key rotation is advised for secure handling of exposed secrets.
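
The following added example (not code from the original article or from GitHub) is a simplified model of why deleting a fork does not remove its commits and why rotation is the only reliable fix. It assumes a fork network that shares one content-addressed object store; `ForkNetwork`, `triage` and the repository names are hypothetical, and the secret value is constructed.

```python
import hashlib


class ForkNetwork:
    """Simplified model (an assumption, not GitHub's implementation): all forks
    share one object store; each repository owns only its refs."""

    def __init__(self):
        self.objects = {}  # commit hash -> content, shared network-wide
        self.refs = {}     # repo name -> {branch: commit hash}

    def create_repo(self, name, forked_from=None):
        self.refs[name] = dict(self.refs.get(forked_from, {}))

    def commit(self, repo, branch, content):
        # SHA-1 of the content stands in for a real Git commit hash.
        digest = hashlib.sha1(content.encode()).hexdigest()
        self.objects[digest] = content
        self.refs[repo][branch] = digest
        return digest

    def delete_repo(self, name):
        del self.refs[name]  # only the refs disappear; objects stay

    def referenced(self, digest):
        return any(digest in b.values() for b in self.refs.values())

    def fetch_by_hash(self, repo, digest):
        if repo not in self.refs:
            raise KeyError(f"no such repository: {repo}")
        return self.objects.get(digest)


def triage(network, repo, digest):
    """Defender's view of a commit known to have contained a secret."""
    if network.fetch_by_hash(repo, digest) is None:
        return "not retrievable"
    if network.referenced(digest):
        return "rotate: still on a branch"
    return "rotate: no branch points to it, but the hash still resolves"


def demo():
    net = ForkNetwork()
    net.create_repo("upstream/project")
    net.commit("upstream/project", "main", "initial commit")
    net.create_repo("alice/project", forked_from="upstream/project")
    leaked = net.commit("alice/project", "main", "API_KEY=constructed-example-value")
    before = triage(net, "upstream/project", leaked)
    net.delete_repo("alice/project")  # the fork is deleted
    return before, triage(net, "upstream/project", leaked)
```

In this model the triage result never drops to "not retrievable" after the fork is deleted, which is why the exposed key has to be rotated rather than relying on deletion.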