* . *
  • About
  • Advertise
  • Privacy & Policy
  • Contact
Sunday, September 7, 2025
Earth-News
  • Home
  • Business
  • Entertainment
    Victor Garber on his viral “And Just Like That” toilet scene: ‘I was delighted to be doing something ridiculous’ (exclusive) – yahoo.com

    Victor Garber on his viral “And Just Like That” toilet scene: ‘I was delighted to be doing something ridiculous’ (exclusive) – yahoo.com

    Pendulum Announce Homecoming 2026 Australian Tour – yahoo.com

    Pendulum Announces Thrilling Homecoming Tour Across Australia in 2026

    ITV Studios Launches New Entertainment Label – Global Bulletin – IMDb

    ITV Studios Unveils Exciting New Entertainment Label

    TS Entertainment bringing Malibu Jack’s to former Owensboro mall – Lane Report

    TS Entertainment Launches Malibu Jack’s at Former Owensboro Mall Location

    Jenny Han Dropped a Major ‘The Summer I Turned Pretty’ Easter Egg Revealing [SPOILER] – yahoo.com

    Jenny Han Just Unveiled a Huge ‘The Summer I Turned Pretty’ Easter Egg That Changes Everything [SPOILER]

    Liam Payne’s Cousin Ross Harris Honors Late Singer With Emotional Song ‘Bones’ – yahoo.com

    Liam Payne’s Cousin Ross Harris Honors Late Singer with Emotional New Song ‘Bones

  • General
  • Health
  • News

    Cracking the Code: Why China’s Economic Challenges Aren’t Shaking Markets, Unlike America’s” – Bloomberg

    Trump’s Narrow Window to Spread the Truth About Harris

    Trump’s Narrow Window to Spread the Truth About Harris

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Trending Tags

    • Trump Inauguration
    • United Stated
    • White House
    • Market Stories
    • Election Results
  • Science
  • Sports
  • Technology
    Coherent Joins LLNL’s STARFIRE Diode Technology Working Group to Advance Inertial Fusion Energy – GlobeNewswire

    Coherent Partners with LLNL’s STARFIRE Team to Drive Breakthroughs in Inertial Fusion Energy

    Gene Associated With Deadly Heart Disease in Golden Retrievers Identified – Technology Networks

    Breakthrough Discovery Uncovers Gene Behind Deadly Heart Disease in Golden Retrievers

    Monkey Island LNG Picks ConocoPhillips’ Liquefaction Technology – Hart Energy

    Monkey Island LNG Selects ConocoPhillips’ Advanced Liquefaction Technology for Next-Gen Energy Solutions

    Credo Technology Group Holding Ltd. (CRDO) Surpasses Q1 Earnings and Revenue Estimates – Yahoo Finance

    Credo Technology Group Surpasses Q1 Earnings and Revenue Expectations

    The Economist is hiring a science and technology correspondent – The Economist

    Exciting Opportunity: Become Our Next Science and Technology Correspondent!

    Blockchain lender Figure Technology seeks to raise up to $526M in IPO (FIGR:Pending) – Seeking Alpha

    Blockchain Lender Figure Technology Sets Sights on $526M in Thrilling IPO Launch

    Trending Tags

    • Nintendo Switch
    • CES 2017
    • Playstation 4 Pro
    • Mark Zuckerberg
No Result
View All Result
  • Home
  • Business
  • Entertainment
    Victor Garber on his viral “And Just Like That” toilet scene: ‘I was delighted to be doing something ridiculous’ (exclusive) – yahoo.com

    Victor Garber on his viral “And Just Like That” toilet scene: ‘I was delighted to be doing something ridiculous’ (exclusive) – yahoo.com

    Pendulum Announce Homecoming 2026 Australian Tour – yahoo.com

    Pendulum Announces Thrilling Homecoming Tour Across Australia in 2026

    ITV Studios Launches New Entertainment Label – Global Bulletin – IMDb

    ITV Studios Unveils Exciting New Entertainment Label

    TS Entertainment bringing Malibu Jack’s to former Owensboro mall – Lane Report

    TS Entertainment Launches Malibu Jack’s at Former Owensboro Mall Location

    Jenny Han Dropped a Major ‘The Summer I Turned Pretty’ Easter Egg Revealing [SPOILER] – yahoo.com

    Jenny Han Just Unveiled a Huge ‘The Summer I Turned Pretty’ Easter Egg That Changes Everything [SPOILER]

    Liam Payne’s Cousin Ross Harris Honors Late Singer With Emotional Song ‘Bones’ – yahoo.com

    Liam Payne’s Cousin Ross Harris Honors Late Singer with Emotional New Song ‘Bones

  • General
  • Health
  • News

    Cracking the Code: Why China’s Economic Challenges Aren’t Shaking Markets, Unlike America’s” – Bloomberg

    Trump’s Narrow Window to Spread the Truth About Harris

    Trump’s Narrow Window to Spread the Truth About Harris

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    Israel-Gaza war live updates: Hamas leader Ismail Haniyeh assassinated in Iran, group says

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    PAP Boss to Niger Delta Youths, Stay Away from the Protest

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Court Restricts Protests In Lagos To Freedom, Peace Park

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Fans React to Jazz Jennings’ Inspiring Weight Loss Journey

    Trending Tags

    • Trump Inauguration
    • United Stated
    • White House
    • Market Stories
    • Election Results
  • Science
  • Sports
  • Technology
    Coherent Joins LLNL’s STARFIRE Diode Technology Working Group to Advance Inertial Fusion Energy – GlobeNewswire

    Coherent Partners with LLNL’s STARFIRE Team to Drive Breakthroughs in Inertial Fusion Energy

    Gene Associated With Deadly Heart Disease in Golden Retrievers Identified – Technology Networks

    Breakthrough Discovery Uncovers Gene Behind Deadly Heart Disease in Golden Retrievers

    Monkey Island LNG Picks ConocoPhillips’ Liquefaction Technology – Hart Energy

    Monkey Island LNG Selects ConocoPhillips’ Advanced Liquefaction Technology for Next-Gen Energy Solutions

    Credo Technology Group Holding Ltd. (CRDO) Surpasses Q1 Earnings and Revenue Estimates – Yahoo Finance

    Credo Technology Group Surpasses Q1 Earnings and Revenue Expectations

    The Economist is hiring a science and technology correspondent – The Economist

    Exciting Opportunity: Become Our Next Science and Technology Correspondent!

    Blockchain lender Figure Technology seeks to raise up to $526M in IPO (FIGR:Pending) – Seeking Alpha

    Blockchain Lender Figure Technology Sets Sights on $526M in Thrilling IPO Launch

    Trending Tags

    • Nintendo Switch
    • CES 2017
    • Playstation 4 Pro
    • Mark Zuckerberg
No Result
View All Result
Earth-News
No Result
View All Result
Home Technology

FYI: Data from deleted GitHub repos may not actually be deleted

July 25, 2024
in Technology
FYI: Data from deleted GitHub repos may not actually be deleted
Share on FacebookShare on Twitter

Researchers at Truffle Security have found, or arguably rediscovered, that data from deleted GitHub repositories (public or private) and from deleted copies (forks) of repositories isn’t necessarily deleted.

Joe Leon, a security researcher with the outfit, said in an advisory on Wednesday that being able to access deleted repo data – such as APIs keys – represents a security risk. And he proposed a new term to describe the alleged vulnerability: Cross Fork Object Reference (CFOR).

“A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks),” Leon explained.

For example, the firm showed how one can fork a repository, commit data to it, delete the fork, and then access the supposedly deleted commit data via the original repository.

The researchers also created a repo, forked it, and showed how data not synced with the fork continues to be accessible through the fork after the original repo is deleted. You can watch that particular demo below.

Youtube Video

According to Leon, this scenario came up last week with the submission of a critical vulnerability report to a major technology company involving a private key for an employee GitHub account that had broad access across the organization. The key had been publicly committed to a GitHub repository. Upon learning of the blunder, the tech biz nuked the repo thinking that would take care of the leak.

“They immediately deleted the repository, but since it had been forked, I could still access the commit containing the sensitive data via a fork, despite the fork never syncing with the original ‘upstream’ repository,” Leon explained.

Leon added that after reviewing three widely forked public repos from large AI companies, Truffle Security researchers found 40 valid API keys from deleted forks.

You can fork off

Clearly this is a problem. But it’s not so much of a problem that GitHub considers CFOR a legitimate vulnerability. In fact, the Microsoft-owned code-hosting giant considers it a feature, not a bug.

When informed of the situation through its Vulnerability Disclosure Program, GitHub responded: “This is an intention design decision and is working as expected as noted in our [documentation].”

This is an intention design decision and is working as expected

This, evidentially, has been known for years. One individual claims to have notified GitHub of the vulnerability back in 2018 and received a similar response.

In a phone interview with The Register, Dylan Ayrey, co-founder and CEO of Truffle Security, explained that the issue comes down to something called a dangling commit.

“A dangling commit is a git primitive,” Ayrey explained. “It’s not a GitHub primitive. So a dangling commit can exist in any git platform – Bitbucket, GitLab, GitHub, etc. And a dangling commit is basically within a given code repository, you have a tree and that tree represents the history for that project, so all the old versions of the code that are linked together.”

A git commit captures a snapshot of a repository’s state at a specific point in time, including changes to both code and data. Each commit is uniquely identified by a cryptographic hash. While deleting a branch, for example, removes the reference to a particular commit chain, the commits themselves are not deleted from the repository’s object database.

“Those dangling commits, those are like a fundamental documented part of git itself,” said Ayrey, who explained that how git platforms deal with dangling commits is a platform decision rather than a git specification.

Bitbucket, GitLab, and GitHub, said Ayrey, have those commits even when the connection to the code tree is severed. If you have the identifier to directly access them, you can still download the associated data.

Oops. Apple relied on bad code while flaming Google Chrome’s Topics ad tech

The months and days before and after CrowdStrike’s fatal Friday

Kaspersky says Uncle Sam snubbed proposal to open up its code for third-party review

Forget security – Google’s reCAPTCHA v2 is exploiting users for profit

Ayrey said this is widely known. But there’s an adjacent issue having to do with forks – copied repositories – that’s more specific to GitHub. Forks, he explained, are not part of the git spec, so each platform has its own implementation.

Ayrey said for GitHub, dangling commits can be downloaded via a fork if you have the identifying hash, or some portion of it.

“If you have the identifier you can download them from the repository that they were originally pushed to,” he explained. “It turns out you can also download them through any fork of that repository. And it works bi-directionally. So from the parent, you can download that dangling commit from the fork and from the fork you can download that dangling commit from the parent.”

“What we found is even if you delete the parent, and the commit was pushed to the parent, that dangling commit not only still lives on, but you can download it through the child even though it was pushed to the parent, it was never pulled into the child, and the parent was deleted, you can now access that dangling commit.”

That dangling commit not only still lives on, you can download it through the child even though it was pushed to the parent

What’s more, Ayrey explained, you don’t even need the full identifying hash to access the commit. “If you know the first four characters of the identifier, GitHub will almost auto-complete the rest of the identifier for you,” he said, noting that with just sixty-five thousand possible combinations for those characters, that’s a small enough number to test all the possibilities.

Asked about the risks this presents, Ayrey said there’s a GitHub events archive that records all public GitHub actions. And he said that just as the Sunlight Foundation’s archive of tweets could be used to research public social media statements, GitHub’s event archive can be used for forensic investigation into what tech companies have been doing.

“If [tech companies] delete code, if they’re going out of their way to delete something, it doesn’t always mean anything,” he explained. “But oftentimes it means something. It could mean a key or password [was exposed]. It could mean they accidentally pushed up a machine learning data set. We’ve seen that before. Or it could mean – and this is rare – [that] attacker actually backdoored their project and they were a little bit embarrassed about it … so they just deleted the backdoor.”

Asked how GitHub should respond, Ayrey mused, “If a platform makes a vulnerability, documents it, and explains that this is something that you should be aware of that’s a known risk, does that make it less of a vulnerability?

“What I would probably advocate for, if I worked there, is that this fork pool isn’t shared between forks, that the commits that you push to one fork can’t be downloaded through another fork. The other thing that I would probably advocate for is a new feature to be built that allows you to actually permanently delete commits and not just leave them dangling.”

Truffle Security argues that GitHub should reconsider its position because the average user expects there to be a distinction between public and private repos in terms of data security, which isn’t always true. And there’s also the expectation that the act of deletion should remove commit data, which again has been shown to not always be the case.

A GitHub spokesperson told The Register, “GitHub is committed to investigating reported security issues. We are aware of this report and have validated that this is expected and documented behavior inherent to how fork networks work. You can read more about how deleting or changing visibility affects repository forks in our documentation.” ®

>>> Read full article>>>
Copyright for syndicated content belongs to the linked Source : The Register – https://go.theregister.com/feed/www.theregister.com/2024/07/25/data_from_deleted_github_repos/

Tags: DeletedGitHubtechnology
Previous Post

NASA sends 4K video from a flying plane to the ISS using lasers

Next Post

OpenAI unveils AI search engine SearchGPT – not that you’re allowed to use it yet

Reformulation of general relativity brings it closer to Newtonian physics – Physics World

Reformulation of general relativity brings it closer to Newtonian physics – Physics World

September 7, 2025
Trump’s Economy Fails Arkansans as Unemployment Reaches Four-Year High – SWARK Today

Trump’s Economy Fails Arkansans as Unemployment Reaches Four-Year High – SWARK Today

September 7, 2025
Victor Garber on his viral “And Just Like That” toilet scene: ‘I was delighted to be doing something ridiculous’ (exclusive) – yahoo.com

Victor Garber on his viral “And Just Like That” toilet scene: ‘I was delighted to be doing something ridiculous’ (exclusive) – yahoo.com

September 7, 2025
Heroes on the Hill event addresses mental health for vets, first responders – CBS News

Heroes on the Hill: Tackling Mental Health Challenges for Vets and First Responders

September 7, 2025

Trump signs executive order creating ‘state sponsor of wrongful detention’ designation – CNN

September 7, 2025
Ecology issues $738K penalty against downtown Walla Walla Chevron owner – Union-Bulletin

Ecology issues $738K penalty against downtown Walla Walla Chevron owner – Union-Bulletin

September 6, 2025
What the science says about acetaminophen, pregnant mothers and autism – NBC News

What the science says about acetaminophen, pregnant mothers and autism – NBC News

September 6, 2025
RFK Jr accused of ‘reckless disregard for science and the truth’ in Senate hearing – The Guardian

RFK Jr. Faces Fierce Backlash for ‘Reckless Disregard for Science and Truth’ in Heated Senate Hearing

September 6, 2025
Start The Go-Go Years Today: Ignite Your Early Retirement Lifestyle – Forbes

Start The Go-Go Years Today: Ignite Your Early Retirement Lifestyle – Forbes

September 6, 2025
When Sports Teach More Than Skills – American Enterprise Institute

When Sports Teach More Than Skills – American Enterprise Institute

September 6, 2025

Categories

Archives

September 2025
MTWTFSS
1234567
891011121314
15161718192021
22232425262728
2930 
« Aug    
Earth-News.info

The Earth News is an independent English-language daily published Website from all around the World News

Browse by Category

  • Business (20,132)
  • Ecology (810)
  • Economy (829)
  • Entertainment (21,706)
  • General (16,893)
  • Health (9,870)
  • Lifestyle (841)
  • News (22,149)
  • People (830)
  • Politics (835)
  • Science (16,039)
  • Sports (21,327)
  • Technology (15,808)
  • World (810)

Recent News

Reformulation of general relativity brings it closer to Newtonian physics – Physics World

Reformulation of general relativity brings it closer to Newtonian physics – Physics World

September 7, 2025
Trump’s Economy Fails Arkansans as Unemployment Reaches Four-Year High – SWARK Today

Trump’s Economy Fails Arkansans as Unemployment Reaches Four-Year High – SWARK Today

September 7, 2025
  • About
  • Advertise
  • Privacy & Policy
  • Contact

© 2023 earth-news.info

No Result
View All Result

© 2023 earth-news.info

No Result
View All Result

© 2023 earth-news.info

Go to mobile version