Author

Topic: Just because It’s on GitHub. It doesn’t mean it’s safe> (Read 419 times)

legendary
Activity: 3472
Merit: 10611
Even if it *was* legitimate yesterday does not mean it's legitimate today.
There is large github hack / breach from compromised accounts.

https://motherboard.vice.com/en_us/article/vb9v33/github-bitbucket-repositories-ransomware

-Dave

FWIW this issue is because of wrong usage of git by those "developers". basically they were all storing their credentials in plaintext inside their .git/config which they should never do and also that folder which should not be accessible to anyone was easily obtained!
this is not new either. it has been an issue for years. here is a 2015 article: https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Even if it *was* legitimate yesterday does not mean it's legitimate today.
There is large github hack / breach from compromised accounts.

https://motherboard.vice.com/en_us/article/vb9v33/github-bitbucket-repositories-ransomware

-Dave
legendary
Activity: 3472
Merit: 10611
~
Most of the time the file doesn't even have anything to do with the source code being shown in the repo. Heck, sometimes there isn't even any code. The repo is just empty and they uploaded a random file to make use of the "GitHub" domain.

When the Electrum phishing messages were happening, they were linking files on GitHub for people to download. And all their repo were empty. Being hosted on GitHub means literally nothing.

the good news about these cases is that GitHub is vigilant about these types of malicious usage of their service and if you report them, they close the account and the repository fast enough specially when they are abusing the name of a popular project like Electrum.
so far i have personally reported a handful of these cases and before the day ended it was closed down.
legendary
Activity: 2758
Merit: 6830
Great suggestion. People usually afraid to download files/programs from cloud storages or file sharing websites. But if it's uploaded on Github, most people think that program is safe to use. Open source file unfortunately doesn't mean that program is safe to use. The problem that majority of people don't have skills and knowledge to review every line of code, so they trust in program just because it's open source and uploaded on Github. Personally, I also don't have knowledge to review each line of code, but I don't download random programs. I'm always looking if it's been reviewed by someone already, I also avoid files if it's been uploaded by new user.
Most of the time the file doesn't even have anything to do with the source code being shown in the repo. Heck, sometimes there isn't even any code. The repo is just empty and they uploaded a random file to make use of the "GitHub" domain.

When the Electrum phishing messages were happening, they were linking files on GitHub for people to download. And all their repo were empty. Being hosted on GitHub means literally nothing.
legendary
Activity: 3234
Merit: 1375
Slava Ukraini!
Great suggestion. People usually afraid to download files/programs from cloud storages or file sharing websites. But if it's uploaded on Github, most people think that program is safe to use. Open source file unfortunately doesn't mean that program is safe to use. The problem that majority of people don't have skills and knowledge to review every line of code, so they trust in program just because it's open source and uploaded on Github. Personally, I also don't have knowledge to review each line of code, but I don't download random programs. I'm always looking if it's been reviewed by someone already, I also avoid files if it's been uploaded by new user.
I don't even talk about Play Store. There is so much shit there because everyone can upload programs there after paying small fee and these files are not reviewed by anyone before uploading it. You must be very careful on Google Play.
legendary
Activity: 2702
Merit: 4002
I edited the topic by adding important tips from the comments above (I'm sorry if I've had to cut some parts just for a shortcut.)
I noticed are that many scammers have been using this method to gain trust.
Even if the wallet/app is working, it does not mean that you are safe. "There may be some hidden add-ons to steal your key or clipboard viruses."
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
always have a strong AV on your computer if you are found of downloading this hosted files[/li][/list]
Because you mentioned about Virustotal, here we go:
[Guide] Virustotal scan guideline to detect viruses, trojans, malwares, worms
Maybe, someone who have not heard about Virustotal and not known how to use it will see my topic is helpful for their interests.
member
Activity: 406
Merit: 10
The rate at which people trust programmes just because it's on GitHub is surprising, many hackers will take this to their advantage and hide dangerous codes within programmes because they know most people won't bother to check.
copper member
Activity: 1204
Merit: 737
✅ Need Campaign Manager? TG > @TalkStar675
Blindly depending on something isn't a wise decission in my opinion. Nowadays its hard to find secure platforms where there is no chance of getting hacked. As an example its been just few month that playstore have made their rules strict for app listing but you can see lots of worse quality mobile apps still now on there. In previous time it was quite easier for anyone to list their mobile apps on there and most of these apps were bookmark app.

In this modern world everything is getting update day by day. As same as fraudlent activators are also setting their traps on every single places where we they know that its very much trusted to us.
full member
Activity: 168
Merit: 214
WhoTookMyCrypto.com
Yes, open source does not automatically = safe. It just means the source code is available for others to view. People often think sunlight is the best disinfectant but in this case, making something open also means that scammers have access to it.

Perfect example. Fake electrum wallet that was on Github.

For those who are unaware of what happened:
Quote
The attack resulted in legitimate Electrum wallet apps showing a message on users' computers, urging them to download a malicious wallet update from an unauthorized GitHub repository.

The attack began last week on Friday, December 21, and appears to have been temporarily stopped earlier today after GitHub admins took down the hacker's GitHub repository.

Source: https://www.zdnet.com/article/users-report-losing-bitcoin-in-clever-hack-of-electrum-wallets/
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Don't forget the fact they put their application/installer on commit, rather than releases page.

Code:
https://github.com///releases

2. number of commits. which shows the activity of the project, a scam project doesn't have that many commits. usually scammers make the malicious code and put it up, that's it!

Take note few project have lots of commit on "development" branch, but very few commit on default/master branch because they use squash merging on pull request.
copper member
Activity: 2114
Merit: 1814
฿itcoin for all, All for ฿itcoin.
True, some members fall victim to download malicious file because they think that if a project is hosted on GitHub, it's safe.
Things to be suspicious of are:

1. The profile Age and activityy;
Very many times, the GitHub profile age is a few days or months old with less activity
Here is a scam I uncovered a few days ago with an attempt to spread malware

OWL Coin - Malware in the wallet [DO NOT DOWNLOAD]!!!

If you look at the profile of the so called project developer
He just joined 6 days ago with just only 3 contributions in the last year and the contributions are highlighted by one dot in April and boom wallet is ready  Grin



The three contributions were
- Joined GitHub
- Created their first repository April 27th
- Created 1 commit in 1 repository (projectsowa/coinowl 1 commit)

That was all

2. Wallet link in the ANN is usually set up so that it can auto downloads
This is done so that the user can not see how the GitHub activity looks like and become suspicious

This is the way the scam set up his, as soon as you click on the link, it auto downloads

Code:
https://github.com/projectsowa/coinowl/raw/master/Owlcoin-win64-qt.zip

3.  Files however small they are usually are zipped
This is done so that online virus detectors like virustotal may not be able to detect the malware at times

Some checks users can do
  • Look at the account age
  • Is the activity high in the repository? Are the developers verified and credible?
  • Virustotal might not be 100% accurate but it's sometimes a savior, scan all downloaded files
  • always have a strong AV on your computer if you are found of downloading this hosted files
  • Verify signatures of file releases before installation
  • Simply avoid suspicious and unpopular ICO/Master node project wallet downloads
legendary
Activity: 2128
Merit: 1293
There is trouble abrewing
i have been saying this for ages. these are good methods to assess the "risk" of a project on github:
1. number of starts and number of forks. which shows the popularity of the project and how many people are looking at it. having lower number or nothing at all shows a risky code but having higher although doesn't mean safe but it is a positive sign.
2. number of commits. which shows the activity of the project, a scam project doesn't have that many commits. usually scammers make the malicious code and put it up, that's it!
3. having no source code! GitHub is basically a place where you upload stuff. a lot of these malicious ones use it to only upload their binary or a compressed rar file and not share the code at all.
legendary
Activity: 2702
Merit: 4002
Many members trust random programs because they are open source or found on GitHub.
Have you reviewed each line? Is the file new? Is the user account trusted(have many trusted projects) or has it been newly created? If your answers are unclear, do not download any file or even give some permissions of that application.
I noticed a lot of campaigns used that method.
This warning includes Google Play and Chrome store.


Community Tips:

Quote
Jump to: