
Giteabot account was compromised #4167

Closed

@lafriks

We are currently investigating suspicious activity from an account with write access privileges to the go-gitea organization. A binary was added to releases across multiple go-gitea repositories. We cleaned up all releases and temporarily dropped access for the account. We will investigate further to understand what really happened, to prevent it in the future, and to be transparent with you through the process. In the meantime, if you find any suspicious activity, please report it under this issue.

UPDATE: No source code or other Gitea infrastructure was affected, including https://dl.gitea.io/, so it is safe to use it to download Gitea binaries.

The GitHub account that was hacked is back under full control and also has 2FA set, so this should not happen again in the future.

What was done:

  • In most go-gitea organization repositories, a new release & tag was created with the name 0, and an install.exe binary (13KB in size) was added to that release that was malicious (from our analysis it contained a cryptocurrency miner). All these releases and binaries were deleted within 2-3 hours of when they were added.
  • Also, the 1.4.2 release Windows Gitea .exe binary on GitHub was replaced by the same 13K binary as above. So if Gitea is working, you are safe.
  • Just in case, we retagged 1.4.2 to trigger CI to rebuild the binaries, so the sha256 will be different now from what it was before the retag.

We have contacted GitHub but have not received any answer from them yet.

UPDATE2:
No actual Gitea binaries were compromised, so all hashes mentioned in the comments below are safe.

SHA256 of malicious .exe file:
bfc5a0358b1ad76ffbc1e1f4670bd3240536e2fbac88272cee3003322a15fffe

UPDATE3:
v1.4.2 has been rereleased at about 2018-06-07 20:00:00 UTC+08
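The issue publishes one indicator (the SHA256 of the malicious install.exe) and describes two patterns: rogue releases tagged `0` carrying an `install.exe`, and a genuine 1.4.2 Windows asset swapped for that same file. The following triage script is an added example, not code from the go-gitea project or from the issue author; the only page-sourced value is the malicious SHA256, and the asset inventory, repository names, asset names, sizes and placeholder hashes it scans are constructed for illustration. It hashes local files against the indicator and flags release-asset records that match either pattern.

```python
"""Triage helpers for the go-gitea release tampering described in issue #4167.

Added example, not part of the go-gitea project. The only page-sourced value is
the SHA256 of the malicious install.exe; every asset record below is constructed.
"""
import hashlib

# Indicator published in the issue: SHA256 of the 13 KB malicious install.exe.
MALICIOUS_SHA256 = "bfc5a0358b1ad76ffbc1e1f4670bd3240536e2fbac88272cee3003322a15fffe"


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA256 of a file, streamed so large release archives are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_digest(digest: str) -> str:
    """'malicious' if the digest equals the published indicator, 'unknown' otherwise.

    'unknown' is deliberately not 'clean': a hash that merely differs from the
    indicator proves nothing. Only a match against the vendor's republished
    checksums (the 1.4.2 binaries were rebuilt, so their sha256 changed) shows
    that a file is the genuine release.
    """
    return "malicious" if digest.lower() == MALICIOUS_SHA256 else "unknown"


def triage_release_assets(assets):
    """Flag release-asset records that match the incident's patterns.

    Each asset is a dict with keys repo, tag, name, size, sha256 (a constructed
    schema for this example, not the GitHub API's). Two triggers, both taken
    from the issue text:
      1. the asset hash equals the published malicious SHA256;
      2. a release tagged '0' carrying an install.exe (the rogue releases).
    Returns a list of (repo, tag, name, reason) tuples, one per trigger hit.
    """
    findings = []
    for a in assets:
        reasons = []
        if a["sha256"].lower() == MALICIOUS_SHA256:
            reasons.append("sha256 matches published malicious install.exe")
        if a["tag"] == "0" and a["name"].lower() == "install.exe":
            reasons.append("release tagged '0' with install.exe (rogue release pattern)")
        for reason in reasons:
            findings.append((a["repo"], a["tag"], a["name"], reason))
    return findings


# Constructed sample inventory (not real API output). Repo and asset names and
# the all-zero hash are placeholders: one ordinary asset, one rogue '0' release,
# and one 1.4.2 Windows asset whose hash equals the indicator (the swapped binary).
SAMPLE_ASSETS = [
    {"repo": "go-gitea/repo-a", "tag": "v1.4.2", "name": "gitea-1.4.2-linux-amd64",
     "size": 40_000_000, "sha256": "0" * 64},
    {"repo": "go-gitea/repo-b", "tag": "0", "name": "install.exe",
     "size": 13_312, "sha256": MALICIOUS_SHA256},
    {"repo": "go-gitea/repo-a", "tag": "v1.4.2", "name": "gitea-1.4.2-windows-amd64.exe",
     "size": 13_312, "sha256": MALICIOUS_SHA256},
]

if __name__ == "__main__":
    import sys
    # Usage: python triage.py [file ...]  (hashes each given file against the indicator)
    for path in sys.argv[1:]:
        print(path, classify_digest(sha256_of_file(path)))
    for finding in triage_release_assets(SAMPLE_ASSETS):
        print(*finding)
```

The hash comparison is case-insensitive because published checksums are copied in both cases; the size field is kept in the records only as context, since a 13 KB file sitting where a multi-megabyte Gitea binary should be is itself worth a second look even before hashing.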


Labels: issue/critical, topic/security