July 25, 2024

GitHub warns Desktop, Atom users after code-signing certificates pinched


GitHub has issued an urgent warning to users of its Desktop for Mac and Atom text editor programs after an unauthorised actor broke into its systems and stole two encrypted DigiCert code-signing certificates used for Windows and one Apple Developer ID certificate, which could potentially have given them access to some of its development and release planning repositories.

GitHub apparently became aware of the attack on 7 December 2022, but has waited almost two months to go public pending a full investigation, which has found “no risk” to GitHub services as a result, and no unauthorised changes made.

“On 6 December 2022, repositories from our Atom, Desktop and other deprecated GitHub-owned organisations were cloned by a compromised personal access token (PAT) associated with a machine account,” the organisation said in a statement.

“Once detected on 7 December 2022, our team immediately revoked the compromised credentials and began investigating potential impact to customers and internal systems. None of the affected repositories contained customer data.

“However, several encrypted code-signing certificates were stored in these repositories for use via Actions in our GitHub Desktop and Atom release workflows. We have no evidence that the threat actor was able to decrypt or use these certificates.”

As a preventative measure, it will be revoking the exposed certificates, which will invalidate several versions of GitHub Desktop and Atom.

As such, Mac users of Desktop versions 3.1.2, 3.1.1, 3.1.0, 3.0.8, 3.0.7, 3.0.6, 3.0.5, 3.0.4, 3.0.3 and 3.0.2 must update by 2 February 2023 – there is no impact to Windows users. Meanwhile, versions 1.63.1 and 1.63.0 of Atom will also stop working on 2 February – to keep using it, users will need to roll back to a previous version.

By this point, said GitHub, both of the DigiCert certificates will have expired and as such could not have been used to sign code anyway, but the Apple certificate remains valid through 2027, so GitHub has been working with Apple to monitor any executables signed with it until it is revoked.

Code-signing certificates such as the three stolen in December are important because they prove that code was written by a listed author. While their theft does not put existing installations of Desktop and Atom at risk, if the thief was able to decrypt them, they could start to sign their own applications – such as malware – with these certificates and pass them off as official GitHub apps.

“The security and trustworthiness of GitHub and the broader developer ecosystem is our highest priority. We recommend users take action on the above recommendations to continue using GitHub Desktop and Atom,” said the organisation.

Kevin Bocek, vice-president of security strategy and threat intelligence at machine identity management specialist Venafi, commented: “GitHub is hugely important for developers: over 100 million developers use the platform, and the Fortune 500 and every major software developer from Microsoft to Google rely on it. It’s no surprise that it has become a focus point for attackers too.

“In the wrong hands, these machine identities could be used to pose as trusted, enabling an attacker to sign and deliver malicious content that will be authenticated by other machines as coming from GitHub. This is the powerful weapon that can enable supply chain attacks on other software developers and unknown possible subsequent (or previous) attacks.”

Bocek said GitHub’s experience demonstrated how easily and unwittingly fast-moving engineering teams can open up new opportunities for attack, and stressed that this incident in particular showed how machine identity management is becoming a must-have.

“Code-signing machine identities can’t be left unguarded; without consistent observability and control, the ability to quickly find and reissue machine identities is impossible to achieve manually,” he said.

“To protect against events such as these, which are becoming increasingly common, security engineering teams need to deploy a control plane for automating machine identity management. By doing so, they continuously protect machine identities from theft and avoid the manual rotation, replacement and revocation that slows down engineering teams and leads to shortcuts that create breaches.”

Sectigo senior vice-president Jason Soroko added: “Automation of certificate lifecycle management – including revocation – is key. Executives lack the visibility to properly govern certificates in their company. When certificates are managed and configured manually, they can slip through the cracks, leaving enterprises vulnerable to outages or cyber attacks. An automated certificate lifecycle management (CLM) platform ensures certificates are renewed or revoked when they need to be, avoiding loss of revenue and reputation.”


GitHub, the popular version control platform, has recently warned users of its Desktop application, as well as those running Atom, that it has detected unauthorized activity involving their code signing certificates.

Code signing is a security measure used to authenticate the identity of software publishers. It ensures that their digitally signed code (such as Windows applications) has not been tampered with or altered in any way.
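The Go program below is an added example and not code from GitHub, DigiCert, Apple or the article. It shows the verification a platform performs on a code-signed artifact, covering the points made earlier about the DigiCert certificates having expired, the Apple certificate needing revocation, and a stolen certificate being used to sign forged releases, as well as the definition of code signing in the paragraph above. The root CA, the code-signing leaf certificate (serial 4242), the payload bytes and the in-memory revocation set are all constructed for the example; a real verifier consults the issuer's CRL or OCSP responder rather than a map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedArtifact is a release binary (constructed bytes here) with the DER-encoded
// signing certificate and an ASN.1 ECDSA signature over the binary's SHA-256.
type SignedArtifact struct {
	Payload, CertDER, Signature []byte
}

// Verifier holds the trust anchors plus a set of revoked serial numbers. The
// in-memory set is an assumption that stands in for a CRL/OCSP lookup.
type Verifier struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
}

var ErrRevoked = errors.New("signing certificate has been revoked")

// Verify rejects the artifact if its certificate is revoked, if the chain does not
// validate for code signing at time now (an expired certificate fails here), or if
// the signature does not match the payload. Only then is the artifact trusted.
func (v *Verifier) Verify(a SignedArtifact, now time.Time) error {
	cert, err := x509.ParseCertificate(a.CertDER)
	if err != nil {
		return err
	}
	if v.Revoked[cert.SerialNumber.String()] {
		return ErrRevoked
	}
	opts := x509.VerifyOptions{Roots: v.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	sum := sha256.Sum256(a.Payload)
	if !ecdsa.VerifyASN1(pub, sum[:], a.Signature) {
		return errors.New("signature does not match payload")
	}
	return nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Setup builds a constructed root CA and a code-signing leaf (serial 4242) valid
// from notBefore to notAfter, signs a placeholder payload with the leaf key and
// returns a Verifier trusting that root. None of this is a real GitHub, DigiCert
// or Apple certificate; it exists only to exercise Verify.
func Setup(notBefore, notAfter time.Time) (*Verifier, SignedArtifact) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: notBefore, NotAfter: notAfter.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Constructed Developer ID"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	check(err)
	payload := []byte("constructed placeholder release binary")
	sum := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, sum[:])
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Verifier{Roots: roots, Revoked: map[string]bool{}},
		SignedArtifact{Payload: payload, CertDER: leafDER, Signature: sig}
}

func main() {
	nb := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	na := time.Date(2027, 1, 1, 0, 0, 0, 0, time.UTC)
	v, art := Setup(nb, na)
	fmt.Println("within validity, not revoked:", v.Verify(art, nb.AddDate(0, 6, 0)))
	fmt.Println("after expiry:", v.Verify(art, na.AddDate(1, 0, 0)))
	v.Revoked["4242"] = true // the issuer revokes the exposed certificate
	fmt.Println("revoked but within validity:", v.Verify(art, nb.AddDate(0, 6, 0)))
}
```

The three calls in main correspond to the three situations in the article: a signature that still checks out, a certificate that has passed its expiry date, and a certificate that is still within its validity period but has been revoked by its issuer. One caveat the example leaves out: production code-signing schemes usually attach a trusted timestamp to each signature, so a release signed before the certificate expired stays verifiable afterwards; that is why expiry alone does not invalidate already-shipped versions, whereas revocation does.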

GitHub is warning users of its GitHub Desktop app, and of Atom, that the certificates used to sign code in both applications have been compromised. This means that users are likely to be vulnerable to malicious files that are distributed as genuine applications.

The company is currently notifying affected users by email or through notifications within the GitHub Desktop or Atom apps. GitHub is urging users to update their code signing certificates as soon as possible.

GitHub is advising users to download the latest release of its applications and to ensure that they have the latest update of the code signing certificate. The company is also recommending caution when downloading applications from untrusted sources.

GitHub’s chief information security officer, Mike Hanley, took to Twitter to reassure users that the company is taking the necessary steps to protect their data.

“GitHub Desktop and Atom now help protect our customers and their organizations from malicious code by requiring code signing for legitimate signed applications. We take security seriously, and we’re here to help you stay ahead of threats,” he said.

Overall, this is a reminder for users to stay vigilant about the security of their data and to stay up-to-date with the latest security measures. With the code signing certificates in hand, malicious actors may be able to distribute malware that can be easily identified as genuine applications. It is therefore important that users update their applications and certificates as soon as possible.