First reported by BackBox.org
GitLost: GitHub’s AI Agent Tricked Into Leaking Private Repository Data
GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures
By
[email protected] (The Hacker News)
8h agoen
Source
New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified." Everything a reviewer would check matches. The commit's hash does not. That matters
You might also wanna read
Git Commit Hash Malleability: Attackers Can Forge Verified Signatures Without Access to Signing Keys
This paper demonstrates a critical vulnerability in Git commit signing: an attacker can produce a second, distinct commit with identical tre
Research Reveals Vulnerability in GitHub ‘Verified’ Commits
Cyber Web Spider Blog·7h ago
Using SSH Certificates for Secure Git Commit Signing and Code Authorship Verification
The article discusses the importance of code authorship verification in software development, highlighting the limitations of traditional au

Guest Post: How I Scanned all of GitHub’s “Oops Commits” for Leaked Secrets ◆ Truffle Security Co.
trufflesecurity.com·1y agoGitHub Launches Immutable Releases for Enhanced Software Supply Chain Security
GitHub has introduced immutable releases as a general availability feature, providing enhanced supply chain security. Once a release is mark
GitHub Implements Post-Quantum Secure SSH Key Exchange for Enhanced Git Data Protection
GitHub is introducing post-quantum secure SSH key exchange algorithms (sntrup761x25519-sha512) to enhance security for Git data access. This

Comments
Sign in to join the conversation.
No comments yet. Be the first.