Slurp is a tool used by information security professionals to enumerate AWS S3 buckets. Slurp takes a domain name (example.com) or a wordlist as input and cycles through likely S3 bucket names (example.s3.amazonaws.com), looking for any world-readable or world-writeable buckets. S3 buckets are a great find for offensive security pros because they are commonly misconfigured; misconfigurations of this kind led to the famous RNC Voter Records breach and Verizon’s 2017 breach.
Slurp became a popular tool among bug bounty hunters and penetration testers, and it found its way into countless books, blog posts, tweets, and more.
At some point in the spring of 2018, the creator of Slurp (bbb31) deleted his GitHub account. This effectively orphaned Slurp and every other tool posted on bbb31’s GitHub page. Any blog post, tweet, or book that linked to the tool sent the reader to a page like this:
[Image: 404 error on github.com/bbb31/slurp]
Any attempt to clone the repository through git resulted in an authentication error, as if the repository were private and could only be accessed by an account with permission.
[Image: Authentication failed for Slurp clone]
All the links to Slurp in books, tweets, etc. point specifically to “github.com/bbb31/slurp” — the repo named “slurp” owned by the user named “bbb31.” With the bbb31 account deleted, what was stopping someone from simply registering a new account with the same name and creating another repo named “slurp”?
[Image: GitHub user bbb31, back from the dead]
Within about five minutes I was the owner of a brand new account named “bbb31” and had created a repository named “slurp.” Now all the blog posts, tweets, etc. pointed to whatever code I wanted. The next time someone cloned and blindly ran the code off of GitHub, it could be whatever code I wanted.
[Image: The new source code for Slurp]
From August 14th to August 27th, 27 people cloned the repository. Hundreds more visited the page, thanks to referrals from theregister.co.uk and others. All of these people could have been victims of malware, due to the lack of account re-use protections at GitHub.
This issue is not new—in fact, it has been possible since GitHub’s creation. For a while, GitHub’s response to security researchers, the public, and a representative of Coalfire was (paraphrasing): “well, don’t delete your account.” Recently, they have implemented some protections for what they consider to be “popular repositories.” This is great for companies like Microsoft that get hundreds of clones every day, but it still leaves everyone else in hot water. Obviously, it would be best for everyone who gets code off GitHub to read and review it before using it, but that is simply not feasible.
Recommendations for Github
- Discontinue username re-use.
- If you want to allow username re-use, change the URL format for repositories. Permalinks, perhaps?
Recommendations for Everyone
- Don’t delete your GitHub profile if you’ve written code that people rely on (unless you really need to). Instead, wipe it clean and lock it down with a strong password and 2FA.
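One practical follow-up to the recommendations above is to audit your own docs, scripts, and build files for GitHub links whose owner account no longer exists, since those are exactly the names that can be re-registered. The script below is an added example written for this post, not code from the original author; the `github_exists` lookup hits the real GitHub API, and the `exists` parameter lets you swap in a stub. Names other than bbb31/slurp are constructed.

```python
import re
import urllib.request
from urllib.error import HTTPError

# Matches owner/repo references such as github.com/bbb31/slurp (the case from the post).
GITHUB_REF = re.compile(r"github\.com/([A-Za-z0-9-]+)/([A-Za-z0-9_.-]+)")

def extract_refs(text):
    """Return unique (owner, repo) pairs referenced in a document, in order of appearance."""
    refs = []
    for owner, repo in GITHUB_REF.findall(text):
        repo = repo.rstrip(".")            # drop sentence punctuation glued to the name
        if repo.endswith(".git"):
            repo = repo[:-4]               # normalise clone URLs to the repo name
        if (owner, repo) not in refs:
            refs.append((owner, repo))
    return refs

def github_exists(path, token=None):
    """True if https://api.github.com/<path> returns 200, False on 404 (real network call).
    An optional personal access token raises the unauthenticated rate limit."""
    req = urllib.request.Request("https://api.github.com/" + path,
                                 headers={"User-Agent": "orphaned-repo-audit"})
    if token:
        req.add_header("Authorization", "token " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code == 404:
            return False
        raise

def classify(owner, repo, exists=github_exists):
    """Classify one reference by the risk the post describes."""
    if not exists("users/" + owner):
        return "OWNER_GONE"   # account deleted: the username can be re-registered and the URL hijacked
    if not exists("repos/%s/%s" % (owner, repo)):
        return "REPO_GONE"    # owner still holds the name, but the repo is missing
    return "PRESENT"          # still there; pin a commit hash rather than trusting the URL alone

def audit(text, exists=github_exists):
    """Map every 'owner/repo' found in text to its classification."""
    return {"%s/%s" % (o, r): classify(o, r, exists) for o, r in extract_refs(text)}
```

Run `audit(open("README.md").read())` against your own documents; any OWNER_GONE entry is a link you should remove or replace with a pinned fork you control.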