Weaponizing Dependabot: Pwn Request at its finest
Posted by ketralnis@reddit | programming | View on Reddit | 4 comments
nelmaven@reddit
Who thought that auto-merging PRs from a fork would be a good idea?
LargeHandsBigGloves@reddit
Well if you read the article it's not auto merged from a fork intentionally 😂 that's the whole basis of the attack. Read far enough to get to recreate
turbothy@reddit
Okay, I'll bite after reading. Whoever thought auto-merging PRs was a good idea deserves everything that happens to them. Eejits.
LargeHandsBigGloves@reddit
This could be guarded against by adding a second condition to the actor check, but who would do that prior to reading this writeup? I'd seen the referenced GitHub Actions abuse article but had no idea it would be so plausible. Usually I roll my eyes at the real-world requirements to take advantage of some 0-day exploits, like physical access to the CPU for Heartbleed, I think it was.
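An added illustration of the "second condition" idea from the comment above. This is not the workflow from the article or anything the commenter posted; it assumes the auto-merge job is gated on `github.actor` alone, which is the pattern the thread calls "the actor check". The job name, the `gh pr merge` step and the PR event types are assumptions for the sake of the example.

```yaml
# Added example, not the article's workflow. Assumes the auto-merge job is
# gated on github.actor alone (the "actor check" discussed in the thread).
name: dependabot-auto-merge
on:
  pull_request_target:
    types: [opened, synchronize]

permissions:
  contents: write
  pull-requests: write

jobs:
  # Weak: github.actor is whoever caused the most recent event, so this only
  # proves that Dependabot triggered the run. It says nothing about where the
  # PR's head branch lives or who opened the PR.
  automerge-weak:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Hardened: the same actor check plus two further conditions. The PR must
  # have been opened by Dependabot, and its head repository must be this
  # repository rather than a fork. Either extra condition alone already
  # blocks a fork-originated PR from reaching the merge step.
  automerge:
    if: >-
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Both jobs are shown side by side only for comparison; a real workflow would keep just the hardened one. The `head.repo.full_name == github.repository` comparison is the check that directly answers the first comment's question, since it refuses to auto-merge anything whose branch lives outside the repository, regardless of which account pushed the last commit. Using `pull_request` instead of `pull_request_target` where the job does not need write access is a separate, complementary hardening.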