A recent vulnerability found within GitHub Codespaces has exposed a potential risk for repository takeover through malicious manipulations of GitHub Copilot instructions. Orca Security has highlighted how this flaw could have allowed attackers to hijack repositories by embedding harmful directives within a GitHub issue.
Understanding the Codespaces Vulnerability
The cybersecurity firm revealed that attackers could exploit this vulnerability by triggering passive prompt injections via GitHub issues. This would enable them to instruct Copilot to discreetly leak a user’s GitHub token, posing a significant security threat.
Orca Security detailed a method where an attacker manipulates Copilot within a Codespace to check out a specially crafted pull request containing a symbolic link to an internal file. This setup could force Copilot to read from that file and, through a remote JSON schema, send sensitive GITHUB_TOKEN data to a remote server.
Mechanics of the RoguePilot Attack
Codespaces, a cloud-based development environment powered by Visual Studio Code, integrates Copilot for AI-assisted coding suggestions. Orca Security dubbed the attack ‘RoguePilot,’ leveraging various Codespaces features intended to enhance usability, along with Copilot’s robust integration.
Attackers could manipulate an issue’s description with HTML comments to conceal malicious content, thus slipping harmful Copilot instructions past developers who might otherwise notice them during code reviews.
Because Visual Studio Code settings allow fetching JSON schemas from the web by default in Codespaces, attackers could exploit these configurations to append sensitive data to a schema URL, facilitating data exfiltration.
Exploiting GitHub Tokens and Symbolic Links
In addition to manipulating issue descriptions, attackers could exploit GitHub’s handling of symbolic links within repositories. These links may point to sensitive data and, if followed, could be used to access or extract information.
The GITHUB_TOKEN environment variable, automatically generated and granting read and write access to a repository, was a primary target. Orca demonstrated a scenario where a malicious prompt directs Copilot to execute actions that gather the GITHUB_TOKEN within a JSON file, achieving repository control without needing developer authorization.
Orca’s research illustrated a feasible chain of attack, combining issue text bound to Copilot, repository symlinks reaching shared runtime files, and automated JSON schema downloads, enabling the exfiltration of Codespaces GITHUB_TOKEN and complete repository takeover.
GitHub has since addressed and patched this vulnerability following notification from Orca Security, mitigating the potential threat.
