A significant vulnerability in GitHub’s Agentic Workflows has been identified, potentially allowing malicious actors to access sensitive repository information without authorization. This discovery was made public by Noma Labs, highlighting critical security concerns for users relying on this automation tool.
Understanding GitHub Agentic Workflows
GitHub Agentic Workflows is a tool that enables users to create workflows using natural language in markdown formats. These workflows are then executed by AI agents as GitHub Actions, streamlining interactions with code repositories. However, a flaw dubbed ‘GitLost’ has been discovered, putting both public and private repositories at risk.
The Mechanics of the GitLost Vulnerability
The GitLost vulnerability arises when unauthorized users insert hidden prompts within crafted GitHub Issues on public repositories. If these repositories belong to organizations maintaining private repositories, the AI agent might execute these prompts, exposing private data. Noma Labs found that the vulnerability was triggered by workflows listening to issues.assigned events, allowing read access to both public and private data.
Exploiting this flaw required no advanced skills. An attacker merely had to post an issue in a public repository managed by an organization utilizing GitHub’s Agentic Workflow. This issue could then manipulate the agent into extracting sensitive information, such as Readme.md files, and posting them publicly.
Security Implications and Recommendations
Despite existing security measures, this vulnerability was successfully exploited through varied approaches, one notably involving the addition of the word ‘additionally’. Noma Labs equates these indirect prompt injections to SQL injections in web applications, stressing the need for robust defense mechanisms.
In response, Noma Labs advises organizations to treat all user-provided content as potentially dangerous. They recommend minimizing agent permissions, controlling public postings, and thoroughly sanitizing inputs before they are processed by AI agents. GitHub has been notified of these findings to improve their security measures.
As AI systems become more prevalent, vulnerabilities like GitLost emphasize the importance of proactive security strategies to safeguard sensitive information. Organizations are encouraged to remain vigilant and implement protective measures to mitigate risks associated with AI-driven workflows.
