Author: Catalin Cimpanu / Source: BleepingComputer
Three of the most popular version control systems (VCSs) used in managing source code projects are vulnerable to a flaw that allows an attacker to run code on a victim’s platform, potentially leading to the theft of source code or the hijacking of the underlying machine.
Discovered by Joern Schneeweisz, a security researcher for Recurity Labs, the flaw relies on tricking users into cloning (copying) a source code project via an “ssh://” link.
Social engineering not necessary to exploit the flaw
Schneeweisz says that a URL in the form of “ssh://-oProxyCommand=some-command” allows an attacker to execute commands on the computer of the user performing the clone operation.
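A defensive pre-clone check for the URL form described above, as an added example that is not from the article or from any of the affected projects. It assumes the dangerous case is an ssh-type URL whose host (or user) part begins with "-", which an ssh client would read as a command-line option rather than a hostname; the function names, the "+ssh" scheme handling and the sample URLs are constructed for illustration.

```python
from typing import List, Tuple
from urllib.parse import urlsplit, unquote


def uses_ssh(scheme: str) -> bool:
    # Assumption: "ssh" and any "<tool>+ssh" scheme end up invoking an ssh client.
    return scheme == "ssh" or scheme.endswith("+ssh")


def check_clone_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a repository URL before it is handed to a VCS client."""
    parts = urlsplit(url.strip())
    if not uses_ssh(parts.scheme.lower()):
        return True, "not an ssh URL"
    # Decode percent-escapes so "%2D" cannot hide a leading dash.
    netloc = unquote(parts.netloc)
    userinfo, _, hostport = netloc.rpartition("@")
    host = hostport.split(":", 1)[0]
    if not host:
        return False, "empty host"
    # A leading "-" would be parsed as an option, not as a destination.
    for label, value in (("host", host), ("user", userinfo)):
        if value.startswith("-"):
            return False, f"{label} part starts with '-' (would be read as an ssh option)"
    return True, "ok"


def rejected(urls: List[str]) -> List[str]:
    """Return the URLs from the list that the check refuses."""
    return [u for u in urls if not check_clone_url(u)[0]]


# Constructed sample inputs; the second uses the form quoted in the article.
SAMPLE_URLS = [
    "ssh://git@example.com/team/project.git",
    "ssh://-oProxyCommand=some-command/project",
    "ssh://%2DoProxyCommand=some-command/project",
    "https://example.com/team/project.git",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, reason = check_clone_url(u)
        print("ALLOW" if ok else "BLOCK", u, "-", reason)
```

A check like this belongs wherever clone URLs arrive from untrusted input, such as CI job definitions or dependency manifests, before the URL reaches the VCS client.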
“While it might be tricky to convince a user to clone a repository with a rather shady…