Replies: 1 comment
-
Any updates on this?
-
Similar to ohmyzsh, Codecov provides a bash script for their users that is dynamically retrieved every time a CI job executes.
Their bash script was recently compromised and modified to include malicious code. A user caught this compromise when they performed checksum validation before running the script on their end (here's an example validation command to run in the context of Codecov).
ohmyzsh should provide an out-of-band SHA-512 hash so users can detect potential malicious modification of ohmyzsh code during e.g. updates that occur (MD5 and SHA-1 are known to be vulnerable to collision attacks).
Alternatively, or additionally, ohmyzsh should digitally sign their scripts using a private key that is stored out-of-band from where the script is stored and delivered from.
(Doing out-of-band properly means an attacker would need to compromise two separate systems/credentials/etc. in order to both compromise the script and the checksum/digital signature private key)
HTTPS helps prevent a traffic interception attack where an attacker could modify or replace the script before it gets sent back to the client; however, it does not protect against an attacker modifying the script in the place where it's being distributed from.
Given the popularity of ohmyzsh, a compromise of ohmyzsh's script could result in a significant compromise of individual users' as well as organizations' networks, internal systems, and sensitive data.
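The check the post is asking for, as an added example (this is not ohmyzsh's, Codecov's, or the poster's own code): a small bash gate that refuses to execute a fetched install script unless its SHA-512 digest matches a value obtained on a separate channel. The function names (`sha512_of`, `verify_sha512`, `run_verified`, `demo`), the fake install script and the "tampered" copy are all constructed for the demo; the digest that `demo` treats as "published" is computed locally here only because the example has to run offline, whereas in real use it must come from a host or account the script's own distribution point cannot write to.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded script against an out-of-band SHA-512
# digest before running it. Not part of ohmyzsh or Codecov.
set -u

# SHA-512 of a file; works with GNU coreutils (sha512sum) and macOS (shasum).
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Return 0 only when the file's digest equals the expected one.
# $2 is the 128-hex-char digest published on a channel separate from the
# script's download location (assumption: it was fetched out-of-band).
verify_sha512() {
  local file="$1" expected="$2" actual
  case "$expected" in
    ""|*[!0-9a-fA-F]*) echo "refusing: expected digest is not hex" >&2; return 2 ;;
  esac
  if [ "${#expected}" -ne 128 ]; then
    echo "refusing: expected digest is not 128 hex chars (got ${#expected})" >&2
    return 2
  fi
  actual=$(sha512_of "$file")
  if [ "$actual" != "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# Execute the script only after the digest check passes; a tampered script
# is never handed to bash.
run_verified() {
  local file="$1" expected="$2"
  verify_sha512 "$file" "$expected" || return $?
  bash "$file"
}

# Constructed demo: a genuine install script and a copy with an injected line.
demo() {
  local dir published ok=0 bad=0
  dir=$(mktemp -d)
  printf '%s\n' '#!/usr/bin/env bash' 'echo "installing..."' > "$dir/install.sh"
  # Stand-in for the digest read from the second channel.
  published=$(sha512_of "$dir/install.sh")
  cp "$dir/install.sh" "$dir/tampered.sh"
  printf '%s\n' 'echo "injected payload"  # constructed tampering' >> "$dir/tampered.sh"
  run_verified "$dir/install.sh" "$published" >/dev/null && ok=1
  run_verified "$dir/tampered.sh" "$published" >/dev/null 2>&1 || bad=1
  rm -rf "$dir"
  echo "genuine_ran=$ok tampered_blocked=$bad"
  [ "$ok" -eq 1 ] && [ "$bad" -eq 1 ]
}

demo
```

The same gate structure serves the signing recommendation: replace the digest comparison with `gpg --verify install.sh.asc install.sh` against a public key imported from a channel the script host cannot modify, and keep the "no execution before the check passes" ordering. The out-of-band property is what matters in both variants; a digest or signature served from the same place as the script only tells you the download was not corrupted in transit, which HTTPS already covers.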