Github Data Exposure and Accessing Blocked Data using the GraphQL Security Design Flaw
Shahriar Yazdipour

TL;DR
This paper demonstrates how an ethical hacker can exploit a security flaw in Github's GraphQL API to access data from repositories that are disabled or blocked due to payment issues or sanctions, revealing a significant security vulnerability.
Contribution
The study uncovers a security design flaw in Github's GraphQL API that allows access to blocked repositories, highlighting a critical vulnerability in access control mechanisms.
Findings
Blocked repositories can be accessed via GraphQL API
Security flaw enables bypassing repository restrictions
Potential risk for data exposure and misuse
Abstract
This research study was conducted to illustrate how easily one can gain data access to disabled or blocked repositories in Github using GraphQL. There are several situations in which you can lose access to your Github repositories: when you use the paid version of Github services and do not make the monthly payment, or when you use Github from a country on the United States sanctions list. Hosting an insecure repository that is used for malicious purposes can also put your repository on Github's blacklist. In all of these situations, Github will block and disable your repository, and you will lose access to your files, code and project assets. Here, we discuss the procedure by which an Ethical Hacker can gain access to all of that blocked data through GraphQL functionality.
Taxonomy
Topics: Cloud Data Security Solutions · Scientific Computing and Data Management
