GitHub Design Flaw Retains Deleted, Private Repos

Researchers have uncovered a concerning privacy and security flaw on GitHub, where deleted and private repositories are retained. Although this may seem like a new revelation, GitHub has actually been transparent about this design flaw in its Privacy Policy.

Security Issue With GitHub Retaining Private And Deleted Data

In a recent blog post, researchers from Truffle Security identified a security flaw (which was ultimately a design flaw) on GitHub.

The issue lies in the design of GitHub, where deleted or private repositories and data remain accessible after being deleted. This means that users, including organizations, who delete data or repositories after forking them, assuming that the data is permanently removed, are mistaken. The researchers found that anyone can access the relevant commit to retrieve the data. Here’s how it works.

This data exposure not only applies to deleted fork data, but also to accessing deleted forks from public repositories. Additionally, if a user forks someone’s repository, and the user commits data to it after forking, then deletes the entire repository without syncing, the data remains accessible.

In both scenarios, all a user needs to retrieve deleted data is the commit ID. Below is a demonstration of how a user can access deleted repositories.

Testing these scenarios even revealed a private key for an organization employee’s GitHub account from a deleted repository to the researcher. The researchers described this behavior as follows:

The implication here is that any code committed to a public repository may be accessible forever as long as there is at least one fork of that repository.

Similarly, an upstream public repository exposes data from a private fork. This poses a significant risk for organizations that share open-source tools via public repositories while maintaining internal private forks. The following video demonstrates this scenario.

Truffle Security has named this phenomenon Cross Fork Object Reference (CFOR) because it allows explicit access to commit data from other deleted or private forks, similar to the IDOR flaw.

GitHub Is Transparent About The ‘Design Flaw’

Following this discovery, the researcher proceeded with responsible disclosure with GitHub regarding this security issue. However, what initially seemed like a flaw turned out to be GitHub’s design feature. In fact, GitHub already mentions this behavior in its guide.

Therefore, users should be aware that simply deleting data from GitHub does not permanently remove it. It is important to remain vigilant when sharing sensitive data, such as private keys, on GitHub repositories. If private keys are leaked, researchers recommend key rotation as a precautionary measure.

Share your thoughts in the comments below.