GitHub Data Exposure and Accessing Blocked Data Using the GraphQL Security Design Flaw
This research exposes a critical vulnerability affecting GitHub users who lose repository access due to payment issues, sanctions, or blacklisting, posing a security risk for data protection.
The study demonstrated a GraphQL security flaw in GitHub that allows unauthorized access to blocked or disabled repositories, enabling retrieval of files, code, and project assets that should be inaccessible.
This research study was conducted to illustrate how easily data in disabled or blocked GitHub repositories can be accessed using GraphQL. There are several situations in which you can lose access to your GitHub repositories: when you use the paid version of GitHub services and do not make the monthly payment, or when you use GitHub from a country on the United States sanctions list. Having an insecure repository with malicious usage can also put your repository on GitHub's blacklist. In all of these situations, GitHub will block and disable your repository, and you will lose access to your files, code and project assets. Here, we will discuss the procedure by which an ethical hacker can gain access to all of that blocked data with GraphQL functionality.