
Content Injection Attack on GitHub

158 points, by Lapz, 11 months ago

14 comments

fscaramuzza, 11 months ago
GH just fixed it, but there's a snapshot from a few hours ago: https://web.archive.org/web/20240608060046/https://github.com/younesbram/younesbram
wokwokwok, 11 months ago
You can see in the commit log on https://github.com/younesbram/younesbram/commit/4282312e4ec38ab20bb5469cc298b24e142d99d5 where the first PoC commit is pushed up.

The thing I find interesting is that this wasn't a random discovery; like, you look at the first commit in the sequence and you'll see.

> \ce{$\unicode[goombafont; color:red; pointer-events: none; ...

i.e. this isn't some random chance discovery.

This is someone looking to use a specific exploit with the ```math tag, already certain that there's some way of doing it.

How strange.
pandaxtc, 11 months ago
I think the \unicode CSS injection used here was reported to the MathJax library a few months ago - https://github.com/mathjax/MathJax/issues/3129
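A defensive check for the \unicode option abuse that the two comments above describe (CSS declarations smuggled through the optional argument of \unicode inside a math fence), added here as an example; it is not code from the thread, GitHub or MathJax. The allow-list grammar for the optional argument, the fence and option patterns, and the sample Markdown are this example's own assumptions.

```javascript
// Added example, not code from the thread, GitHub or MathJax: a defensive
// linter for Markdown that flags triple-backtick math fences whose
// \unicode[...] optional argument carries more than dimensions and a font name.

const FENCE = '`'.repeat(3);
const MATH_FENCE = /(`{3}math[ \t]*\r?\n)([\s\S]*?)(\r?\n`{3})/g;
const UNICODE_OPT = /\\unicode\s*\[([^\]]*)\]/g;

// Allow-list for the optional argument. This grammar is an assumption of the
// example, not MathJax's own: an optional "height,depth" pair, then optionally
// ";" and a font-family name of letters, digits, spaces, '-' or '_'. A ':' or
// a second ';' (what a CSS declaration needs) can never match.
const SAFE_OPT = /^\s*(-?\d*\.?\d+(\s*,\s*-?\d*\.?\d+)?)?\s*(;\s*[A-Za-z][A-Za-z0-9 _-]*)?\s*$/;

function isSafeUnicodeOption(opt) {
  return SAFE_OPT.test(opt);
}

// Every unsafe \unicode option inside a math fence, with the fence's index.
function auditMathFences(markdown) {
  const findings = [];
  let fenceNo = 0;
  for (const fence of markdown.matchAll(MATH_FENCE)) {
    for (const m of fence[2].matchAll(UNICODE_OPT)) {
      if (!isSafeUnicodeOption(m[1])) findings.push({ fence: fenceNo, option: m[1].trim() });
    }
    fenceNo++;
  }
  return findings;
}

// Mitigation: drop the optional argument of every unsafe \unicode so only the
// glyph request (\unicode{...}) survives. Text outside math fences is untouched.
function stripUnsafeUnicodeOptions(markdown) {
  return markdown.replace(MATH_FENCE, (whole, open, body, close) =>
    open + body.replace(UNICODE_OPT, (m, opt) => (isSafeUnicodeOption(opt) ? m : '\\unicode')) + close);
}

// Constructed sample: a benign use next to one shaped like the payload quoted in the thread.
const SAMPLE = [
  '# profile', '', FENCE + 'math', '\\unicode[.55,0.05;serif]{x22D6}', FENCE, '',
  FENCE + 'math', '\\ce{$\\unicode[goombafont; color:red; pointer-events: none]{x0020}$}', FENCE, '',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditMathFences(SAMPLE));
  console.log(stripUnsafeUnicodeOptions(SAMPLE));
}
```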
dayjaby, 11 months ago
Explanation for this with a better link: https://news.ycombinator.com/item?id=40615804
rvnx, 11 months ago
Source code: https://raw.githubusercontent.com/younesbram/younesbram/main/readme.md

(Injection in LaTeX math tags)
tempodox, 11 months ago
I don't get this. It shows some mangled text that looks like defaced CSS, accompanied by the error message “Extra open brace or missing close brace”. How is this content injection?

But the rescue murloc is cute.
moritzwarhier, 11 months ago
Saw this last night (in Europe), was posted with a different image

https://news.ycombinator.com/item?id=40614571

but that one of course stopped working too

working snapshot (mildly nsfw):

https://web.archive.org/web/20240607215223/https://github.com/stong

there's another one from 2 hours earlier but that misses the cool rotating cube.
acheong08, 11 months ago
Does this still work? Opened in Safari and don't see anything out of place
mmsc, 11 months ago
Other than I love Samy, are there many real-world examples of XSS being exploited for massive takeover of some service? I can't say I remember any news of a "website/service totally taken over due to XSS."
LASR, 11 months ago
So this opened in my GitHub iOS app at first and I was confused.
whamlastxmas, 11 months ago
Shame that either GitHub doesn't have a bug bounty, or their program isn't good enough to entice people to use it
janmo, 11 months ago
Funny at first, but this could have been exploited maliciously by displaying a message telling the user he has been disconnected and redirecting him to a phishing page.
1023bytes, 11 months ago
Looks like this has been patched
dvh, 11 months ago
Well done