GitHub Desktop Credential Leak Vulnerability via Malicious Remote URLs

Vulnerability

A vulnerability in GitHub Desktop versions 3.3.15 through 3.4.12 allows unauthorized access to user credentials. It is triggered when an attacker convinces a user to clone a repository, either directly or through a submodule, whose remote URL is maliciously crafted. GitHub Desktop relies on Git for network operations such as cloning and fetching; when Git encounters a remote that requires authentication, it requests credentials from GitHub Desktop through the git-credential protocol. The flaw lies in GitHub Desktop's misinterpretation of that credential request, which causes it to send credentials belonging to a different host than the one Git is currently accessing. As a result, sensitive information stored in GitHub Desktop, such as GitHub usernames, OAuth tokens, or credentials for other Git remote hosts, could be transmitted to an unrelated host.
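The check that matters here is that a credential helper only answers a git-credential request with a credential stored for exactly the protocol and host Git asks about. The following is an added illustration, not GitHub Desktop's code: it parses the key=value request format Git sends to a helper and stays silent on any host or protocol mismatch, so a crafted remote or submodule URL cannot draw out a token for another host. The store contents and hostnames are constructed placeholders.

```python
from typing import Dict, Optional, Tuple

# Constructed sample store keyed by (protocol, host); the token is a placeholder.
CREDENTIAL_STORE: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("https", "github.com"): ("octocat", "gho_PLACEHOLDER_NOT_A_REAL_TOKEN"),
}


def parse_credential_request(raw: str) -> Dict[str, str]:
    """Parse a git-credential 'get' request: key=value lines ended by a blank line."""
    fields: Dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break  # a blank line terminates the request
        if "=" not in line:
            raise ValueError(f"malformed credential line: {line!r}")
        key, value = line.split("=", 1)
        fields[key] = value
    return fields


def lookup_credential(raw: str) -> Optional[Tuple[str, str]]:
    """Return (username, secret) only when protocol AND host match exactly.

    Any mismatch (different host, http instead of https, missing fields)
    yields None, so the helper answers nothing and Git falls back to
    prompting instead of receiving a token that belongs to another host.
    """
    fields = parse_credential_request(raw)
    protocol, host = fields.get("protocol"), fields.get("host")
    if not protocol or not host:
        return None
    return CREDENTIAL_STORE.get((protocol, host))


def format_response(cred: Optional[Tuple[str, str]]) -> str:
    """Serialise the answer in the key=value form Git reads from the helper."""
    if cred is None:
        return "\n"  # empty answer: nothing matched the request
    username, secret = cred
    return f"username={username}\npassword={secret}\n\n"


if __name__ == "__main__":
    legit = "protocol=https\nhost=github.com\npath=octocat/hello.git\n\n"
    other = "protocol=https\nhost=remote.example.invalid\npath=x/y.git\n\n"
    print(format_response(lookup_credential(legit)).rstrip())
    print(repr(format_response(lookup_credential(other))))
```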

Impact

Exfiltration of GitHub usernames and OAuth tokens, or other Git remote host credentials stored in GitHub Desktop, to an unrelated host.

Remediation

Users should update to GitHub Desktop version 3.4.12 or greater. If you suspect you have interacted with a repository that could have triggered this vulnerability, revoke the GitHub Desktop OAuth token.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.