Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 25 Jun 2024 12:15:47 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: [siren] Reputation Farming Using Closed Github Issues / PRs




-------- Forwarded Message --------
Subject: [siren] Reputation Farming Using Closed Github Issues / PRs
Resent-Date: Mon, 24 Jun 2024 15:29:38 -0700
Resent-From: bpursell@...uxfoundation.org
Date: Mon, 24 Jun 2024 18:29:26 -0400
From: Bennett Pursell <bpursell@...uxfoundation.org>
Reply-To: siren@...ts.openssf-vuln.org, bpursell@...uxfoundation.org
To: siren@...ts.openssf-vuln.org

Closed Github Issues / Pull Request Activity
Reputation Farming Using Closed Github Issues / PRsCVE ID (if applicable):

none
Description:

Maintainers have reported in discussions on OpenSSF's Slack suspicious
activity in OSS repositories especially in Github against closed issues and
Pull Requests.  This includes commenting or approving on these closed
items.  This can lead to the accounts at question being able to pad their
Github account reputation by seeming to have contributed to those projects.

Reputation farming may seem benign, but in the wake of a number of recent
incidents, OSS maintainers are recommended to have increased awareness of
anyone attempting to gain trust illegitimately.

TTPs/IoCs (if applicable)

    -

    Long-closed and approved Pull-Requests and issues being approved again
    or commented on by users who are not members or contributors to projects
    -

    Non-contributors with no real involvement in projects show seemingly
    significant involvement in OSS projects

Recommended Actions:

    -

    Monitor repository activity and report users who take part in this
    behavior
    -

    Lock old issues / pull requests / discussions
    -


       https://docs.github.com/en/communities/moderating-comments-and-conversations/locking-conversations
       -


       https://docs.gitlab.com/ee/user/discussions/#prevent-comments-by-locking-the-discussion
       -

       Github actions exist to do this automatically after a set period of
       inactivity

Known to be actively exploited?

Yes for reputation farming, further use of this for attacks unknown
Date Added:

June 24, 2024
Resources & Notes

    -

    Discussion on OpenSSF Slack:
    https://openssf.slack.com/archives/C019M98JSHK/p1719226970214779?thread_ts=1719225074.824219&cid=C019M98JSHK
    -

       Join the OpenSSF Slack: http://slack.openssf.org/
       -

    Example of existing Github Actions to lock old threads:
    https://github.com/marketplace/actions/lock-threads




Thanks,

Bennett Pursell
OpenSSF


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#1): https://lists.openssf-vuln.org/g/siren/message/1
Mute This Topic: https://lists.openssf-vuln.org/mt/106860104/8539914
Group Owner: siren+owner@...ts.openssf-vuln.org
Unsubscribe: https://lists.openssf-vuln.org/g/siren/unsub [alan.coopersmith@...cle.com]
-=-=-=-=-=-=-=-=-=-=-=-

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.