Latest Posts

Stay in Touch With Us

[vc_empty_space height=”9px”]

For Advert Placement;


Follow us on social Media

  /  Tech   /  Security   /  GitHub Fixes ‘High’ Severity Security Lapse Reported By Google Project Zero
Project Zero

GitHub Fixes ‘High’ Severity Security Lapse Reported By Google Project Zero

Google’s Project Zero team is committed to finding security lapses in the company’s own software; as well as those developed by other firms. Its methodology involves privately reporting flaws to vendors; and giving them 90 days to fix them before public disclosure. Based on how serious the situation is; this deadline may be pushed farther or brought closer according to the group’s standard guidelines.


At the beginning of November, Google publicly disclosed a ‘high’ severity security issue in GitHub; following the GitHub’s inability to fix it in 104 days – more than the standard time frame. However, GitHub users will now be pleased to know that the security hole has been plugged.


The security flaw at the time was that workflow commands – which act as a communication channel between executed actions and the Action Runner – in GitHub Actions are extremely susceptible to injection attacks. Google Project Zero’s Felix Wilhelm, who first called out the security flaw; stated that the way workflow commands are applied is ‘fundamentally insecure’.

Also Read:
– GitHub: World’s Development Platform Launches Mobile Version
DMCA Takes Down GitHub Open Source Youtube-dl Software
– GitHub Reduces Subscription Prices, Offers Free Private Repositories For Unlimited Collaborators

A temporary way around it would be to deprecate the command syntax; whereas a permanent solution would involve moving workflow commands to some out-of-bound channel; but that is also tricky because it would break dependent code. Google publicly disclosed the issue on November 2 following GitHub’s failure to fix the issue in the allotted 104 days.


Apparently, this has put some pressure on the company as the vulnerability has now been patched. The patch notes indicate that the fix is in line with Wilhelm’s proposed short-term solution:

* Disabled add-path and set-env runner commands (#779)
* Updated dotnet install scripts (#779)


The problem was fixed by GitHub a few days ago but has now been validated by the Google Project Zero team and has been marked as such on the issue repository. This brings the list of open issues reported by the security team down to nine. It includes software developed by numerous vendors including Microsoft; Qualcomm; and Apple. The only open issue present in Google’s own software is related to a pointer leak on Android; but the status of this ‘medium’ severity flaw has been open since September 2016.


For your daily dose of tech, lifestyle, and trending content, make sure to follow Plat4om on Twitter @Plat4omLive, on Instagram @Plat4om, on LinkedIn at Plat4om, and on Facebook at Plat4om. You can also email us at and join our channel on Telegram at Plat4om. Finally, don’t forget to subscribe to our YouTube channel HERE.

Post a Comment