Github's CSS Injection Exploit Was Incredible!

Brodie Robertson · Beginner ·🌐 Frontend Engineering ·2y ago

Key Takeaways

GitHub's CSS injection exploit was caused by a lack of proper user input sanitization, allowing users to inject CSS code into their profiles, repos, issues, and pull requests using the math Jax library, which was patched quickly after public disclosure

Full Transcript

over the weekend a bit of a problems discovered with how GitHub handles read me files letting you do things like this maybe you can't tell what's going on yet how about this yes it worked with gifts as well what about this one or you could be a little bit more reasonable and just make it like a Tumblr page this didn't just work on profile readms though it also worked on repo readms as well and you could even make it as obnoxious as this this has since been patched but before that all you needed to add was a line that looked like this this might look fairly complex but most of this is just CSS styling the actual minimal version of the exploit is very simple but we'll get more into how it works in just a bit now the CSS part there was very important because this is what is known as a CSS injection so we all know that through inspect element we can go and add custom CSS on our local side with a CSS injection you are changing it for every other user as well now it's unclear just how long this bug was present on GitHub because the joys of proprietary software development but we do know who originally spotted the bug they go by Cloud over on Twitter that was the first example I showed before and would you at'll be surprised to know that it's a weeb with a lucky star profile picture that spotted the bug because there seems to be a high correlation between being a weeb and being in the security industry now for reference when you spot a bug like this the correct thing to do is go to the platform report the bug give them some period until you disclose the bug and then report it publicly they didn't do this this is the first reporting of the bug and then just started posting about it oh husband you disclosed the vulnerability publicly now we don't have Bounty money and we'll be homeless now to be fair they did have an email discussion with GitHub and it was addressed within about 12 hours or so but they kind of did it in the wrong order allowing us to see things like this enough rambling what actually happened here well to put it simply a lack of proper user input sanitization which is always a recipe for disaster one of the first things I was told in university is assume that every single one of your users is malicious and everything they send you is in some way trying to break your system if something they can send you is going to affect other users or going to affect your system in a negative way make sure you check it make sure you sanitize it and make sure it is squeaky clean before you do anything with that data now GitHub like most websites out there relies on some open- Source libraries the one that we care about today is called math Jacks this is a really popular library for taking lch math ML and asky math notation and then converting it into something that can be displayed on a web page as we saw here this math bit this indicates that what we doing next is going to be something that math Jax needs to handle now the intended purpose of math Jacks is displaying things like mathematical equations but there was a bit of a problem with how it was passing this statement now the main part that we care about here is from this Unicode section onwards and this blog post here does a fantastic job at breaking down the problem also including a very very minimal example how to achieve the injection GitHub uses math Jacks to render math expressions presented in any GitHub markdown content such as read me files issue comments and po request comments yes it was also working in those as well and one of the many LC macros that math Jack support is called Unicode it allows the rendering of a Unicode character it also allows the font style of the character to be customized by letting the user pass in a custom font family like so so here we are saying draw this character here with this font turns out it is possible to inject any inline CSS within the square brackets so you can include the font family and then all of this other CSS the CSS is then injected to the style attribute of the mtex element that displays the Unicode character many have taken this opportunity to Rice up the GitHub profile Pages this will make a lot more if I show you the HTML so when we setting the font family here the only thing that is supposed to be getting set in the style option here is font family in this case to my font but it's naively taking everything in the square brackets and then just dumping it in the style setting so if you include a semicolon here which means the end of a statement you're basically breaking out of this setting right here and then including anything else you want so in this case all of this stuff and then you get something that looks more like this and then you can go even further because CSS styling let you set a background image now you can see the problem this blog post goes very deep into the code behind math Jacks that made all of this possible and I highly highly recommend you go and read it for yourself but since it is just walls and walls of text I'm going to jump ahead to the explanation let's go through the attack step by step step the code the back uni code treats anything in between the square brackets so all of this right here as the name of the font family and extracts that entire string as the value for the font family the value is stored as an attribute of MML node under font family chtml goes to the tree of MML node and Encounters this node to chtml is called on that node handle Styles and thus this. styles.css text is called as a result this transforms that string into this right here because it assumes the font family only stores the valid font family names but it doesn't realize that it's actually just turned into a full CSS style setting including everything else the produced string is then set as the value of the style attribute of the mtex node via set attribute CSS successfully injected nowhere along this chain does it actually check what is inside the square brackets it just assumes that because this is the way that this setting is supposed to be used nothing else is going to be included the one thing not explained here is this little bit at the end this is basically just saying draw this character in this case it's saying draw the empty character draw nothing there now do you want to know one of the two best parts about this this exploit never needed to be possible because you don't need to set the font family by setting the entire style there is a system in JavaScript for just setting specifically the font family and when you set it like this it automatically does sanitization so if you include something more than just the font family it's going to assume it's an invalid font going through CSS text and setting the entire Style is the harder way to do it it is the more roundabout way of doing this now this was the initial form of the exploit but it did get patched and then a slightly different variation started to exist all that happened is this slash right here was change with this string what does that string mean well it's the hex code for backslash initially they didn't properly patch this out and they just patched out specifically writing backslash you can inject backslash in other ways and that got the exploit working again at this point it seems like it is completely patched on github's side if you go to a repo or a profile that is making use of this you're going to see this error message the following macros are not allowed Unicode and then the rest of the string being written out here now I said there were two best parts here and I've only told you one of them so let's look at the second one this is not a new issue this got reported on November 13th 2023 on the math Jack repo this is marked as open but the reason it is marked as open is it's merged into the development Branch it has been in the development Branch since November 21st 2023 this has been patched for over 7 months but that does not mean that GitHub was running an older version they could be running the most up-to-date version and it wouldn't have fixed anything because the latest stable release was June 9th 2022 almost a year and a half prior to the bug being patched now there is a Beta release that came out on May 1st that does have the patch inside of it but a platform like GitHub probably shouldn't be running beta libraries so they had no way of running the patched version and no way of knowing it had already been patched this was a dumb little problem that never really needed to happen in the first place but it got fixed so quickly that really it didn't do any damage and yes there are certain things that can be done with CSS which could be problematic but hey what we saw was fun and that's all that matters so if you saw this when it was happening uh let me know your thoughts thoughts down below did you run into any repos that you were very surprised why they looked weird and did you make your repo look weird I would love to know and if there happens to be an arch do send it to me on like Twitter or something on Master on or Discord I want to see it anyway that's going to be it for me so if you like the video go like the video and if you really like the video and you want to become one of these amazing people over here Che out the patreon grabs baray Link in the description down below that's going to be it for me and inject the CSS right into my veins [Music]

Original Description

Over the weekend Github had a bit of a CSS injection problem, this allowed people to do some very amusing ricing of there Github Profiles, repos, issues and pull requests, sadly it got patched pretty quickly ==========Support The Channel========== ► Patreon: https://brodierobertson.xyz/patreon ► Paypal: https://brodierobertson.xyz/paypal ► Liberapay: https://brodierobertson.xyz/liberapay ► Amazon USA: https://brodierobertson.xyz/amazonusa ==========Resources========== Example 1: https://x.com/cloud11665/status/1799136093071163396 Example 2: https://x.com/kuromimoder/status/1799166965417984273 Example 3: https://x.com/yacineMTB/status/1799232037691564432 Example 4: https://x.com/luciascarlet/status/1799226605950116182 Example 5: https://x.com/gf_256/status/1799197013629645101 MathJAX Repo: https://github.com/mathjax/MathJax Exploit Breakdown: https://kennethnym.com/blog/mathjax-css-injection/ =========Video Platforms========== 🎥 Odysee: https://brodierobertson.xyz/odysee 🎥 Podcast: https://techovertea.xyz/youtube 🎮 Gaming: https://brodierobertson.xyz/gaming ==========Social Media========== 🎤 Discord: https://brodierobertson.xyz/discord 🐦 Twitter: https://brodierobertson.xyz/twitter 🌐 Mastodon: https://brodierobertson.xyz/mastodon 🖥️ GitHub: https://brodierobertson.xyz/github ==========Credits========== 🎨 Channel Art: Profile Picture: https://www.instagram.com/supercozman_draws/ #Linux #Github #OpenSource #FOSS #javascript #webdeveloper 🎵 Ending music Track: Debris & Jonth - Game Time [NCS Release] Music provided by NoCopyrightSounds. Watch: https://www.youtube.com/watch?v=yDTvvOTie0w Free Download / Stream: http://ncs.io/GameTime DISCLOSURE: Wherever possible I use referral links, which means if you click one of the links in this video or description and make a purchase I may receive a small commission or other compensation.
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from Brodie Robertson · Brodie Robertson · 0 of 60

← Previous Next →
1 This Linux Patch Removes Spectre & Meltdown Protections
This Linux Patch Removes Spectre & Meltdown Protections
Brodie Robertson
2 Linux's Most Degenerate Terminal Application
Linux's Most Degenerate Terminal Application
Brodie Robertson
3 You Can Buy Modern Linux Distros On A DVD??
You Can Buy Modern Linux Distros On A DVD??
Brodie Robertson
4 Bypass Paywalls Vanishes From Firefox Addon Store
Bypass Paywalls Vanishes From Firefox Addon Store
Brodie Robertson
5 CoreJS: The Web & Open Source Are Broken!
CoreJS: The Web & Open Source Are Broken!
Brodie Robertson
6 Begone GTK4, Long Live The New King GTK5
Begone GTK4, Long Live The New King GTK5
Brodie Robertson
7 Flathub Finally Adds Much Needed Flatpak Feature
Flathub Finally Adds Much Needed Flatpak Feature
Brodie Robertson
8 Google Should Be Worried About ChatGPT Bing
Google Should Be Worried About ChatGPT Bing
Brodie Robertson
9 How To Never Improve The Linux Wayland Experience
How To Never Improve The Linux Wayland Experience
Brodie Robertson
10 Fedora Linux Unveils New 5 Year Roadmap
Fedora Linux Unveils New 5 Year Roadmap
Brodie Robertson
11 Linux Desktop Randomly Stuttering? Here's Why #shorts
Linux Desktop Randomly Stuttering? Here's Why #shorts
Brodie Robertson
12 Why We Need Even More Linux Distros!?!
Why We Need Even More Linux Distros!?!
Brodie Robertson
13 This Wayland Change Will Improve Linux Forever
This Wayland Change Will Improve Linux Forever
Brodie Robertson
14 Ubuntu Linux Was Once Spyware Says EFF & Stallman
Ubuntu Linux Was Once Spyware Says EFF & Stallman
Brodie Robertson
15 Rise Of A New Kind Of Linux Package Manager
Rise Of A New Kind Of Linux Package Manager
Brodie Robertson
16 Rolling Release Linux Distro Probably Isn't For You
Rolling Release Linux Distro Probably Isn't For You
Brodie Robertson
17 Ubuntu Flavors Put An End To Shipping Flatpak
Ubuntu Flavors Put An End To Shipping Flatpak
Brodie Robertson
18 WINE Will Finally Run On Wayland NATIVELY!!
WINE Will Finally Run On Wayland NATIVELY!!
Brodie Robertson
19 No ZDNET, Linux 6.2 WILL NOT Run On M1 Macs
No ZDNET, Linux 6.2 WILL NOT Run On M1 Macs
Brodie Robertson
20 Ubuntu Linux Announces New Kind Of Mini ISO??
Ubuntu Linux Announces New Kind Of Mini ISO??
Brodie Robertson
21 Fedora Linux Finally Kills Off Delta RPM
Fedora Linux Finally Kills Off Delta RPM
Brodie Robertson
22 Linus Torvalds Is Sick Of Useless Git Merges
Linus Torvalds Is Sick Of Useless Git Merges
Brodie Robertson
23 Arch Linux Bricks Dual Boot With One Kernel Change
Arch Linux Bricks Dual Boot With One Kernel Change
Brodie Robertson
24 Linux AppImage Finally Addresses Greatest Flaw!!
Linux AppImage Finally Addresses Greatest Flaw!!
Brodie Robertson
25 Refusing To Use Windows For "Religious Reasons"
Refusing To Use Windows For "Religious Reasons"
Brodie Robertson
26 GNOME Shell & Mutter Finally Drop GTK3!!
GNOME Shell & Mutter Finally Drop GTK3!!
Brodie Robertson
27 11 Documents Showing Microsoft Tried To Destroy Linux
11 Documents Showing Microsoft Tried To Destroy Linux
Brodie Robertson
28 Manjaro Linux Is The Joke That Never Ends
Manjaro Linux Is The Joke That Never Ends
Brodie Robertson
29 The New Ubuntu Linux "Flavor" We All Expected
The New Ubuntu Linux "Flavor" We All Expected
Brodie Robertson
30 NEVER Write Git Commit Messages With ChatGPT
NEVER Write Git Commit Messages With ChatGPT
Brodie Robertson
31 Why GNOME? Why Didn't KDE Takeover Linux?!?
Why GNOME? Why Didn't KDE Takeover Linux?!?
Brodie Robertson
32 Discord Tried To END This Reverse Engineered Server
Discord Tried To END This Reverse Engineered Server
Brodie Robertson
33 Mesa 23 Makes Linux Shader Stuttering A Thing Of The Past
Mesa 23 Makes Linux Shader Stuttering A Thing Of The Past
Brodie Robertson
34 Linux Kernel Broke A Feature NOBODY Uses!
Linux Kernel Broke A Feature NOBODY Uses!
Brodie Robertson
35 Manjaro Broke Asahi Linux... AGAIN!!!
Manjaro Broke Asahi Linux... AGAIN!!!
Brodie Robertson
36 Linux Hasn't Become Complicated & Limiting | Distrotube Reply
Linux Hasn't Become Complicated & Limiting | Distrotube Reply
Brodie Robertson
37 Ubuntu Linux's Steam Snap Is Almost Stable
Ubuntu Linux's Steam Snap Is Almost Stable
Brodie Robertson
38 Wayland Is Linux's Future, But Why Do I Care?
Wayland Is Linux's Future, But Why Do I Care?
Brodie Robertson
39 John Deere Refuses To Respect Free Software & GPL
John Deere Refuses To Respect Free Software & GPL
Brodie Robertson
40 Why BSD Documentation Is Just Better Than Linux
Why BSD Documentation Is Just Better Than Linux
Brodie Robertson
41 KDE Fixes Discord On Wayland Because Discord Can't
KDE Fixes Discord On Wayland Because Discord Can't
Brodie Robertson
42 Xorg Foundation Has A Serious Problem
Xorg Foundation Has A Serious Problem
Brodie Robertson
43 Manjaro Linux's Biggest Drama That Never Happened
Manjaro Linux's Biggest Drama That Never Happened
Brodie Robertson
44 I'm Leaving Arch Linux For A Better Distro!!
I'm Leaving Arch Linux For A Better Distro!!
Brodie Robertson
45 Red Hat Linux Once Featured A REDNECK Translation
Red Hat Linux Once Featured A REDNECK Translation
Brodie Robertson
46 Android Authority Doesn't Understand Linux or Android
Android Authority Doesn't Understand Linux or Android
Brodie Robertson
47 Switching To Wayland: Why I'm Daily Driving Hyprland
Switching To Wayland: Why I'm Daily Driving Hyprland
Brodie Robertson
48 Private Security Patching Is A Nightmare In Open Source
Private Security Patching Is A Nightmare In Open Source
Brodie Robertson
49 Xorg Vs Wayland Is Just A Technical Detail
Xorg Vs Wayland Is Just A Technical Detail
Brodie Robertson
50 Why Did Fedora Linux Drop Its Wacky Release Names?
Why Did Fedora Linux Drop Its Wacky Release Names?
Brodie Robertson
51 KDE App Theming On Other Desktops Is A Mess
KDE App Theming On Other Desktops Is A Mess
Brodie Robertson
52 Xenocara: That X11 Server That Isn't Xorg
Xenocara: That X11 Server That Isn't Xorg
Brodie Robertson
53 PopOS New COSMIC Desktop Has Me Excited Again!
PopOS New COSMIC Desktop Has Me Excited Again!
Brodie Robertson
54 Hilarious GNOME Archive Bug Finally Gets Addressed
Hilarious GNOME Archive Bug Finally Gets Addressed
Brodie Robertson
55 Rust Foundation Has A Serious Trademark Problem
Rust Foundation Has A Serious Trademark Problem
Brodie Robertson
56 Top 5 Best Hyprland Linux Features
Top 5 Best Hyprland Linux Features
Brodie Robertson
57 Installing Linux Software Is More Confusing Than Ever
Installing Linux Software Is More Confusing Than Ever
Brodie Robertson
58 Clipboard: Simple Unified Linux Clipping Tool
Clipboard: Simple Unified Linux Clipping Tool
Brodie Robertson
59 Solus Linux Returns From The Distro Afterlife
Solus Linux Returns From The Distro Afterlife
Brodie Robertson
60 uBlue Linux: Immutable Fedora With Batteries Included
uBlue Linux: Immutable Fedora With Batteries Included
Brodie Robertson

The GitHub CSS injection exploit was a significant vulnerability that allowed users to inject custom CSS code into their profiles and repos, highlighting the importance of proper user input sanitization and web security measures. This exploit was patched quickly, but it serves as a reminder of the potential risks associated with web development and AI-powered security. To learn from this exploit, viewers should understand the basics of CSS injection, user input sanitization, and Unicode characte

Key Takeaways
  1. Understand the basics of CSS injection and its potential risks
  2. Learn about user input sanitization techniques and their importance in web security
  3. Recognize the potential risks associated with Unicode character rendering
  4. Use HTML, CSS, and JavaScript effectively to prevent CSS injection exploits
  5. Stay up-to-date with the latest web security measures and best practices
💡 Proper user input sanitization is crucial in preventing CSS injection exploits, and web developers should be aware of the potential risks associated with Unicode character rendering and JavaScript sanitization.

Related Reads

Up next
How to Speed Up Your WordPress Website with WP Rocket ⚡Tutorial 2026
Matt Tutorials
Watch →