Grey Wizard

Git hacking

Git is a version control system. It has plenty of functions which can also be used for unethical purposes.

History editing

History editing is a very useful function in terms of cybersecurity. Imagine the following situation: a website was developed by one person and its repository was kept in git. Although it is regarded as bad practice, passwords were kept in the repository. The project grew and another person joined to help. In such a situation, keeping passwords in the repository (e.g. for Amazon services) is extremely irresponsible. Of course, the passwords may be deleted and a new repository created without them, but that discards the history of changes. In such a case we can make use of git itself. The script below deletes the 'passwords.txt' file from the history:

# a file which we want to delete from the history
UNSAFE_FILE="passwords.txt"
# identifier of the commit from which we edit the history, in this case this will be the first commit
FIRST_COMMIT=$(git rev-list HEAD | tail -n 1)
# local clearing of the history
# (double quotes, so that ${UNSAFE_FILE} is expanded before the filter runs)
git filter-branch --index-filter "git rm --cached --ignore-unmatch ${UNSAFE_FILE}"
# publishing the rewritten history
git push --force

Apart from deleting sensitive data from a repository, it is also possible to delete key files this way. It is therefore worth blocking the possibility of executing the git push command with the --force flag.

Publishing changes on behalf of a colleague

Another interesting function of git is the possibility of publishing changes as any person. It is easy to imagine someone playing a joke on a project which the entire team works on. How is such an attack made? Firstly, we have to obtain our colleague's e-mail address and name. With access to the victim's computer, we obtain such data by means of the commands:

  • git config user.name
  • git config user.email

But in this case we have no access to the victim's computer – only access to a repository. All these data are contained in the repository so it is enough to know an appropriate command:

git log

Using the --author switch it is possible to narrow the list of displayed results, for example:

git log --author="jane"

Executing the git log command displays a list of commits in the following form:

commit e5f70869bbb5914cf8836829d30ac8187bcb774b
Author: jdoe <>
Date: Fri Mar 10 10:13:56 2017 +0100

  Update README.txt

Now, we have all data necessary for performing an attack. Let us analyse the script below:


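TMP_GIT_NAME="jdoe"               # victim's name, as shown by git log
TMP_GIT_EMAIL="jdoe@example.com"  # placeholder for the victim's e-mail shown by git log
OLD_GIT_NAME=$(git config user.name)
OLD_GIT_EMAIL=$(git config user.email)

# substituting the settings with the victim's data
git config user.name "${TMP_GIT_NAME}"
git config user.email "${TMP_GIT_EMAIL}"
# publishing changes
git add .
git commit -m "My important changes"
git push
# restoring the initial settings
git config user.name "${OLD_GIT_NAME}"
git config user.email "${OLD_GIT_EMAIL}"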

The first two lines define variables holding the personal information of the attack's victim. The next two lines load the current git settings; then the settings are replaced with the victim's data, the changes are published and finally the initial data are restored. The attack is extremely simple and requires neither particular knowledge nor specialist tools.

Attack possibility

An attacker who has access to a repository may, in the above manner, introduce their own backdoor into the code without arousing the suspicion of the team working on the project, in effect gaining access to the production machine.

Signing commits with a GPG key

In order to secure against such an attack, it is necessary to sign commits with a GPG key. A commit signed with an incorrect key will be marked appropriately, e.g. on GitHub.
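
One way to check for this locally, as an added example that is not code from the original article: a POSIX shell audit that lists every commit not covered by a good signature, using git's %G? signature-status placeholder. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): list commits whose signature does not
# verify, so a commit published under a colleague's name stands out.

# classify_commits reads "hash|status|author" lines, where status is git's
# %G? code, and prints one finding per commit lacking a good signature.
# Returns 0 when every commit verified, 1 otherwise.
classify_commits() {
    findings=0
    while IFS='|' read -r hash status author; do
        [ -n "$hash" ] || continue
        case "$status" in
            G) continue ;;   # good signature from a valid key
            U) reason="good signature, key validity unknown" ;;
            N) reason="no signature" ;;
            B) reason="bad signature" ;;
            E) reason="signature cannot be checked (e.g. missing key)" ;;
            X|Y) reason="signature or signing key expired" ;;
            R) reason="signing key revoked" ;;
            *) reason="unrecognised status '$status'" ;;
        esac
        printf '%s  %s  claimed author: %s\n' "$hash" "$reason" "$author"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# audit_repo runs the check over a revision range (default: HEAD) of the
# repository in the current directory; gpg must hold the team's public keys.
audit_repo() {
    git log --format='%H|%G?|%an <%ae>' "${1:-HEAD}" | classify_commits
}

# Constructed sample in the same format, so the logic can be tried offline.
SAMPLE='1111111|G|jane <jane@example.com>
2222222|N|jdoe <jdoe@example.com>
3333333|B|jdoe <jdoe@example.com>'

printf '%s\n' "$SAMPLE" | classify_commits || echo "unverified commits found"
```

On a real repository, call audit_repo with a revision range; commits signed by teammates whose public keys are missing from the local keyring are reported with status E.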

Changing the author of existing commits

Git allows not only publishing changes on behalf of a colleague, but also becoming the author of a colleague's previously published changes. We prepare a script ~/ and paste the following code:

git filter-branch --env-filter '
' --tag-name-filter cat -- --branches --tags

The substitution of an author will now consist in the execution of the following commands:

git clone --bare
cd repo.git
git push --force --tags origin 'refs/heads/*'

In order to protect against such an attack we should use protected branches on GitHub.

Andrzej Prałat
Grey Wizard
