Jaroslav Lobačevski 🇺🇦 🇱🇹

OpenAI (Open-source Application Insecurity) Researcher at GitHub Security Lab. Opinions are my own. Russian warship go http://f.ck yourself.
Security

Acknowledging those who help keep Signal safe and secure for everyone by sharing their security-related findings with us so we can improve the safety and security of Signal's software.

Signal Messenger
I have a feeling CVE-2025-30066 could have been prevented if the "tj-actions/changed-files" had the repository tag protection setting and the stolen PAT wasn't overprivileged.
Microsoft Edge is missing an opportunity here. Just keep V2 manifest support and get all uBlock Origin users fleeing Chrome
https://news.ycombinator.com/item?id=43201974
Microsoft begins turning off uBlock Origin and other extensions in Edge | Hacker News

I’ve released a new version of the GitHub Actions Permissions monitor. Say goodbye to the annoying “certificate validation” errors of the previous version! Quick info on how it works and what’s new.

The monitor action (https://gh.io/actions-permissions) installs a local @mitmproxy in the actions runner. During a regular run the proxy intercepts outgoing requests looking for the GITHUB_TOKEN and maps the requests to the permissions required to these operations.

This allows you to identify the actually used permissions from multiple runs and restrict your GitHub actions usage to the minimal required permissions.

In order to intercept the traffic, the monitor uses a self signed certificate. Some programs use their own certificate stores and don't recognize the certificate, causing “certificate validation” errors. I was fixing it case by case, but it reminded me of a whack-a-mole game.

The new version uses the `allow_host` feature of @mitmproxy to inject only the requests to GitHub. Actions usually use Curl, JavaScript or GitHub CLI to call GitHub API. These scenarios work well with the custom certificate.

So the permissions monitor is more precise and reliable now, intercepting only GitHub API requests to help you set your permissions correctly. Please give it a try to make your workflows more secure!

GitHub - GitHubSecurityLab/actions-permissions: GitHub token permissions Monitor and Advisor actions
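
An added example, not code from the post or from the actions-permissions project, of the mapping step described above: requests to the GitHub API that carry the GITHUB_TOKEN are mapped to workflow permissions and merged across a run. The token value, the sample requests and the path-to-permission table are constructed, simplified assumptions; in a mitmproxy addon the same logic would sit in the `request` hook.

```python
import re

# Constructed values: the token and requests below are made up for the example.
GITHUB_TOKEN = "ghs_EXAMPLEexampleEXAMPLE"
INTERCEPT_HOSTS = {"api.github.com"}   # only these hosts are inspected

# Assumed, simplified mapping from REST path segment to permission key.
AREA_TO_PERMISSION = {"contents": "contents", "issues": "issues",
                      "pulls": "pull-requests", "check-runs": "checks",
                      "statuses": "statuses"}
REPO_PATH = re.compile(r"^/repos/[^/]+/[^/]+/([^/?]+)")


def required_permission(method, path):
    """Return (permission, level) for a request, or None if unmapped."""
    m = REPO_PATH.match(path)
    if not m or m.group(1) not in AREA_TO_PERMISSION:
        return None
    level = "read" if method.upper() in ("GET", "HEAD") else "write"
    return AREA_TO_PERMISSION[m.group(1)], level


def minimal_permissions(requests, token=GITHUB_TOKEN):
    """Aggregate observed requests into the smallest permission set."""
    needed, unmapped = {}, []
    for host, method, path, authorization in requests:
        if host not in INTERCEPT_HOSTS:
            continue                      # not GitHub API traffic: pass through
        if authorization.split()[-1:] != [token]:
            continue                      # a different credential, not GITHUB_TOKEN
        perm = required_permission(method, path)
        if perm is None:
            unmapped.append((method, path))    # surface for manual review
        elif needed.get(perm[0]) != "write":   # write already covers read
            needed[perm[0]] = perm[1]
    return needed, unmapped


SAMPLE = [  # (host, method, path, Authorization header), all constructed
    ("api.github.com", "GET", "/repos/octo/demo/pulls/7", "Bearer " + GITHUB_TOKEN),
    ("api.github.com", "POST", "/repos/octo/demo/issues/7/comments", "token " + GITHUB_TOKEN),
    ("api.github.com", "GET", "/repos/octo/demo/issues/7", "Bearer " + GITHUB_TOKEN),
    ("pypi.org", "GET", "/simple/requests/", ""),
    ("api.github.com", "GET", "/repos/octo/demo/contents/README.md", "Bearer ghp_OTHERother"),
    ("api.github.com", "GET", "/rate_limit", "Bearer " + GITHUB_TOKEN),
]

if __name__ == "__main__":
    print(minimal_permissions(SAMPLE))
```

The first element of the result is what would go under `permissions:` in the workflow; the second lists token-bearing requests the table could not classify.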

Youtube-dl and yt-dlp arbitrary file write when downloading video from attacker's site. It is a weird case when the same CVE-2024-38519 was assigned to similar but different apps. Well, it is me to blame in the first place to tune the PoC to work on both of them... https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/
GHSL-2024-089: Path traversal in youtube-dl leading to RCE - CVE-2024-38519

youtube-dl doesn’t validate the subtitle extension name, which makes its Windows users vulnerable to path traversal and allows for arbitrary binary file overwrite when downloading a video with subtitles from a crafted link.

GitHub Security Lab

I can finally reveal some research I've been involved with over the past year or so.

We (@redford, @mrtick and I) have reverse engineered the PLC code of NEWAG Impuls EMUs. These trains were locking up for arbitrary reasons after being serviced at third-party workshops. The manufacturer argued that this was because of malpractice by these workshops, and that they should be serviced by them instead of third parties.

1/4

It makes me sad as I am Notepad++ user myself. https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__/
GHSL-2023-112, GHSL-2023-102, GHSL-2023-103, GHSL-2023-092: Buffer Overflows in Notepad++ - CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166

Multiple memory safety violations in Notepad++ opening a crafted file.

GitHub Security Lab

I enjoyed finding this vulnerability quite a lot, since it required really diving into the code to see what was happening! Also, quite fast response from the maintainers, which is uncommon :)

https://securitylab.github.com/advisories/GHSL-2023-143_GHSL-2023-144_OpenAM/

GHSL-2023-143_GHSL-2023-144: SAML signature validation bypass in OpenAM - CVE-2023-37471

Attackers can use an improper SAML signature validation to impersonate any OpenAM user, including the administrator.

GitHub Security Lab
Phishing for vulnerabilities at scale is easy with CodeQL and MRVA. Learn more about MRVA from @maikypedia in his blog post https://maikypedia.gitlab.io/posts/finding-vulns-with-mrva-codeql/ Prefer the CLI? I got you covered https://github.com/GitHubSecurityLab/gh-mrva
Finding Vulnerabilities with MRVA CodeQL

Finding Vulnerabilities with MRVA CodeQL [*] INDEX: What is MRVA? MRVA vs CodeQL suites How to setup MRVA Download CodeQL extension in VSCode Configure our Github controller Code Search tools Fishing with MRVA 🎣 Server Side Template Injection (Ruby) Unsafe Deserialization (Python) 1- What is MRVA? Is known by everyone the power of CodeQL, analyzing a repository with a single click, but with MRVA security researchers have a new way to perform security research across GitHub.

Maikypedia

Been waiting for this. Planning to add this to all my GitHub Action workflows to identify minimum permission required.

https://github.blog/2023-06-26-new-tool-to-secure-your-github-actions/ #GitHubActions

New tool to secure your GitHub Actions - The GitHub Blog

Introducing a new tool to monitor and control the permissions of the repository token for GitHub Actions.

The GitHub Blog