GitHub Vulnerability Lets Malicious Repos Leak User Credentials

Critical security vulnerabilities were recently uncovered in Git-related projects, including GitHub Desktop, Git Credential Manager, Git LFS, and GitHub Codespaces. They involve improper handling of text-based protocols and could allow attackers to leak user credentials.

This discovery highlights significant risks in software security, particularly in credential management mechanisms.

Git uses the Git Credential Protocol to retrieve credentials from a credential helper, which stores and provides them (e.g., git-credential-store, git-credential-winstore, git-credential-osxkeychain). Improper message handling has led to vulnerabilities and potential credential leaks in many projects.
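The message format behind this protocol can be made concrete with a strict encoder and decoder that refuse anything a line-based parser could misread. This is an added example, not code from Git or from any of the affected projects; the function names and the sample host are hypothetical, and the format follows the git-credential documentation (one `key=value` attribute per line, message ended by a blank line).

```python
# Added example: strict handling of Git credential protocol messages.
# Values may not contain newline or NUL per the git-credential docs; rejecting
# carriage return as well is a conservative choice made in this example.
FORBIDDEN = ("\n", "\r", "\0")


class CredentialProtocolError(ValueError):
    """Raised when a message cannot be represented or parsed safely."""


def encode_message(attrs):
    """Serialize attributes, refusing any key or value that could split a line."""
    lines = []
    for key, value in attrs.items():
        if not key or "=" in key or any(c in key for c in FORBIDDEN):
            raise CredentialProtocolError(f"invalid key: {key!r}")
        if any(c in value for c in FORBIDDEN):
            raise CredentialProtocolError(f"control character in value of {key!r}")
        lines.append(f"{key}={value}\n")
    return "".join(lines) + "\n"  # blank line terminates the message


def decode_message(data):
    """Parse one message; fail closed on malformed or ambiguous lines."""
    attrs = {}
    for line in data.split("\n"):
        if line == "":
            break  # end of message
        if "\r" in line or "\0" in line:
            raise CredentialProtocolError(f"control character in line: {line!r}")
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise CredentialProtocolError(f"malformed line: {line!r}")
        attrs[key] = value  # simplification: a repeated key keeps the last value
    return attrs


if __name__ == "__main__":
    # Constructed sample request, as sent to a helper for a lookup.
    request = encode_message({"protocol": "https", "host": "git.example.test"})
    print(repr(request))
    print(decode_message(request))
    # A value carrying an embedded line break is refused, not forwarded.
    try:
        encode_message({"protocol": "https", "host": "git.example.test\nhost=x"})
    except CredentialProtocolError as err:
        print("rejected:", err)
```

Both sides of the exchange should apply the same rules, so a value that one component accepts is never split into extra attributes by the other.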

Git communicates with the credential helper by…
