Excessive GitHub organization permissions
Description
Several members of DexFi's GitHub organization have the "owner" role. Of 10 overall members, 5 are granted ownership. Organization owners have full administrative access to the organization. This level of access is overly broad and excessive, as most organization members only require a smaller breadth and depth of permissions to function. Granting members ownership should be reserved for true owners who require full access, or for ensuring ownership continuity by adding an additional owner if there is only one as recommended by GitHub.
Impact
Members with ownership over the organization can change any administrative setting, which diminishes the value of every properly configured security control. Beyond an employee with ownership using those permissions to non-maliciously bypass operational security practices, the compromise of an owner's account or an insider threat incident could have severe consequences, including modifying or deleting code or accessing secrets that would allow further damage across additional services.
Recommendations
The principle of least privilege should be followed when configuring organization access. If a user does not require certain permissions to complete their designated tasks, then they should not be given those permissions. If users do need organization ownership to complete their tasks, then other adjustments to the authorization model should be made so that such broad permissions are no longer required. All users should be assessed to determine which permissions are necessary and have their roles updated to include only those permissions.
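One way to turn this recommendation into a repeatable check, as an added example that is not part of the original finding or of DexFi's tooling: the script below lists the organization's owners through the GitHub REST API (GET /orgs/{org}/members with role=admin) and compares the count against an owner ceiling. The ceiling of two owners (one primary owner plus one for continuity) is an assumed policy value, the token and organization name come from the environment, and the embedded membership data is constructed to mirror the 10-member / 5-owner situation described above, not DexFi's real membership.

```python
"""Audit the owner count of a GitHub organization against a least-privilege ceiling.

Added example; assumes a token with read:org scope in GITHUB_TOKEN and the
organization name in GITHUB_ORG. Without them it runs against constructed data.
"""
import json
import os
import sys
import urllib.request

API = "https://api.github.com"

# Constructed sample (not real accounts); shape follows the member objects
# returned by GET /orgs/{org}/members. Only the "login" field is used.
SAMPLE_MEMBERS = [{"login": f"member-{i}"} for i in range(1, 11)]  # 10 members
SAMPLE_OWNERS = [{"login": f"member-{i}"} for i in range(1, 6)]    # 5 of them owners


def fetch_members(org, role, token):
    """Return all members of `org` with the given role filter.

    `role` is one of the values the endpoint accepts: 'all', 'admin' (owners)
    or 'member'. Pages through results 100 at a time until an empty page.
    """
    members = []
    page = 1
    while True:
        url = f"{API}/orgs/{org}/members?role={role}&per_page=100&page={page}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return members
        members.extend(batch)
        page += 1


def assess_ownership(members, owners, max_owners=2):
    """Compare the owner count with a least-privilege ceiling.

    max_owners=2 is an assumed policy value: a single true owner plus one
    additional owner for continuity. Anything above that is flagged so each
    extra owner can be reviewed and, where possible, moved to a narrower role.
    """
    owner_logins = sorted(m["login"] for m in owners)
    member_logins = {m["login"] for m in members}
    owner_count = len(owner_logins)
    member_count = len(member_logins)
    return {
        "member_count": member_count,
        "owner_count": owner_count,
        "owner_ratio": round(owner_count / member_count, 2) if member_count else 0.0,
        "owners": owner_logins,
        "excess": owner_count > max_owners,
        "excess_count": max(0, owner_count - max_owners),
    }


def format_report(result):
    """Render the assessment as a short human-readable finding summary."""
    status = "FINDING" if result["excess"] else "OK"
    lines = [
        f"[{status}] {result['owner_count']} of {result['member_count']} members are owners "
        f"(ratio {result['owner_ratio']}, {result['excess_count']} above ceiling)",
    ]
    lines.extend(f"  owner: {login}" for login in result["owners"])
    return "\n".join(lines)


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    org = os.environ.get("GITHUB_ORG")
    if token and org:
        members = fetch_members(org, "all", token)
        owners = fetch_members(org, "admin", token)
    else:
        print("GITHUB_TOKEN/GITHUB_ORG not set; using constructed sample data", file=sys.stderr)
        members, owners = SAMPLE_MEMBERS, SAMPLE_OWNERS
    report = assess_ownership(members, owners)
    print(format_report(report))
    sys.exit(1 if report["excess"] else 0)
```

Run it from a scheduled job or CI step so a non-zero exit surfaces any drift back toward the state described in this finding; the ceiling is an argument so it can be tuned to whatever continuity policy the organization adopts.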
Remediation
DexFi has acknowledged this issue and stated the following:
All members of the DexFi GitHub organization have had the "owner" role removed, except for the DexFi admin account. Furthermore, all GitHub users in the organization are now required to have 2FA (two-factor authentication) enabled, in accordance with the findings from the security audit.