Checking the listed impacted web hooks I noticed that no repo's listed twice, even though some have multiple hooks defined... That makes me think the report may have a bug.
Also, many of the listed hooks show as `This hook has never been triggered`; which if correct means it wouldn't have had an issue as the compromised payload's never been sent to it.
I'll write a powershell script (well, AI will write it and then I'll tweak) to help check which webhooks have been called in this time window (or at least, say they were most recently triggered after the issue first began) to help get a more accurate report of what's concerning. If that proves useful, I'll share here.
Powershell Script to get all webhooks that have actually run (we can't filter by date; but this may wipe out a significant number):
# Authenticate via `gh auth login -s admin:enterprise` before running this script
# Save this script as c:\\temp\GHWebookAudit.ps1; then navigate to c:\\temp\ and invoke via `.\GHWebookAudit.ps1 -Orgs @("MyExampleOrg", "MyOtherExampleOrg") -InformationAction Continue`
[CmdletBinding()]
Param (
[Parameter(Mandatory)]
[string[]]$Orgs
)
$results = foreach ($org in $Orgs) {
Write-Information "Fetching ALL repositories for org [$org]..."
# gh api --paginate fetches every page and outputs a stream of JSON arrays
# We use -Raw to ensure we capture the full stream before converting
$reposJson = gh api --paginate "orgs/$org/repos?per_page=1000"
# ConvertFrom-Json can handle multiple JSON arrays in the stream
$repos = $reposJson | ConvertFrom-Json
# Sometimes the pagination returns a single array or a list of arrays;
# Ensure we are iterating over the objects themselves.
$repoList = if ($repos.GetType().IsArray -and $repos[0].GetType().IsArray) {
$repos | ForEach-Object { $_ }
} else {
$repos
}
Write-Information "Found $($repoList.Count) repositories. Starting audit..."
foreach ($repoObj in $repoList) {
$repoName = $repoObj.name
$fullRepo = "$org/$repoName"
Write-Information "Checking: $fullRepo"
# Get all hooks for the repository
$hooksJson = gh api "repos/$fullRepo/hooks" 2>$null
if (-not $hooksJson) { continue }
$hooks = $hooksJson | ConvertFrom-Json
foreach ($hook in $hooks) {
$hookId = $hook.id
$hookUrl = $hook.config.url
# Get the most recent delivery... we could pontentially check for activity between the impacted dates, but that would need additional filters/commplexity; for now keeping it relatively simple
# correction: this only goes back 3 days; so doesn't work... https://docs.github.com/en/webhooks/testing-and-troubleshooting-webhooks/viewing-webhook-deliveries
# # $deliveriesJson = gh api "repos/$fullRepo/hooks/$hookId/deliveries" --limit 1 2>$null
# instead use th eexisting hook response's last response status just to say if it has run; though that doesn't say when
# Extract last response details
$lastStatus = $hook.last_response.status
$lastCode = $hook.last_response.code
$hasEverRun = ($lastStatus -eq 'active') # active vs unused
[PSCustomObject]@{
Organization = $org
Repository = $repoName
HookID = $hookId
Active = $hook.active
URL = $hookUrl
HasEverRun = $hasEverRun
LastStatus = $lastStatus
LastHTTPCode = $lastCode
UpdatedAt = $hook.updated_at
}
}
}
}
# Final Output
if ($results.Count) {
$results | Export-Csv -Path "./Full_Webhook_Audit_Report.csv" -NoTypeInformation
Write-Information "Audit complete! $($results.Count) hooks found. Results saved to Full_Webhook_Audit_Report.csv"
} else {
Write-Information "No webhooks found across the organizations."
}
Filter for `HasEverRun=true`; if it's not run, the secrets can't have been exposed.
Review the URL; this says who you're calling. Purists would say that if you've called any endpoints there's a risk. However for most companies I'd say you can trust services provided by folk like Microsoft (they host GitHub anyway) and Snyk (if you're relying on them for security scanning, you should be able to trust them), so if you see webhooks to Azure DevOps (dev.azure.com) or to Snyk (api.snyk.io) you can assume that anything exposed there isn't a concern.
You don't need to worry about proxys on egress - since this is GitHub Cloud, so calls egress from GitHub rather than through your own network.
So the only concerns would be in house or third party developed endpoints where you feel those companies (/their employees who have access to their ingress logs) may be a risk.
Great point... On Sword and Laser (a book club/podcast) the idea of different types of reader is often discussed; i.e. what's the main driver behind liking a book:
- Plot
- World Building
- Character
- etc (There's a specific list mentioned, but I can't recall it)
That's the simpler classification side of things, so easier to code up... Your example of the canoe trip would be significanlty more complex; but definitely more a scenario worthy of AI over basic heuristics... and something that would need a conversation to drill down into (i.e. did the story evoke the scenery of their trip, or was it reflecting the relationship between the people, etc).
I don't have the data to comment on whether it was better before or after MS acquisition, but would suggest this isn't the best sample size to base any conclusions on.
It seems several people have encountered the same issues in the past week, after not seeing anything before. Sharing here as likely others are having the issue but haven't gone to the forums / maybe other Android users who aren't on FairPhones are also impacted by the issue.
Error message
Android Recovery
Fairphone/FP3/FP3
11/8901.4.A.0017.3/gms-15368f27
user/release-keys
Use volume up/down and power.
Cannot load Android system. Your data may be corrupt. If
you continue to get this message, you may need to perform
a factory data reset and erase all user data stored on this
device.
Try agian
Factory data reset
I thought sharing here may aid discovery / if we can collect data from those hitting this issue maybe we can more easily identify the underlying cause.
Checking the listed impacted web hooks I noticed that no repo's listed twice, even though some have multiple hooks defined... That makes me think the report may have a bug.
Also, many of the listed hooks show as `This hook has never been triggered`; which if correct means it wouldn't have had an issue as the compromised payload's never been sent to it.
I'll write a powershell script (well, AI will write it and then I'll tweak) to help check which webhooks have been called in this time window (or at least, say they were most recently triggered after the issue first began) to help get a more accurate report of what's concerning. If that proves useful, I'll share here.