Recently I was invited to a project on UpWork by someone claiming to have issues running his code. Before he started the contract, I was invited to a GitHub repository, accepted - and executed the code locally. Nothing looked suspicious, until I delved deeper into the code. Lesson learned: never run untrusted code on your machine.
I have a fairly active UpWork profile where I tend to find some interesting projects to work on. I regularly get invited to projects, and was recently invited to a project by someone who claimed to have issues running his code.
The first red flag I skipped was that the work was React-related - and I haven’t put React on my UpWork profile (I mostly do Go). I replied that I have some experience with React, but I’m not an expert.
Before starting the contract, the client invited me to their GitHub page and asked me to look at the issue they were having. I accepted the invitation and cloned the repository to my local machine. I don’t usually do this (I ask them to start the contract), but quite often I do it to see if the project is something I can work on.
I opened the project in my editor and ran npm install and npm start. I was able to get to the login screen and everything seemed to be working fine. I asked the client to start the contract (as I got the project running) and how to login to the application.
I did notice that the user kept their secrets in a .env file (which was available in the repository) - but I assumed that to be a not uncommon mistake. The potential client never replied, and I moved on to work on something else.
Four days later a GitHub user invited me to his repository, with a short README explaining the issue, from which I realized that I was in for a treat.
This project has a backend that does many things. Among others - it tries to get all Gmail emails and contacts and upload them to a CRM named Keap. Since the project had multiple API keys - I tested them all and the one for Keap was working (AWS, OpenAI and Sendgrid were not). I was able to query Keap and see that my contacts were not in the database.
A lesson learned here is to never run untrusted code on your machine. Obviously I wasn’t the only one targeted by this and UpWork isn’t the only platform where this happens.
For anyone willing to investigate - I cloned the repository and uploaded it to my GitHub. I obfuscated the API keys.
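A pre-run check for a freshly cloned repository like the one above, added here as an example and not taken from the original post or the repository it describes: it lists every command that npm install and npm start would execute from package.json, and which variables in a committed .env file carry values. The function names and the sample package.json and .env contents are constructed for illustration.

```javascript
// Hooks npm runs for the root package, per npm's documented lifecycle order.
const HOOKS = {
  "npm install": ["preinstall", "install", "postinstall", "prepublish",
                  "preprepare", "prepare", "postprepare"],
  "npm start": ["prestart", "start", "poststart"],
};

// Every shell command the two commands would execute, in order.
function commandsRun(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const out = [];
  for (const [trigger, hooks] of Object.entries(HOOKS)) {
    for (const hook of hooks) {
      if (typeof scripts[hook] === "string") {
        out.push({ trigger, hook, command: scripts[hook] });
      }
    }
  }
  // With no "start" script, npm falls back to running server.js.
  if (typeof scripts.start !== "string") {
    out.push({ trigger: "npm start", hook: "start (default)", command: "node server.js" });
  }
  return out;
}

// Names of variables in a committed .env file that have a value (values are never echoed).
function committedSecretNames(envText) {
  const names = [];
  for (const raw of envText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (m && m[2].replace(/^["']|["']$/g, "") !== "") names.push(m[1]);
  }
  return names;
}

// Constructed sample input, not taken from the repository in the post.
const samplePackageJson = JSON.stringify({ scripts: {
  postinstall: "node scripts/setup.js",
  start: "node server/index.js & react-scripts start",
  test: "react-scripts test",
} });
const sampleEnv = "# constructed\nKEAP_API_KEY=PLACEHOLDER\nOPENAI_API_KEY=\"PLACEHOLDER\"\nUNSET=\n";

for (const c of commandsRun(samplePackageJson)) {
  console.log(`${c.trigger} -> [${c.hook}] ${c.command}`);
}
console.log("values committed for:", committedSecretNames(sampleEnv).join(", "));
```

The listing only covers the root package's entry points; dependencies can declare their own install hooks, so npm install --ignore-scripts and reading the files those commands launch are still needed before anything runs.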