Slashdot Mirror
GitHub Hacked
MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."
That's what you get when you allow Italians like this guy on America's internet. Don't say I didn't warn you.
The remedy is that we all need to be more proactive about patronizing Wisconsin cheese and California wine.
UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
Oh wait.. this is an open source community that understood what his intentions where and didn't have a knee jerk reaction. What I guess intelligence trumps mass panic and ignorance.
So, somebody hacked into a computer system to gain access to open source software. Brilliant.
Well this is an ironic situation. Good thing he had good intentions lol. I find it funny that since this guy hacked github and they fixed it. But seriously, shouldn't people hire hackers like him to make projects move faster ? l Sincerely believe that if they "work" together, projects would move faster for sure lol.
...to never use Ruby on Rails or trust any developer who uses it. Such a horrid framework backed by the most elitist pricks I've ever seen. I'm glad they got hacked. The more negative press they get to better. Kick those faux devs out on to the street.
To those Mac fanboys out there who think they are "developers". Grow up, use a real OS, and use a real goddamn language and framework.
Also, GitHub sucks. This should be obvious by their choice of framework to run their site.
This lowers the trust of the Linux source a notch. Who can really go over every line of code in the source to make sure someone hasn't already snuck in something malicious years ago?
Although the advantage of open source is that more eyes can go over it.
I think it's time to think about repository for strategic software, like Linux, GCC and so on.
Such a hacking can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep to evade any check.
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Fortunately, git is a distributed version control system, meaning that, usually, there is a copy of the sources and history information elsewhere.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
...as if millions of voices suddenly cried out from coffee shops in terror and were suddenly pwned. I fear something terrible, and totally predictable, has happened.
Just wait a few years, Ruby on fails will strike back!
In a related story, the sun rose in the east today.
he could have added a one character integer overflow to net/ipv4/tcp_input.c
What's GitHub?
This guy is very good example of what the real hacker is, and what they should be. Kudos man.
The word means what it means now. Sorry. Hacking and cracking are the same thing now. The words meaning has changed. You can thank 30 years of Hollywood movies and 24 hour news for that.
The 'maker' community really shows more what 'hacker' used to mean. You can still use 'that is a cool hack'. But hack, that even has changed to mean 'quick and dirty will probably break at some point'. If one of my co-workers say to me 'i hacked this together' it is usually followed quickly by 'it will probably break'.
You are going to have to let it go, or change hollywoods mindeset and all the news networks mindset in using the 'proper' word (good luck with that).
Words change. Either move on with everyone else or be left behind.
Your choice.
Gone!
In this situation, the term hacking is the correct usage of the term. As per your posted link,
"Hackers will sometimes do questionable legal things, such as breaking into systems, but they generally will not cause harm once they break in."
Homakov only made superficial changes to allow him to commit a snide remark to illustrate and publicize the inherent weakness in a cloud storage system used by many independent developers and commercial entities.
In almost any other situation I would side with you on the horrible misuse/overuse of the term "hacking".
That could've gone a lot worse...and to think many stupid countries are trying to make such benevolent activities illegal.
"When information is power, privacy is freedom" - Jah-Wren Ryel
These days the only way to get some guys to fix their code is to pwn it.
Whoa, whoa, someone really goes on a tangent there! You're saying that if there's for example a security vulnerability in e.g. Spotify I can just go around saying it just proves how insecure whole Windows is?
No, this isn't a security vulnerability in Linux, this was a vulnerability on Github's Ruby on rails - installation, nothing more. Ruby on rails is useable on multiple platforms, too, so this would have been just as big a security issue if they ran it on Windows.
Geesh, you ACs and your ignorant comments..
the inherent weakness in a cloud storage system
You may want to look at what he actually did. The problem is people who don't understand "mass assignment protection" dumping rails apps on the internet with CRUD functionality and "sensitive" portions of the data.
There's an inherent conflict between just being able to scaffold something up "instantly" and keeping certain attributes locked away from the average users, and this inherent conflict has never been decisively resolved. Any time you have a tool that makes it easy to CRUD, you're going to end up with people going too far and not protecting anything. Going crazy and locking it down is just going to make the 99% of users who don't need it fork, and the 1% who do need it only putting in enough effort to re-open it.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
https://github.com/rails/rails/issues/5228
is a very sad thing to read. basically, he reported this really awful default behavior days ago, and got brushed off by rails maintainers.
I choose left behind.
Apparently GitHub's own admin isn't "pro" enough...
I care.
I host projects on github. I'm glad someone like him figured it out in a decent way instead of some scumbag criminal.
Matt Damon
duuuuude, wrong thread
"To use the find_mass_assignment plugin, simply install it from GitHub as follows:"
lol.
Aliens.
Fortunately, GIT itself, which is a replicated central code revision system, isn't vulnerable to single point repository attack. Thus, he could've injected something, but *any* of the developers would've noticed when they tried to sync local and remote repos. (In fact, this is probably how his commit was discovered.)
So, for all you worry-worts complaining about possible code injections into src, there shouldn't be anything to worry about.
Dafenatily.
Not with git.
Git is designed from start make any such messing with the source code instantly evident. That's because every developer has a full copy of the source code _and_ history, cryptographically signed. So if anybody changed a comma in any file it will be _immediately_ evident. Much more than a red cloud around you in a public pool. It also makes losing the history of the code virtually impossible (I mean git, not the red stuff around you).
At this point this is practically a troll.
The battle is over and we lost. Insisting on differentiating between hacking and cracking is just silly now. The word never caught on and never will.
It is not troll. A spade is always a spade, whatever else you may want to call it.
There are 2 types of people in the world - those who understand decimal and those who don't.
Ruby on Rails - the perfect blend of poor performance (Ruby) and gaping holes (Rails).
Let's call it what it is, Anti-Social Media.
OK, the blog is slashdot'd at the moment, but lets see if I have this right. Basically, you take an active record and just copy values from the POST data into it and then save it ... and this is the default behaviour? Do I have that right because, is so .... .... dear god, what were the ruby-on-rails people smoking when they thought that was a clever idea, its puts ROR on a level with PHP and its magic global variables. Note only that, but what were the github people smoking, the same? Using an insane facility is doubly insane.
Methinks a lot of people need to go and read some web design stuff and realise that active records (or models - django users take not) are not synonymous with the "Model" (business logic) in MVC.
But Ruby is just so much more...PRODUCTIVE! Once again we learn the error of trusting Ruby scripters with the security of our systems.
"Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others.
Linux??? Can we mod summary as troll? Linux has its origin repository in kernel.org and is distributed over cloned repositories all over the world including my laptop. One can't simply inject a commit into one of those repositories (such as github) and expect it to automatically propagate into kernel.org.
Furthermore, even if you manage to inject a commit into some random project at Github, high are the chances that it would be detected by another developer. Who commits to a repository without reading the commit history?
Now, this Rails vulnerability is rather serious and deserves attention but this article is just plain FUD against github. Congratulations!
At least the message was understood loud and clear... It took a couple of hours and a commit to Rails was made to change the default: https://github.com/rails/rails/commit/641a4f62405cc2765424320932902ed8076b5d38
Peter, APK, my love,
You forgot to sign your incoherent rant, that's unusual, especially as per you vs. your mad yourself
Your Precious
http://youtu.be/5NNOrp_83RU
Always?
-1 overrated isn't the same thing as "I disagree".
People are playing apologists for RoR, all singing together: "nothing to see here, thanks to Git Linux (and all the other projects hosted here) shall not get pwned".
Now I agree with the Git part, and that is a very good thing that any wannabe hacker trying to inject a backdoor by modifying Linux shall be caught near-instantly thanks to Git's (very secure) nature.
But shouldn't all these apologists step back a bit and admit that there's a very serious issue here: RoR's security model full of holes?
Like... RoR. Exploit. Anyone?
Touché! :-)
There are 2 types of people in the world - those who understand decimal and those who don't.
Everytime a PHP story is posted, the rail fans rant about PHP's insecurity... yet here a massive flaw in rails basic design has rendered every single rails project out there vulnerable... wonder if the rail fans will acknowledge this massive failure AND the rail team slow response to this in the future. Doubt it.
But don't worry. I will remind them ;)
The lesson here? Never claim your project is more secure because someone somewhere is browsing your root directory right now.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Why do people who gain such knowledge insist on pulling this kind of crap. Why not just attempt to disclose the bug to the site owners and let them fix it. If they refuse, post the info publicly to force their hand. Defacing a project on the site is like a 3 year finding a crayon and looking up and seeing that there's a wall to draw on.
...quicker, easier, more seductive the darkside is...but more powerful, it is not.
I'm told you can find lots of low performance and gaping holes in Las Vegas, too.
I know it's not that commonly used by webapps but 15 years or so there have been extensive explanation as to how you could cryptographically sign every single POST request so that: a) fixed input parameters could not be modified b) no additional parameters could be added to the POST and c) restriction could be put on what 'user supplied' input parameters could contain.
Are the RoR developers *that* clueless?
Their off topic illogical trolling only proves your points even more APK (with their weak mod downs too), rest assured on that account.
When did Microsoft and Oracle start doing Open Source maintenance? Or did the GitHub team download their development principles and follow those instead of doing security reviews?
Both Microsoft and Oracle are notorious for leaving reported bugs open for years unless someone demonstrates an effective exploit using the bug. But historically, Open Source projects have taken such risks seriously and closed the holes long before an exploit showed up.
To me, that "constant maintenance" aspect of open source is it's biggest selling point compared to closed-source products. Not only can people review code and find weaknesses, they can either fix them or submit them as bugs for a project, secure in the knowledge that it will be dealt with.
Apparently that's not the case with all OSS projects. And that's a shame -- because aside from vendor lock-in, this has always been one of the most important "features" that the OSS cognoscenti have preached.
I consider the application of timely repairs and updates so important to security that I built a system whose primary purpose is not to develop initial core application code, but to apply such fixes to all projects under maintenance!
I do not fail; I succeed at finding out what does not work.
like facebook? hardly anyone uses that piece of crap.
http://soylentnews.org/~tibman
This guy should be given a medal. It's not often people will take personal risks for the greater good. Even some of those his actions were to benefit the most aren't properly thankful. I tip my hat to you sir.
And next we're taking back porch monkey.
And Those homosexuals have no right to use the word gay.
And what's with spam protection? I don't need protect'n from no meat in a can, thank you.
Does no one understands how language works? First meaning only! It's been that way since the beginning of time! Why are you all looking at me as if I'm ignorant?
Steve? Is that you? You know when you wave your arms and dance like a monkey people laugh at you!
I want this account deleted.
I'm fairly certain the amount of PHP in your standard Ruby on Rails installation is relatively minor.
This isn't actually a hole in rails.. If you use mass assignment, you need to protect attributes you don't want assigned with attr_protected on your model.
:password => 'hacked'})
:password
If you don't want people to do this:
@user.update_attributes({:favorite_color => 'blue',
You need to do this:
class User < ActiveRecord::Base
attr_protected
end
Here (proving his points for him, since you resort to that) -> http://it.slashdot.org/comments.pl?sid=2707867&cid=39250601
hardly anyone uses that piece of crap
Half right
/ducks
Please respect this, once and for all, when posting stuff like this: "Hacking" is NOT "Cracking"!
http://www.geek.com/forums/topic/hacking-and-cracking
Are you on Hack-cocaine?
from https://github.com/rails/rails/issues/5239
I'm Bender from Future
ALL UR ISSUES ARE BELONG TO US
geez. github y u SO open?
...made my day.
To calm any fears that no rogue commits have been added as a result of this hack?
Is git log enough and looking at the last datetime stamp?
Git was written by Linus - the inventor of Lunix. It's a fact that Microsoft Windows is 67% more secure than Lunix which is why do many of my clients gave up on their forays in to Lunix. Yesterday I wiped my last installation of Lunix from my computer. Within 37 hours I was happily running Windows 7, and my glout cleared up. Coincidence? I think not.
Want to stick with Lunix! I'll be by my loving God's side, laughing at you as you burn in Hell. Wait, is this thing on?
must have emerge world and it updated rails config files /ducks
Couldn't resist
"Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
Have you heard the stories about what a huge clusterfuck the Facebook code is?
I am not devoid of humor.
While it's true that it was sloppy coding, it is also true that the default is not really safe - and it probably should be.
They're still trying to hide your posts apk via moddowns with no computer-based technical information to justify the downmod. They're pitiful. All they have is their off-topic illogical "comebacks" vs. facts you posted. This is how you know you beat the hell out of them once again as usual.
They're still trying to hide your posts apk via moddowns with no computer-based technical information to justify the downmod. They're pitiful chumps. All the Penguins have is their off-topic illogical "comebacks" vs. facts you posted. This is how you know you beat the hell out of them once again as usual.
Like continuing trying to hide your posts apk via moddowns with no computer-based technical information to justify the downmod. They're pitiful and this evidences it. All they have is their off-topic illogical "comebacks" vs. facts you posted. This is how you know you beat the hell out of them once again as usual.
In defense of Rails, this isn't a bug, vulnerability, exploit or weakness of RoR its self. The "update_attributes" functionality on a model (which writes new values to a database row) has to be used very carefully. Anybody worth their salt with RoR should know that. If you blindly pass a unsanitized/unfiltered hash directly from the submission from a user to update_attributes, you are definitely asking for trouble and/or are lazy/ignorant at best, imho.
That pretty much summarizes it :P quite funny also, thank you!
Internet hacks YOU!
Have you ever considered being ontopic instead of being a troll?
This isn't actually a hole in rails.. If you use mass assignment,[...]
No. The problem is that any idiot who thinks he doesn't need to sanitise user input is going to get fucked.
And did.
Watch this Heartland Institute video
It is not troll. A spade is always a spade, whatever else you may want to call it.
And in the US most people will look at you funny and then hand you a shovel .
The definition of "hacker" and "cracker" you are referring to has been deprecated by Pop Culture and language shift. Just as the word "gay" no longer means "happy and carefree", and (at least in the US) the term "faggot" no longer refers to a small stick of wood.
A "cracker" is one of the following, in modern language:
1. A type of bread product.
2. A racial slur for a white person
3. A person who breaks into, i.e. 'cracks', safes or vaults.
A "hacker" is a person who perpetrates computer break-ins. The word comes with a negative connotation, if you want to refer to the older definition of "hacker" you have to qualify it or use a different term such as "Security Researcher".
Get with it, or get left behind.
I've been spending too much time on Reddit, where 70% of communication is done with memes. (The rest are puns)
"Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
So if he just told the model that this is a protected attribute, he would have been fine... Its not hard to do this and its a bug like any other bug, not some systematic problem with Rails itself.
So, you'd rather go with a system that uses fail-deadly than fail-safe.
Ok.
Watch this Heartland Institute video
Based on TFA I thought the hack was more about a default flaw with Ruby on Rails key signing, not anything that was specific to github.
Because of its distributed and decentralized nature, it would be very difficult to sneak any changes into a project or its history undetected. Every other copy of the project repo will begin screaming "foul play" when their developers try to sync.
The real question is whether other more nefarious individuals preceded him undetected.