Slashdot Mirror


GitHub Hacked

MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."
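The mass-assignment bug the summary describes, shown as an added example that is not GitHub's, Rails' or Homakov's code. It is a Rails-free toy: a model whose constructor copies every key of a request hash onto itself (what `Model.new(params[:model])` did in Rails of that era without an attribute whitelist), beside a handler that only permits the fields a client may set and assigns the owner server-side. The class name `PublicKey`, the attribute names, the `permit` helper and the constructed request are all assumptions for illustration.

```ruby
# Added example (not GitHub's or Rails' code): a minimal reconstruction of a
# mass-assignment bug of the kind described in the summary above.
# Class, attribute and parameter names are assumptions, not GitHub's schema.

# Toy model that accepts a hash of attributes, the way an unprotected
# ActiveRecord model accepted params[:model] before attr_accessible /
# strong parameters were enforced.
class PublicKey
  attr_reader :title, :key, :user_id

  # Every key in the hash becomes an attribute, including ones the client
  # was never meant to control (here: the owning user_id).
  def initialize(attrs = {})
    attrs.each { |name, value| instance_variable_set("@#{name}", value) }
  end
end

# Whitelist of attributes a client may set on a PublicKey.
# This plays the role of attr_accessible / params.permit in Rails.
PERMITTED = %w[title key].freeze

# Drop every parameter that is not explicitly permitted.
def permit(params, allowed = PERMITTED)
  params.select { |name, _| allowed.include?(name.to_s) }
end

# Vulnerable handler: the owner is only a default, so a client-supplied
# 'user_id' in the request overrides it and attaches the key to any account.
def create_key_vulnerable(params, current_user_id)
  attrs = { 'user_id' => current_user_id }.merge(params)
  PublicKey.new(attrs)
end

# Hardened handler: filter the input to the whitelist first, then set the
# owner from the authenticated session after filtering so it cannot be overridden.
def create_key_hardened(params, current_user_id)
  PublicKey.new(permit(params).merge('user_id' => current_user_id))
end

# Constructed request: an ordinary key upload plus a smuggled user_id.
REQUEST = {
  'title'   => 'laptop',
  'key'     => 'ssh-rsa AAAA... (constructed placeholder, not a real key)',
  'user_id' => 1, # the account the client is trying to attach the key to
}.freeze

if __FILE__ == $PROGRAM_NAME
  # The session says the caller is user 42; only the hardened path honours that.
  puts "vulnerable: key owned by user #{create_key_vulnerable(REQUEST, 42).user_id}"
  puts "hardened:   key owned by user #{create_key_hardened(REQUEST, 42).user_id}"
end
```

The detection side follows from the same shape: a request that carries parameters the form never renders (an ownership or role field on a key-upload endpoint) is worth logging and alerting on, and any attribute that decides authorization should be set from the session, never from the request body.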

10 of 202 comments

  1. That's what you get by For+a+Free+Internet · · Score: 5, Funny

    That's what you get when you allow Italians like this guy on America's internet. Don't say I didn't warn you.

    The remedy is that we all need to be more proactive about patronizing Wisconsin cheese and California wine.

    --
    UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
    1. Re:That's what you get by dunkelfalke · · Score: 5, Funny

      Dude, it is far worse than you imagine. The guy is obviously Russian. The Russians are coming!

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  2. GitHub hacked by Anonymous Coward · · Score: 0, Funny

    So, somebody hacked into a computer system to gain access to open source software. Brilliant.

  3. I felt a great disturbance in the Force by Anonymous Coward · · Score: 5, Funny

    ...as if millions of voices suddenly cried out from coffee shops in terror and were suddenly pwned. I fear something terrible, and totally predictable, has happened.

    Just wait a few years, Ruby on fails will strike back!

  4. Re:The response of 99.9% of humanity: by project5117 · · Score: 5, Funny

    This is Slashdot; the 99.9% doesn't come here.

    Slashdot, home of the 0.1%.

  5. Re:Linux security or trust by pankkake · · Score: 4, Funny

    Thankfully, no serious projects are hosted on GitHub.

    --
    Kill all hipsters.
  6. No, that's what you get for using a dying language by Barbara,+not+Barbie · · Score: 5, Funny

    ... among other things.

    Ruby on Rails - the perfect blend of poor performance (Ruby) and gaping holes (Rails).

    --
    Let's call it what it is, Anti-Social Media.
  7. irresponsible by rilian4 · · Score: 1, Funny

    Why do people who gain such knowledge insist on pulling this kind of crap? Why not just attempt to disclose the bug to the site owners and let them fix it? If they refuse, post the info publicly to force their hand. Defacing a project on the site is like a 3-year-old finding a crayon and looking up and seeing that there's a wall to draw on.

    --
    ...quicker, easier, more seductive the darkside is...but more powerful, it is not.
  8. Re:PHP by DarwinSurvivor · · Score: 4, Funny

    I'm fairly certain the amount of PHP in your standard Ruby on Rails installation is relatively minor.

  9. Re:Linux? Since when? by Wraithlyn · · Score: 1, Funny
    --
    "Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson