Slashdot Mirror


GitHub Hacked

MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."

7 of 202 comments

  1. Re:GitHub hacked by larry+bagina · Score: 5, Informative

    github paid accounts can have private repositories.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  2. Re:Nice hacker by vlm · Score: 5, Informative

    I find it funny that since this guy hacked github

    See that's the problem. He didn't hack github. There is a wide open door in scaffolded rails apps. I am somewhat involved in rails development and even I know this, but "most people don't care". The problem in as few words as possible is a lack of input sanitation and/or more or less is the equivalent of allowing SQL injection. Makes for easy scaffolding and rollout. All you need to do is tell rails which attributes people should and should not be able to F with, which is trivially easy and impossible to default without turning rails into a fully cognitive AI system smarter than the programmers who refuse to declare which attributes are sensitive and which are not....

    The phrases you don't know to google for are "mass assignment protection", attr_accessible and attr_protected.

    http://enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

  3. Re:Real Hacker by Anonymous Coward · Score: 5, Informative
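    As an added example (not code from vlm's comment, from the thread, or from Rails itself), the following plain-Ruby sketch shows what the comment describes: a model whose mass-assignment path copies every matching key of a params hash onto the record, beside the same model with an attr_accessible-style whitelist. attr_accessible is the real Rails 3 method the comment names; the Model base class, OpenPublicKey, SafePublicKey and the TAMPERED_PARAMS hash are constructed for this illustration and need no Rails install.

```ruby
# Added example, not code from the Slashdot thread or from Rails: a plain-Ruby
# model of how mass assignment copies a params hash onto a record, and how an
# attr_accessible-style whitelist stops unlisted attributes from being set.

class Model
  # Declare the record's columns; each becomes a plain getter/setter.
  def self.columns(*names)
    @column_names = names
    attr_accessor(*names)
  end

  def self.column_names
    @column_names || []
  end

  # Whitelist in the spirit of Rails' attr_accessible: only these names may be
  # written through assign_attributes. Nil means "no whitelist declared".
  def self.attr_accessible(*names)
    @accessible = names
  end

  def self.accessible
    @accessible
  end

  attr_reader :rejected # attribute names dropped by the whitelist

  def initialize(params = {})
    @rejected = []
    assign_attributes(params)
  end

  # Mass assignment: every key in params that matches a column is written.
  # With no whitelist declared (the scaffold default the comment calls a wide
  # open door) that includes columns the form never exposed, such as user_id.
  def assign_attributes(params)
    params.each do |name, value|
      name = name.to_sym
      next unless self.class.column_names.include?(name)
      if self.class.accessible && !self.class.accessible.include?(name)
        @rejected << name
        next
      end
      public_send("#{name}=", value)
    end
    self
  end
end

# Hypothetical "public key" record with no whitelist: every column is writable
# from request input.
class OpenPublicKey < Model
  columns :title, :key, :user_id
end

# Same record with the whitelist: user_id can only be set by application code,
# never from the request hash.
class SafePublicKey < Model
  columns :title, :key, :user_id
  attr_accessible :title, :key
end

# Constructed request parameters: the two fields a form legitimately exposes,
# plus an extra user_id field that the form never contained.
TAMPERED_PARAMS = {
  "title"   => "laptop",
  "key"     => "ssh-rsa AAAA-constructed-example-key",
  "user_id" => 42
}.freeze

def demo
  open = OpenPublicKey.new(TAMPERED_PARAMS)
  safe = SafePublicKey.new(TAMPERED_PARAMS)
  # Application code supplies the owner explicitly (e.g. from the session).
  safe.user_id = 7
  { open_owner: open.user_id, safe_owner: safe.user_id, rejected: safe.rejected }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

    Running the file prints the open model's owner as 42 (taken straight from the request) and the whitelisted model's owner as 7, with user_id listed under rejected; the point is that the whitelist has to be declared per model, which is exactly the step the comment says scaffolded apps skip.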

    Yes. Just yes.

    He did a. They ignored him.

    He did b, too. He filed a ticket. The ticket got closed, just like that.

    He could've just done nothing and waited for someone to mess up Github. Instead he shouted louder.

    More props to this guy.

    And btw his Octocat tattoo is henna (meaning fake, not a real tattoo), to all you attention-deficit idiots.

  4. Re:Real Hacker by Anrego · Score: 5, Informative

    Except he did both a and b, and they basically told him to go pound sand.

    c. Demonstrate the vulnerability in a somewhat childish yet harmless and hilarious manner. Give everyone a good laugh, raise more awareness of the issue, and give Rails yet more security-related black eyes!

    Seems reasonable enough to me!

  5. Re:Linux security or trust by TheRaven64 · Score: 5, Informative

    That's idiocy on the part of the submitter. Linux is mirrored on github, and it was the authoritative repository for a while after kernel.org was hacked, but now it is not the authoritative repository and patches from there will not be pulled into the official tree unchecked.

    --
    I am TheRaven on Soylent News

  6. He got the results he wanted by Tchaik · Score: 5, Informative

    At least the message was understood loud and clear... It took a couple of hours and a commit to Rails was made to change the default: https://github.com/rails/rails/commit/641a4f62405cc2765424320932902ed8076b5d38

  7. Re:What no Guantanamo Bay for him? by TheNinjaroach · Score: 5, Informative

    Because of its distributed and decentralized nature, it would be very difficult to sneak any changes into a project or its history undetected. Every other copy of the project repo will begin screaming "foul play" when their developers try to sync.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough...