Slashdot Mirror


GitHub Hacked

MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."

14 of 202 comments

  1. What no Guantanamo Bay for him? by stillpixel · · Score: 5, Insightful

    Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee-jerk reaction. What, I guess intelligence trumps mass panic and ignorance.

    1. Re:What no Guantanamo Bay for him? by vlm · · Score: 5, Insightful

      Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee-jerk reaction.
      What, I guess intelligence trumps mass panic and ignorance.

      You have to realize this isn't some random dude, but a guy "well known" as having an octocat tattoo on his arm...

      http://homakov.blogspot.com/2011/07/octocat-tattoo.html

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  2. Linux security or trust by Anonymous Coward · · Score: 0, Insightful

    This lowers the trust of the Linux source a notch. Who can really go over every line of code in the source to make sure someone hasn't already snuck in something malicious years ago?

    Although the advantage of open source is that more eyes can go over it.

  3. Strategic software by aglider · · Score: 5, Insightful

    I think it's time to think about a repository for strategic software, like Linux, GCC and so on.
    Such a hack can compromise a large part of the internet, because someone can introduce backdoors, the nasty ones I mean, so deep as to evade any check.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Strategic software by cr_nucleus · · Score: 3, Insightful

      Such a hack can compromise a large part of the internet, because someone can introduce backdoors, the nasty ones I mean, so deep as to evade any check.

      Well, as far as git goes, you can't make changes undetected because all commits are signed and all clones of a repository have the whole history log.

  4. distributed by StripedCow · · Score: 5, Insightful

    Fortunately, git is a distributed version control system, meaning that, usually, there is a copy of the sources and history information elsewhere.

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
  5. The response of 99.9% of humanity: by tpstigers · · Score: 2, Insightful

    What's GitHub?

    1. Re:The response of 99.9% of humanity: by Lunaritian · · Score: 5, Insightful

      This is Slashdot; the 99.9% don't come here.

  6. Real Hacker by stanlyb · · Score: 5, Insightful

    This guy is a very good example of what a real hacker is, and what they should be. Kudos, man.

  7. WTF were they smoking? by miketheanimal · · Score: 5, Insightful

    OK, the blog is slashdot'd at the moment, but let's see if I have this right. Basically, you take an active record and just copy values from the POST data into it and then save it ... and this is the default behaviour? Do I have that right? Because, if so .... .... dear god, what were the Ruby on Rails people smoking when they thought that was a clever idea? It puts RoR on a level with PHP and its magic global variables. Not only that, but what were the GitHub people smoking, the same? Using an insane facility is doubly insane. Methinks a lot of people need to go and read some web design stuff and realise that active records (or models - Django users take note) are not synonymous with the "Model" (business logic) in MVC.

  8. Re:Nice hacker by NonUniqueNickname · · Score: 5, Insightful

    This is NOTHING like lack of sanitizing or SQL injection.

    Suppose your object has fields "name" and "is_special", and the web form only exposed "name" because "is_special" isn't supposed to be changed by regular users. The hacker, who knows "is_special" exists, adds an "is_special" field to the web form in his browser and submits it. The developer probably uses "update_attributes" to process the form, and with default Rails settings it will commit the new "is_special" value to the database (properly sanitized, of course).

    To prevent this, the developer may switch the settings to white-list, and provide a list of safe attributes for mass-assignment (update_attributes being one of the mass-assignment methods). Some people believe white-list mode should be the default setting. The hacker, probably being one of these people, found a great way to make his point that even seasoned Rails developers could use a push towards using white-lists.

  9. Re:Nice hacker by TheNinjaroach · · Score: 4, Insightful

    This is NOTHING like lack of sanitizing or SQL injection.

    Yes, the act of processing user-supplied data in an unintended manner is exactly what "lack of sanitizing" means.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  10. Re:No, that's what you get for using a dying langu by steveb3210 · · Score: 4, Insightful

    This isn't actually a hole in Rails. If you use mass assignment, you need to protect attributes you don't want assigned with attr_protected on your model.

    If you don't want people to do this:

    @user.update_attributes({:favorite_color => 'blue', :password => 'hacked'})

    You need to do this:

    class User < ActiveRecord::Base
      attr_protected :password
    end
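The "is_special" scenario from comment 8 and the attr_protected fix from comment 10, as an added stand-alone example that is not from the thread or from Rails itself: a small simulation of Rails-style mass assignment that runs without ActiveRecord. Only the names attr_protected, attr_accessible and update_attributes mirror the real Rails API; the MassAssignable class, the three user models and the constructed POST body are this example's own.

```ruby
# Simulation of Rails 2/3 mass-assignment semantics (not ActiveRecord):
# no declaration = every submitted key is assignable (the default the
# thread complains about); attr_protected = blacklist; attr_accessible =
# whitelist. The class and helper names are invented for this example.
class MassAssignable
  def self.attr_protected(*names)  # blacklist: everything else is assignable
    @protected = names.map(&:to_s)
  end

  def self.attr_accessible(*names) # whitelist: only these are assignable
    @accessible = names.map(&:to_s)
  end

  def self.assignable?(name)
    return @accessible.include?(name) if @accessible
    return !@protected.include?(name) if @protected
    true                             # default: assign whatever the form sends
  end

  def initialize(attrs = {})
    @attrs = attrs.transform_keys(&:to_s)
  end

  def [](key)
    @attrs[key.to_s]
  end

  # Mirrors update_attributes: copy every submitted key the model allows.
  # Returns the keys that were dropped so the caller can log or reject them.
  def update_attributes(params)
    dropped = []
    params.each do |k, v|
      k = k.to_s
      self.class.assignable?(k) ? @attrs[k] = v : dropped << k
    end
    dropped
  end
end

# Same data, three protection policies.
class DefaultUser < MassAssignable; end                          # vulnerable
class BlacklistUser < MassAssignable; attr_protected :is_special; end
class WhitelistUser < MassAssignable; attr_accessible :name; end

# Constructed POST body: the form only exposed "name", but the request
# carries an extra "is_special" field added on the client side.
TAMPERED_PARAMS = { "name" => "alice", "is_special" => true }.freeze

def run_form(model_class)
  user = model_class.new("name" => "old", "is_special" => false)
  dropped = user.update_attributes(TAMPERED_PARAMS)
  { name: user[:name], is_special: user[:is_special], dropped: dropped }
end

[DefaultUser, BlacklistUser, WhitelistUser].each { |m| puts "#{m}: #{run_form(m)}" } if __FILE__ == $PROGRAM_NAME
```

Only DefaultUser ends up with is_special flipped to true; the blacklist and whitelist models both drop the extra field, which is exactly the difference between the Rails default and the white-list mode the thread argues should be the default.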

  11. Re:No, that's what you get for using a dying langu by kwerle · · Score: 3, Insightful

    While it's true that it was sloppy coding, it is also true that the default is not really safe - and it probably should be.