Slashdot Mirror


GitHub Hacked

MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."
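As an added illustration (not GitHub's or Rails' code, and not part of the Slashdot submission), the plain-Ruby model below shows the mass-assignment pattern the summary describes and the whitelist that closes it: a model that copies every key of the request hash into its attributes lets a field the form never exposed (here an assumed `owner_id` on an assumed `PublicKey` record) be overwritten, while a model that only accepts permitted attributes drops and logs the extra key. The class names, attribute names and the request hash are constructed for this example.

```ruby
# Added example, not from GitHub or Rails: mass assignment in a plain-Ruby model.
# PublicKey, owner_id and the request hash are assumptions made for illustration.
require 'set'

# Vulnerable: every key in the incoming hash becomes an attribute,
# so a field the form never exposed (owner_id) can be overwritten.
class UnprotectedPublicKey
  attr_reader :attributes

  def initialize(owner_id)
    @attributes = { owner_id: owner_id, title: nil, key: nil }
  end

  def update_attributes(params)
    params.each { |k, v| @attributes[k.to_sym] = v }
    self
  end
end

# Hardened: only explicitly permitted attributes may be set from request input;
# anything else is dropped and logged (the attr_accessible / strong-parameters idea).
class ProtectedPublicKey
  PERMITTED = Set[:title, :key].freeze
  attr_reader :attributes, :rejected

  def initialize(owner_id)
    @attributes = { owner_id: owner_id, title: nil, key: nil }
    @rejected = []
  end

  def update_attributes(params)
    @rejected = params.keys.reject { |k| PERMITTED.include?(k.to_sym) }
    warn "unpermitted parameters dropped: #{@rejected.join(', ')}" unless @rejected.empty?
    params.each { |k, v| @attributes[k.to_sym] = v if PERMITTED.include?(k.to_sym) }
    self
  end
end

# Constructed request body: the logged-in user (id 42) submits the key form,
# but the body also carries an owner_id field pointing at another account.
REQUEST_PARAMS = {
  "title" => "laptop",
  "key" => "ssh-rsa AAAA...constructed-example",
  "owner_id" => 1
}.freeze

# Owner the record ends up with under the vulnerable model.
def vulnerable_owner(params = REQUEST_PARAMS, current_user_id = 42)
  UnprotectedPublicKey.new(current_user_id).update_attributes(params).attributes[:owner_id]
end

# Owner the record ends up with under the whitelisted model.
def hardened_owner(params = REQUEST_PARAMS, current_user_id = 42)
  ProtectedPublicKey.new(current_user_id).update_attributes(params).attributes[:owner_id]
end

# Keys the whitelisted model refused; worth logging and alerting on.
def dropped_keys(params = REQUEST_PARAMS, current_user_id = 42)
  ProtectedPublicKey.new(current_user_id).update_attributes(params).rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable model assigns owner_id = #{vulnerable_owner}"
  puts "hardened model keeps owner_id = #{hardened_owner}, dropped #{dropped_keys.inspect}"
end
```

The detection angle is in `dropped_keys`: a request that carries parameters the form does not expose is itself a signal, so logging rejected keys (rather than silently discarding them) gives operators something to alert on.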

5 of 202 comments

  1. Re:What no Guantanamo Bay for him? by timeOday · · Score: 5, Interesting

    The real question is whether other more nefarious individuals preceded him undetected.

  2. The devs were notified and ignored it by dnwq · · Score: 5, Interesting
    The best thing is this comment by a developer closing Homakov's original bug report, two days before Homakov hacked in:

    fxn commented 3 days ago

    There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.

    Thanks!

    Apparently GitHub's own admin isn't "pro" enough...

    1. Re:The devs were notified and ignored it by dnwq · · Score: 4, Interesting

      Not precisely right: the devs were saying "good users know how to secure their installs" and then Homakov demonstrated just how untrue this was by breaking into what is probably the world's most important and professionally-run Ruby on Rails server, i.e., GitHub. That Rails itself is hosted on GitHub just makes it funnier.

  3. Re:Strategic software by FunkyELF · · Score: 3, Interesting

    I think the use of Git makes it pretty safe to begin with.
    If someone gained access to do commits to what people consider as the "master" repo, any tampering would have to be done at the head because of all the hashes.
    Hopefully the maintainer would realize this the next time they go to push to it; Git would tell them that the remote is ahead of them by X commits.
    In the case of Linux, I think Linus is the only one who pushes to the master branch, so he would notice.

  4. Re:GitHub hacked by vlm · · Score: 3, Interesting

    If you can't imagine a way that unfettered access to *alter* an exceptionally popular piece of software, virtually undetected

    I can't imagine a way to do that with git. Sorry, it's just pretty hard to do, especially "virtually undetected". git just doesn't work that way. Probably a hell of a lot easier and more likely to succeed and frankly cheaper to get commit rights "the right way" and then sneak in 100 perfectly legit real world commits and just one with an intentional bug or issue or whatever. Now, if by "... alter ... popular ... software.." you mean something like modify the github site and user provided data itself to point to some images on some .ru domain that include yet another drive by MSIE exploit, sure that could probably have been done. But the git hosted projects are basically safe, assuming anyone is actually using them.

    Which brings up an interesting attack vector, if you find generic abandoned mp3 player number 2352 on sf or github and "take it over" by whatever means, then you could put weird stuff into it without anyone noticing since no one git pulls it. This could be a problem.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
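The point FunkyELF and vlm make above (that history cannot be silently altered behind the head because every commit hashes its parent) can be seen in a toy content-addressed chain. The code below is an added example, not git's real object format or anything from the page: commit ids are SHA-1 over the parent id, message and tree hash, and the helper names (`build_chain`, `chain_valid?`, `tamper`, `rewrite_chain`) and the sample history are constructed for this illustration.

```ruby
# Added example, not git's code: a toy content-addressed commit chain showing why
# altering an old commit either breaks the chain or changes every later id,
# including the head a maintainer compares against on their next push.
require 'digest'

Commit = Struct.new(:parent, :message, :tree) do
  # A commit's id covers its parent id, so it depends on all earlier history.
  def id
    Digest::SHA1.hexdigest("commit\0parent:#{parent}\nmessage:#{message}\ntree:#{tree}")
  end
end

# Build a linear history from [message, tree contents] pairs; each commit
# records the id of the commit before it.
def build_chain(entries)
  parent = nil
  entries.map do |msg, contents|
    c = Commit.new(parent, msg, Digest::SHA1.hexdigest(contents))
    parent = c.id
    c
  end
end

# Integrity check: every stored parent id must equal the real id of the
# previous commit. This is the detection a maintainer (or a fetch) relies on.
def chain_valid?(chain)
  chain.each_cons(2).all? { |prev, cur| cur.parent == prev.id }
end

# Replace the tree of one commit in place, leaving its descendants untouched.
# The descendants still point at the old id, so the chain no longer verifies.
def tamper(chain, index, new_contents)
  copy = chain.map(&:dup)
  copy[index].tree = Digest::SHA1.hexdigest(new_contents)
  copy
end

# Recompute parents after a change, as a rewrite of history would: the chain
# verifies again, but the head id differs from what everyone else has.
def rewrite_chain(chain)
  parent = nil
  chain.map do |c|
    fixed = Commit.new(parent, c.message, c.tree)
    parent = fixed.id
    fixed
  end
end

# Constructed sample history.
HISTORY = [
  ["initial import", "v1 sources"],
  ["fix bug", "v2 sources"],
  ["release", "v3 sources"]
].freeze

if __FILE__ == $PROGRAM_NAME
  original = build_chain(HISTORY)
  altered = tamper(original, 1, "v2 sources plus unwanted change")
  puts "altered chain verifies? #{chain_valid?(altered)}"
  rewritten = rewrite_chain(altered)
  puts "rewritten chain verifies? #{chain_valid?(rewritten)}"
  puts "head changed? #{rewritten.last.id != original.last.id}"
end
```

Either outcome is visible: an in-place edit fails verification, and a full rewrite produces a head id that no longer matches the maintainer's local head, which is exactly the "remote is ahead of you" divergence the comments describe.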