GitHub Hacked

MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."

Re:What no Guantanamo Bay for him?

[timeOday]

The real question is whether other more nefarious individuals preceded him undetected.

The devs were notified and ignored it

[dnwq]

The best thing is this comment by a developer closing Homakov's original bug report, two days before Homakov hacked in:

fxn commented 3 days ago

There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.

Thanks!

Apparently GitHub's own admin isn't "pro" enough...

Re:The devs were notified and ignored it

[dnwq]

Not precisely right: the devs were saying "good users know how to secure their installs" and then Homakov demonstrated just how untrue this was by breaking into what is probably the world's most important and professionally-run Ruby on Rails server, i.e., GitHub. That Rails itself is hosted on GitHub just makes it funnier.