Slashdot Mirror

← Back to Stories (view on slashdot.org)

GitHub Hacked

Posted by samzenpus on from the crack-in-the-wall dept.

MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."

55 of 202 comments (clear)

  1. That's what you get by For+a+Free+Internet · · Score: 5, Funny

    That's what you get when you allow Italians like this guy on America's internet. Don't say I didn't warn you.

    The remedy is that we all need to be more proactive about patronizing Wisconsin cheese and California wine.

    --
    UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
    1. Re:That's what you get by dunkelfalke · · Score: 5, Funny

      Dude, it is far worse than you imagine. The guy is obviously Russian. The Russians are coming!

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  2. What no Guantanamo Bay for him? by stillpixel · · Score: 5, Insightful

    Oh wait.. this is an open source community that understood what his intentions where and didn't have a knee jerk reaction. What I guess intelligence trumps mass panic and ignorance.

    1. Re:What no Guantanamo Bay for him? by vlm · · Score: 5, Insightful

      Oh wait.. this is an open source community that understood what his intentions where and didn't have a knee jerk reaction.
      What I guess intelligence trumps mass panic and ignorance.

      You have to realize this isn't some random dude, but a guy "well known" as having an octocat tattoo on his arm...

      http://homakov.blogspot.com/2011/07/octocat-tattoo.html

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:What no Guantanamo Bay for him? by timeOday · · Score: 5, Interesting

      The real question is whether other more nefarious individuals preceded him undetected.

    3. Re:What no Guantanamo Bay for him? by TheNinjaroach · · Score: 5, Informative

      Because of its distributed and decentralized nature, it would be very difficult to sneak any changes into a project or its history undetected. Every other copy of the project repo will begin screaming "foul play" when their developers try to sync.

      --
      I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
    4. Re:What no Guantanamo Bay for him? by abigor · · Score: 2

      Oh wait.. this is an open source community that understood what his intentions where and didn't have a knee jerk reaction.
      What I guess intelligence trumps mass panic and ignorance.

      That's exactly wrong. GH freaked out and banned his account after the Rails team repeatedly closed his bug reports. This story has been on Hacker News for a while now, so you can head there for the full story. His account was eventually reinstated after it was made clear to GH that they behaved poorly.

    5. Re:What no Guantanamo Bay for him? by cnvandev · · Score: 2

      Not exactly - he was suspended while they investigated the incident, not when he reported the bug. As they explained on their blog yesterday, their standard procedure is to suspend accounts that get into this kind of thing until they investigate the incident to see if there was anything malicious happening. They determined there wasn't so they reactivated his account. I'd say GitHub handled the situation excellently.

  3. Strategic software by aglider · · Score: 5, Insightful

    I think it's time to think about repository for strategic software, like Linux, GCC and so on.
    Such a hacking can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep to evade any check.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Strategic software by cr_nucleus · · Score: 3, Insightful

      Such a hacking can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep to evade any check.

      Well, as far as git goes, you can't make changes undetected because all commits are signed and all clones of a repository have the whole history log.

    2. Re:Strategic software by FunkyELF · · Score: 3, Interesting

      I think the use of Git makes it pretty safe to begin with.
      If someone gained access to do commits to what people consider as the "master" repo, any tampering would have to be done at the head because of all the hashes.
      Hopefully the maintainer would realize this the next time they go to push to it Git would tell them that the remote is ahead of them by X commits.
      In the case of Linux, I think Linus is the only one who pushes to the master branch, so he would notice.

    3. Re:Strategic software by mortonda · · Score: 2

      Yes, the id of every commit is a cryptographic hash of the contents of that commit, which inherently includes the state before it; if you tried to insert a commit in the middle of the commit tree, all the id's would change, or not compute... Hard to say what would happen, because it just won't work. The tools would all scream at you. It would be very obvious, if it could even be done.

      They may not all be "signatures" in the sense of identifying who committed it, but it *does* validate the consistency of the source tree and the commit.

  4. distributed by StripedCow · · Score: 5, Insightful

    Fortunately, git is a distributed version control system, meaning that, usually, there is a copy of the sources and history information elsewhere.

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
    1. Re:distributed by MadKeithV · · Score: 2

      you don't have any idea how GIT works, do you ? or maybe you are FUDding ?

      two words: distributed and Cryptographic authentication of history

      No, I have no idea the cryptographic details of GIT works - I was responding to the information in the post above mine with a hypothetical evil genius scenario in my limited understanding of DVCS (i.e. copies of stuff in multiple places). I am happy to read that it seems the developers of GIT are smarter than those that developed Sourcesafe. Which isn't a herculean feat.

    2. Re:distributed by makomk · · Score: 2

      It's also used for distributed development, which means that usually all the copies of the source and history information have pulled from the upstream GitHub repository and will contain any malicious code that was committed to it.

  5. I felt a great disturbance in the Force by Anonymous Coward · · Score: 5, Funny

    ...as if millions of voices suddenly cried out from coffee shops in terror and were suddenly pwned. I fear something terrible, and totally predictable, has happened.

    Just wait a few years, Ruby on fails will strike back!

  6. The response of 99.9% of humanity: by tpstigers · · Score: 2, Insightful

    What's GitHub?

    1. Re:The response of 99.9% of humanity: by Lunaritian · · Score: 5, Insightful

      This is Slashdot, the 99.9% doesn't come here

    2. Re:The response of 99.9% of humanity: by project5117 · · Score: 5, Funny

      This is Slashdot, the 99.9% doesn't come here

      Slashdot, home of the 0.1%.

  7. Real Hacker by stanlyb · · Score: 5, Insightful

    This guy is very good example of what the real hacker is, and what they should be. Kudos man.

    1. Re:Real Hacker by Anonymous Coward · · Score: 5, Informative

      Yes. Just yes.

      He did a. They ignored him.

      He did b, too. He filed a ticket. The ticket got closed, just like that.

      He could've just done nothing and waited for someone to mess up Github. Instead he shouted louder.

      More props to this guy.

      And btw his Octocat tattoo is henna (meaning fake, not a real tatttoo), to all you attention-deficit idiots.

    2. Re:Real Hacker by Anrego · · Score: 5, Informative

      Except he did both a and b, and they basically told him to go pound sand.

      c. Demonstrate the vulnerability in a somewhat childish yet harmless and hilarious manner. Give everyone a good laugh, raise more awareness of the issue, and give the rails yet more security related black eyes!

      Seems reasonable enough to me!

  8. Re:GitHub hacked by larry+bagina · · Score: 5, Informative

    github paid accounts can have private repositories.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  9. Re:Nice hacker by vlm · · Score: 5, Informative

    I find it funny that since this guy hacked github

    See that's the problem. He didn't hack github. There is a wide open door in scaffolded rails apps. I am somewhat involved in rails development and even I know this, but "most people don't care". The problem in as few words as possible is a lack of input sanitation and/or more or less is the equivalent of allowing SQL injection. Makes for easy scaffolding and rollout. All you need to do is tell rails which attributes people should and should not be able to F with, which is trivially easy and impossible to default without turning rails into a fully cognitive AI system smarter than the programmers who refuse to declare which attributes are sensitive and which are not....

    The phrases you don't know to google for are "mass assignment protection" and attr_accessible and attr_protected

    http://enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  10. Re:Hacked vs Cracked by nigelegin · · Score: 2

    In this situation, the term hacking is the correct usage of the term. As per your posted link,

    "Hackers will sometimes do questionable legal things, such as breaking into systems, but they generally will not cause harm once they break in."

    Homakov only made superficial changes to allow him to commit a snide remark to illustrate and publicize the inherent weakness in a cloud storage system used by many independent developers and commercial entities.

    In almost any other situation I would side with you on the horrible misuse/overuse of the term "hacking".

  11. Re:GitHub hacked by jeffmeden · · Score: 2

    So, somebody hacked into a computer system to gain access to open source software. Brilliant.

    If you can't imagine a way that unfettered access to *alter* an exceptionally popular piece of software, virtually undetected, would be useful to someone with unscrupulous intent, then good for you for being so pure of heart. However, in the rest of the world, access like that can be absolutely devastating.

  12. The devs were notified and ignored it by dnwq · · Score: 5, Interesting
    The best thing is this comment by a developer closing Homakov's original bug report, two days before Homakov hacked in:

    fxn commented 3 days ago

    There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.

    Thanks!

    Apparently GitHub's own admin isn't "pro" enough...

    1. Re:The devs were notified and ignored it by MadKeithV · · Score: 2

      Apparently GitHub's own admin isn't "pro" enough...

      I tried reading that thread but the language is convoluted and I know next-to-nothing about rails - am I reading it right - the devs were essentially saying "pro users know how to secure their installs!" and then got pwned themselves with the exact hack that Homakov had reported?

    2. Re:The devs were notified and ignored it by dnwq · · Score: 4, Interesting

      Not precisely right: the devs were saying "good users know how to secure their installs" and then Homakov demonstrated just how untrue this was by breaking into what is probably the world's most important and professionally-run Ruby on Rails server, i.e., GitHub. That Rails itself is hosted on GitHub just makes it funnier.

    3. Re:The devs were notified and ignored it by Medievalist · · Score: 2

      am I reading it right - the devs were essentially saying "pro users know how to secure their installs!" and then got pwned themselves with the exact hack that Homakov had reported?

      You're reading it right. And he actually had to blatantly pwn them repeatedly before they would deign to take notice, and even then they didn't do anything abou it until they got ridiculed across the entire Internet.

      Makes the (broken) PHP development community look relatively sane.

  13. Re:Linux security or trust by Anonymous Coward · · Score: 4, Informative

    That is rather easy to answer. Git is a distributed version control system such that you can't make changes without it being noticed by the real authors. See ... http://git-scm.com/about ... for a better explanation. To get something malicious into the code you will need to get into the primary lieutenants source trees.

  14. Re:Linux security or trust by Kjella · · Score: 4, Informative

    The master branch isn't on github, if there was any tampering a trivial check against Linus' master branch would see if there'd been any extra git commits. Nobody has to go through more than that. By the way, it's also impossible to insert an "old" commit in git because you'd have to reapply every subsequent patch and all the ids would change. But I guess that you're scaremongering and the mods are either clueless or feeding the troll.

    --
    Live today, because you never know what tomorrow brings
  15. Re:GitHub hacked by vlm · · Score: 3, Interesting

    If you can't imagine a way that unfettered access to *alter* an exceptionally popular piece of software, virtually undetected

    I can't imagine a way to do that with git. Sorry, its just pretty hard to do, especially "virtually undetected". git just doesn't work that way. Probably a hell of a lot easier and more likely to succeed and frankly cheaper to get commit rights "the right way" and then sneak in 100 perfectly legit real world commits and just one with an intentional bug or issue or whatever. Now, if by "... alter ... popular ... software.." you mean something like modify the github site and user provided data itself to point to some images on some .ru domain that include yet another drive by MSIE exploit, sure that could probably have been done. But the git hosted projects are basically safe, assuming anyone is actually using them.

    Which brings up an interesting attack vector, if you find generic abandoned mp3 player number 2352 on sf or github and "take it over" by whatever means, then you could put weird stuff into it without anyone noticing since no one git pulls it. This could be a problem.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  16. Re:Linux security or trust by pankkake · · Score: 4, Funny

    Thankfully, no serious projects are hosted on GitHub.

    --
    Kill all hipsters.
  17. Re:Linux security or trust by TheRaven64 · · Score: 5, Informative

    That's idiocy on the part of the submitter. Linux is mirrored on github, and it was the authoritative repository for a while after kernel.org was hacked, but now it is not the authoritative repository and patches from there will not be pulled into the official tree unchecked.

    --
    I am TheRaven on Soylent News
  18. No, that's what you get for using a dying language by Barbara,+not+Barbie · · Score: 5, Funny
    ... among other things.

    Ruby on Rails - the perfect blend of poor performance (Ruby) and gaping holes (Rails).

    --
    Let's call it what it is, Anti-Social Media.
  19. WTF were they smoking? by miketheanimal · · Score: 5, Insightful

    OK, the blog is slashdot'd at the moment, but lets see if I have this right. Basically, you take an active record and just copy values from the POST data into it and then save it ... and this is the default behaviour? Do I have that right because, is so .... .... dear god, what were the ruby-on-rails people smoking when they thought that was a clever idea, its puts ROR on a level with PHP and its magic global variables. Note only that, but what were the github people smoking, the same? Using an insane facility is doubly insane. Methinks a lot of people need to go and read some web design stuff and realise that active records (or models - django users take not) are not synonymous with the "Model" (business logic) in MVC.

    1. Re:WTF were they smoking? by gl4ss · · Score: 3, Informative

      Pardon some of my ignorance but isn't the point of using "smart" frameworks that you wouldn't need to worry about that stuff since the framework should _know_ what parameters it's asking the users browser to submit?

      surely there has to be a framework designed with that in mind? "serve the user this blabla page that has these blabla input boxes"-> from the response just read those.

      seems that rails(and how github was using it) was moving business logic to random users computers and effectively taking them as a trusted part of the system? maybe the devs should spend more time playing online games and seeing crack cheaters.

      --
      world was created 5 seconds before this post as it is.
    2. Re:WTF were they smoking? by psydeshow · · Score: 2

      Pardon some of my ignorance but isn't the point of using "smart" frameworks that you wouldn't need to worry about that stuff since the framework should _know_ what parameters it's asking the users browser to submit?

      surely there has to be a framework designed with that in mind? "serve the user this blabla page that has these blabla input boxes"-> from the response just read those.

      seems that rails(and how github was using it) was moving business logic to random users computers and effectively taking them as a trusted part of the system? maybe the devs should spend more time playing online games and seeing crack cheaters.

      As I understand it, Rails isn't taking just any fields that a user submits. It's actually checking the fields against the model and only assigning the ones it recognizes. So yeah, it "knows" the parameters it is seeing and they are all valid so we're good to go.

      Except that there are fields in any model that the user *shouldn't* be able to change via form. And lo, there is a mechanism in Rails to flag those fields in the model so that this sort of things doesn't happen: attr_accessible flags.

      But attr_accessible is simplistic, and doesn't take into account that some users can change fields that others can't. Developers *should* be marking up the model for the most restricted case and then using manual assignments for users with elevated privilege. But compared to banging out a model and dropping it in and having everything just work, that's a pain in the ass.

      Unless the framework can make assumptions about how access control works (att_accessible_admin, attr_accessible_editor, attr_accessible_guest etc), there is no easy way around the problem.

    3. Re:WTF were they smoking? by AlXtreme · · Score: 2

      Except that there are fields in any model that the user *shouldn't* be able to change via form. And lo, there is a mechanism in Rails to flag those fields in the model so that this sort of things doesn't happen: attr_accessible flags.

      Madness... when defining the form you explicitly define which attributes of the model may be submitted and modified and everything else is ignored. Forms should be the filter between the crap a user may submit and your precious model.

      Django does this right in my eyes: allowed attributes need to be stated in the Form if you don't want all fields displayed. If you have different types of users present those users a different form with corresponding list of attributes and additional validation. Subclassing forms makes this trivial to implement and you explicitly whitelist those fields that are allowed to be modified by a particular user.

      Not that Django is perfect, but I'm amazed that RoR requires/required blacklisting model attributes instead of handling this explicitly in the form. Kudos to the hacker for outing this design-flaw.

      --
      This sig is intentionally left blank
  20. Re:GitHub hacked by Electricity+Likes+Me · · Score: 2

    Indeed, I know a few people who are working on some commercial software with one. This is kind of a big deal (although the risk that someone made subtle alterations to say, the Linux kernel, is also a very big deal).

  21. Re:Nice hacker by NonUniqueNickname · · Score: 5, Insightful

    This is NOTHING like lack of sanitizing or SQL injection.

    Suppose your object has fields "name" and "is_special", and the web form only exposed "name" because "is_special" isn't supposed to be changed by regular users. The hacker who knows "is_special" exists, adds an "is_special" field to the web form on his browser and submits it. The developer probably uses "update_attributes" to process the form, and with default Rails settings it will commit the new "is_special" value to the database (properly sanitized, of course).

    To prevent this, the developer may switch the settings to white-list, and provide a list of safe attributes for mass-assignment (update_attributes being one of the mass-assignment methods). Some people believe white-list mode should be the default settings. The hacker, probably being one of these people, found a great way to make his point that even seasoned Rails developers could use a push towards using white-lists.

  22. Re:Linux security or trust by autocracy · · Score: 4, Informative

    This was brought up when kernel.org was compromised last year. The decentralized nature of git makes that really hard to sneak by, especially if you use the kind of process controls that the Linux kernel uses. Legitimate commits go through maintainers, and maintainers will definitely flip if they see code pulls into their repository that they didn't commit. Some deeper discussion about how you can't just sneak things into the past history is here: http://security.stackexchange.com/a/6771/836

    --
    SIG: HUP
  23. Re:Linux? Since when? by miknix · · Score: 2

    "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others.

    Linux??? Can we mod summary as troll? Linux has its origin repository in kernel.org and is distributed over cloned repositories all over the world including my laptop. One can't simply inject a commit into one of those repositories (such as github) and expect it to automatically propagate into kernel.org.

    Furthermore, even if you manage to inject a commit into some random project at Github, high are the chances that it would be detected by another developer. Who commits to a repository without reading the commit history?
    Now, this Rails vulnerability is rather serious and deserves attention but this article is just plain FUD against github. Congratulations!

  24. He got the results he wanted by Tchaik · · Score: 5, Informative

    At least the message was understood loud and clear... It took a couple of hours and a commit to Rails was made to change the default: https://github.com/rails/rails/commit/641a4f62405cc2765424320932902ed8076b5d38

  25. Re:GitHub hacked by rioki · · Score: 4, Informative

    Actually not, if it is a legit commit as Linus... That is the extent he can fake any account...

  26. Re:Nice hacker by TheNinjaroach · · Score: 4, Insightful

    This is NOTHING like lack of sanitizing or SQL injection.

    Yes, the act of processing user-supplied data in an unintended manner is exactly what "lack of sanitizing" means.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  27. Re:it could have been worse by tuffy · · Score: 2

    Which would be noticed the next time anyone does a push to the repository. There'd be an unexpected non-fast-forward push, and git would force developers to deal with it by default.

    --

    Ita erat quando hic adveni.

  28. Re:irresponsible by Zironic · · Score: 4, Informative

    He did disclose the publically.
    The developers thought it was working as intended.
    He hacked the site to show that they're morons.
    They patched the issue.

  29. Re:Nice hacker by vlm · · Score: 3, Informative

    Also, the process of carefully crafting weird http traffic to insert unexpected things is exactly the process for SQL injection, except obviously strange non-developer intended attributes are being inserted instead of "sql EOL character followed by big sql fun" from a classic sql injection attack. Its a very close analogy... The meta-rule that both specific rules lives under is if you're depending on the general internet public to send you something, you can expect someone out there to send you some absolutely crazy stuff and you better be prepared for absolutely anything. If you're not planning on getting UTF-16 encoded XML with embedded COBOL source code for an Intercal interpreter, there's someone in China coding it up right now, so you better get ready for it...

    His alternative way to describe how it works and at least one way to avoid it was pretty good, regardless of his analogy analysis skills... I though "as few words as possible" and "more or less the equivalent" was about as wishy washy as I could be when tossing an analogy out there. True, I may have a low /. UID, but I wasn't exactly Moses reading the commandments off the tablets there... And if I was I'd have better commandments than this one...

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  30. Re:PHP by DarwinSurvivor · · Score: 4, Funny

    I'm fairly certain the amount of PHP in your standard Ruby on Rails installation is relatively minor.

  31. Re:No, that's what you get for using a dying langu by steveb3210 · · Score: 4, Insightful

    This isn't actually a hole in rails..  If you use mass assignment, you need to protect attributes you don't want assigned with attr_protected on your model.

    If you don't want people to do this:

    @user.update_attributes({:favorite_color => 'blue', :password => 'hacked'})

    You need to do this:

    class User < ActiveRecord::Base
      attr_protected :password
    end

  32. Re:Nice hacker by Saxophonist · · Score: 2

    I've barely worked with Rails, but from what you're describing, isn't this bug somewhat like the security problems with register_globals in PHP, which started defaulting to "off" almost a decade ago?

    Everything old is new again...

  33. Re:No, that's what you get for using a dying langu by kwerle · · Score: 3, Insightful

    While it's true that it was sloppy coding, it is also true that the default is not really safe - and it probably should be.

  34. Re:In defense of Rails... by makomk · · Score: 2

    As far as I can tell, the entire point of update_attributes is that it's easy to pass unsanitized data directly from a user request to it and this makes rapid development of Rails applications simpler. Supposedly pretty much no major Rails applications get this right, so it's not surprising the one hosting the Rails Git repository doesn't either.