Slashdot Mirror

← Back to Stories (view on slashdot.org)

GitHub Hacked

Posted by samzenpus on from the crack-in-the-wall dept.

MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."

32 of 202 comments (clear)

  1. That's what you get by For+a+Free+Internet · · Score: 5, Funny

    That's what you get when you allow Italians like this guy on America's internet. Don't say I didn't warn you.

    The remedy is that we all need to be more proactive about patronizing Wisconsin cheese and California wine.

    --
    UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
    1. Re:That's what you get by dunkelfalke · · Score: 5, Funny

      Dude, it is far worse than you imagine. The guy is obviously Russian. The Russians are coming!

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  2. What no Guantanamo Bay for him? by stillpixel · · Score: 5, Insightful

    Oh wait.. this is an open source community that understood what his intentions where and didn't have a knee jerk reaction. What I guess intelligence trumps mass panic and ignorance.

    1. Re:What no Guantanamo Bay for him? by vlm · · Score: 5, Insightful

      Oh wait.. this is an open source community that understood what his intentions where and didn't have a knee jerk reaction.
      What I guess intelligence trumps mass panic and ignorance.

      You have to realize this isn't some random dude, but a guy "well known" as having an octocat tattoo on his arm...

      http://homakov.blogspot.com/2011/07/octocat-tattoo.html

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:What no Guantanamo Bay for him? by timeOday · · Score: 5, Interesting

      The real question is whether other more nefarious individuals preceded him undetected.

    3. Re:What no Guantanamo Bay for him? by TheNinjaroach · · Score: 5, Informative

      Because of its distributed and decentralized nature, it would be very difficult to sneak any changes into a project or its history undetected. Every other copy of the project repo will begin screaming "foul play" when their developers try to sync.

      --
      I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  3. Strategic software by aglider · · Score: 5, Insightful

    I think it's time to think about repository for strategic software, like Linux, GCC and so on.
    Such a hacking can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep to evade any check.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  4. distributed by StripedCow · · Score: 5, Insightful

    Fortunately, git is a distributed version control system, meaning that, usually, there is a copy of the sources and history information elsewhere.

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
  5. I felt a great disturbance in the Force by Anonymous Coward · · Score: 5, Funny

    ...as if millions of voices suddenly cried out from coffee shops in terror and were suddenly pwned. I fear something terrible, and totally predictable, has happened.

    Just wait a few years, Ruby on fails will strike back!

  6. Real Hacker by stanlyb · · Score: 5, Insightful

    This guy is very good example of what the real hacker is, and what they should be. Kudos man.

    1. Re:Real Hacker by Anonymous Coward · · Score: 5, Informative

      Yes. Just yes.

      He did a. They ignored him.

      He did b, too. He filed a ticket. The ticket got closed, just like that.

      He could've just done nothing and waited for someone to mess up Github. Instead he shouted louder.

      More props to this guy.

      And btw his Octocat tattoo is henna (meaning fake, not a real tatttoo), to all you attention-deficit idiots.

    2. Re:Real Hacker by Anrego · · Score: 5, Informative

      Except he did both a and b, and they basically told him to go pound sand.

      c. Demonstrate the vulnerability in a somewhat childish yet harmless and hilarious manner. Give everyone a good laugh, raise more awareness of the issue, and give the rails yet more security related black eyes!

      Seems reasonable enough to me!

  7. Re:GitHub hacked by larry+bagina · · Score: 5, Informative

    github paid accounts can have private repositories.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  8. Re:The response of 99.9% of humanity: by Lunaritian · · Score: 5, Insightful

    This is Slashdot, the 99.9% doesn't come here

  9. Re:Nice hacker by vlm · · Score: 5, Informative

    I find it funny that since this guy hacked github

    See that's the problem. He didn't hack github. There is a wide open door in scaffolded rails apps. I am somewhat involved in rails development and even I know this, but "most people don't care". The problem in as few words as possible is a lack of input sanitation and/or more or less is the equivalent of allowing SQL injection. Makes for easy scaffolding and rollout. All you need to do is tell rails which attributes people should and should not be able to F with, which is trivially easy and impossible to default without turning rails into a fully cognitive AI system smarter than the programmers who refuse to declare which attributes are sensitive and which are not....

    The phrases you don't know to google for are "mass assignment protection" and attr_accessible and attr_protected

    http://enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  10. Re:The response of 99.9% of humanity: by project5117 · · Score: 5, Funny

    This is Slashdot, the 99.9% doesn't come here

    Slashdot, home of the 0.1%.

  11. The devs were notified and ignored it by dnwq · · Score: 5, Interesting
    The best thing is this comment by a developer closing Homakov's original bug report, two days before Homakov hacked in:

    fxn commented 3 days ago

    There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.

    Thanks!

    Apparently GitHub's own admin isn't "pro" enough...

    1. Re:The devs were notified and ignored it by dnwq · · Score: 4, Interesting

      Not precisely right: the devs were saying "good users know how to secure their installs" and then Homakov demonstrated just how untrue this was by breaking into what is probably the world's most important and professionally-run Ruby on Rails server, i.e., GitHub. That Rails itself is hosted on GitHub just makes it funnier.

  12. Re:Linux security or trust by Anonymous Coward · · Score: 4, Informative

    That is rather easy to answer. Git is a distributed version control system such that you can't make changes without it being noticed by the real authors. See ... http://git-scm.com/about ... for a better explanation. To get something malicious into the code you will need to get into the primary lieutenants source trees.

  13. Re:Linux security or trust by Kjella · · Score: 4, Informative

    The master branch isn't on github, if there was any tampering a trivial check against Linus' master branch would see if there'd been any extra git commits. Nobody has to go through more than that. By the way, it's also impossible to insert an "old" commit in git because you'd have to reapply every subsequent patch and all the ids would change. But I guess that you're scaremongering and the mods are either clueless or feeding the troll.

    --
    Live today, because you never know what tomorrow brings
  14. Re:Linux security or trust by pankkake · · Score: 4, Funny

    Thankfully, no serious projects are hosted on GitHub.

    --
    Kill all hipsters.
  15. Re:Linux security or trust by TheRaven64 · · Score: 5, Informative

    That's idiocy on the part of the submitter. Linux is mirrored on github, and it was the authoritative repository for a while after kernel.org was hacked, but now it is not the authoritative repository and patches from there will not be pulled into the official tree unchecked.

    --
    I am TheRaven on Soylent News
  16. No, that's what you get for using a dying language by Barbara,+not+Barbie · · Score: 5, Funny
    ... among other things.

    Ruby on Rails - the perfect blend of poor performance (Ruby) and gaping holes (Rails).

    --
    Let's call it what it is, Anti-Social Media.
  17. WTF were they smoking? by miketheanimal · · Score: 5, Insightful

    OK, the blog is slashdot'd at the moment, but lets see if I have this right. Basically, you take an active record and just copy values from the POST data into it and then save it ... and this is the default behaviour? Do I have that right because, is so .... .... dear god, what were the ruby-on-rails people smoking when they thought that was a clever idea, its puts ROR on a level with PHP and its magic global variables. Note only that, but what were the github people smoking, the same? Using an insane facility is doubly insane. Methinks a lot of people need to go and read some web design stuff and realise that active records (or models - django users take not) are not synonymous with the "Model" (business logic) in MVC.

  18. Re:Nice hacker by NonUniqueNickname · · Score: 5, Insightful

    This is NOTHING like lack of sanitizing or SQL injection.

    Suppose your object has fields "name" and "is_special", and the web form only exposed "name" because "is_special" isn't supposed to be changed by regular users. The hacker who knows "is_special" exists, adds an "is_special" field to the web form on his browser and submits it. The developer probably uses "update_attributes" to process the form, and with default Rails settings it will commit the new "is_special" value to the database (properly sanitized, of course).

    To prevent this, the developer may switch the settings to white-list, and provide a list of safe attributes for mass-assignment (update_attributes being one of the mass-assignment methods). Some people believe white-list mode should be the default settings. The hacker, probably being one of these people, found a great way to make his point that even seasoned Rails developers could use a push towards using white-lists.

  19. Re:Linux security or trust by autocracy · · Score: 4, Informative

    This was brought up when kernel.org was compromised last year. The decentralized nature of git makes that really hard to sneak by, especially if you use the kind of process controls that the Linux kernel uses. Legitimate commits go through maintainers, and maintainers will definitely flip if they see code pulls into their repository that they didn't commit. Some deeper discussion about how you can't just sneak things into the past history is here: http://security.stackexchange.com/a/6771/836

    --
    SIG: HUP
  20. He got the results he wanted by Tchaik · · Score: 5, Informative

    At least the message was understood loud and clear... It took a couple of hours and a commit to Rails was made to change the default: https://github.com/rails/rails/commit/641a4f62405cc2765424320932902ed8076b5d38

  21. Re:GitHub hacked by rioki · · Score: 4, Informative

    Actually not, if it is a legit commit as Linus... That is the extent he can fake any account...

  22. Re:Nice hacker by TheNinjaroach · · Score: 4, Insightful

    This is NOTHING like lack of sanitizing or SQL injection.

    Yes, the act of processing user-supplied data in an unintended manner is exactly what "lack of sanitizing" means.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  23. Re:irresponsible by Zironic · · Score: 4, Informative

    He did disclose the publically.
    The developers thought it was working as intended.
    He hacked the site to show that they're morons.
    They patched the issue.

  24. Re:PHP by DarwinSurvivor · · Score: 4, Funny

    I'm fairly certain the amount of PHP in your standard Ruby on Rails installation is relatively minor.

  25. Re:No, that's what you get for using a dying langu by steveb3210 · · Score: 4, Insightful

    This isn't actually a hole in rails..  If you use mass assignment, you need to protect attributes you don't want assigned with attr_protected on your model.

    If you don't want people to do this:

    @user.update_attributes({:favorite_color => 'blue', :password => 'hacked'})

    You need to do this:

    class User < ActiveRecord::Base
      attr_protected :password
    end