Slashdot Mirror


GitHub Hacked

MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."

22 of 202 comments

  1. That's what you get by For a Free Internet · · Score: 5, Funny

    That's what you get when you allow Italians like this guy on America's internet. Don't say I didn't warn you.

    The remedy is that we all need to be more proactive about patronizing Wisconsin cheese and California wine.

    --
    UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
    1. Re:That's what you get by dunkelfalke · · Score: 5, Funny

      Dude, it is far worse than you imagine. The guy is obviously Russian. The Russians are coming!

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  2. What no Guantanamo Bay for him? by stillpixel · · Score: 5, Insightful

    Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee-jerk reaction. I guess intelligence trumps mass panic and ignorance.

    1. Re:What no Guantanamo Bay for him? by vlm · · Score: 5, Insightful

      Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee-jerk reaction.
      I guess intelligence trumps mass panic and ignorance.

      You have to realize this isn't some random dude, but a guy "well known" as having an octocat tattoo on his arm...

      http://homakov.blogspot.com/2011/07/octocat-tattoo.html

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:What no Guantanamo Bay for him? by timeOday · · Score: 5, Interesting

      The real question is whether other more nefarious individuals preceded him undetected.

    3. Re:What no Guantanamo Bay for him? by TheNinjaroach · · Score: 5, Informative

      Because of its distributed and decentralized nature, it would be very difficult to sneak any changes into a project or its history undetected. Every other copy of the project repo will begin screaming "foul play" when their developers try to sync.

      --
      I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  3. Strategic software by aglider · · Score: 5, Insightful

    I think it's time to think about a repository for strategic software, like Linux, GCC and so on.
    Such a hack can compromise a large part of the internet, because someone can introduce backdoors, the nasty ones I mean, so deep as to evade any check.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  4. distributed by StripedCow · · Score: 5, Insightful

    Fortunately, git is a distributed version control system, meaning that, usually, there is a copy of the sources and history information elsewhere.

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
  5. I felt a great disturbance in the Force by Anonymous Coward · · Score: 5, Funny

    ...as if millions of voices suddenly cried out from coffee shops in terror and were suddenly pwned. I fear something terrible, and totally predictable, has happened.

    Just wait a few years, Ruby on fails will strike back!

  6. Real Hacker by stanlyb · · Score: 5, Insightful

    This guy is a very good example of what a real hacker is, and what they should be. Kudos man.

    1. Re:Real Hacker by Anonymous Coward · · Score: 5, Informative

      Yes. Just yes.

      He did a. They ignored him.

      He did b, too. He filed a ticket. The ticket got closed, just like that.

      He could've just done nothing and waited for someone to mess up GitHub. Instead he shouted louder.

      More props to this guy.

      And btw his Octocat tattoo is henna (meaning fake, not a real tattoo), to all you attention-deficit idiots.

    2. Re:Real Hacker by Anrego · · Score: 5, Informative

      Except he did both a and b, and they basically told him to go pound sand.

      c. Demonstrate the vulnerability in a somewhat childish yet harmless and hilarious manner. Give everyone a good laugh, raise more awareness of the issue, and give Rails yet more security-related black eyes!

      Seems reasonable enough to me!

  7. Re:GitHub hacked by larry bagina · · Score: 5, Informative

    GitHub paid accounts can have private repositories.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  8. Re:The response of 99.9% of humanity: by Lunaritian · · Score: 5, Insightful

    This is Slashdot, the 99.9% doesn't come here

  9. Re:Nice hacker by vlm · · Score: 5, Informative

    I find it funny that since this guy hacked github

    See, that's the problem. He didn't hack GitHub. There is a wide-open door in scaffolded Rails apps. I am somewhat involved in Rails development and even I know this, but "most people don't care". The problem, in as few words as possible, is a lack of input sanitation and is more or less the equivalent of allowing SQL injection. Makes for easy scaffolding and rollout. All you need to do is tell Rails which attributes people should and should not be able to F with, which is trivially easy and impossible to default without turning Rails into a fully cognitive AI system smarter than the programmers who refuse to declare which attributes are sensitive and which are not...

    The phrases you don't know to Google for are "mass assignment protection" and attr_accessible and attr_protected.

    http://enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  10. Re:The response of 99.9% of humanity: by project5117 · · Score: 5, Funny

    This is Slashdot, the 99.9% doesn't come here

    Slashdot, home of the 0.1%.

  11. The devs were notified and ignored it by dnwq · · Score: 5, Interesting
    The best thing is this comment by a developer closing Homakov's original bug report, two days before Homakov hacked in:

    fxn commented 3 days ago

    There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.

    Thanks!

    Apparently GitHub's own admin isn't "pro" enough...

  12. Re:Linux security or trust by TheRaven64 · · Score: 5, Informative

    That's idiocy on the part of the submitter. Linux is mirrored on github, and it was the authoritative repository for a while after kernel.org was hacked, but now it is not the authoritative repository and patches from there will not be pulled into the official tree unchecked.

    --
    I am TheRaven on Soylent News
  13. No, that's what you get for using a dying language by Barbara, not Barbie · · Score: 5, Funny
    ... among other things.

    Ruby on Rails - the perfect blend of poor performance (Ruby) and gaping holes (Rails).

    --
    Let's call it what it is, Anti-Social Media.
  14. WTF were they smoking? by miketheanimal · · Score: 5, Insightful

    OK, the blog is slashdot'd at the moment, but let's see if I have this right. Basically, you take an active record and just copy values from the POST data into it and then save it ... and this is the default behaviour? Do I have that right? Because, if so ... dear god, what were the Ruby on Rails people smoking when they thought that was a clever idea? It puts RoR on a level with PHP and its magic global variables. Not only that, but what were the GitHub people smoking, the same? Using an insane facility is doubly insane. Methinks a lot of people need to go and read some web design stuff and realise that active records (or models - Django users take note) are not synonymous with the "Model" (business logic) in MVC.

  15. Re:Nice hacker by NonUniqueNickname · · Score: 5, Insightful

    This is NOTHING like lack of sanitizing or SQL injection.

    Suppose your object has fields "name" and "is_special", and the web form only exposed "name" because "is_special" isn't supposed to be changed by regular users. The hacker, who knows "is_special" exists, adds an "is_special" field to the web form in his browser and submits it. The developer probably uses "update_attributes" to process the form, and with default Rails settings it will commit the new "is_special" value to the database (properly sanitized, of course).

    To prevent this, the developer may switch the settings to white-list, and provide a list of safe attributes for mass-assignment (update_attributes being one of the mass-assignment methods). Some people believe white-list mode should be the default setting. The hacker, probably being one of these people, found a great way to make his point that even seasoned Rails developers could use a push towards using white-lists.
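Added example illustrating the mechanism described in comments 9, 14 and 15 above (not code from any commenter or from Rails itself): a plain-Ruby stand-in for a model whose update_attributes copies submitted keys into the record, run once in the 2012 "assign everything" default and once with a white-list, against a constructed form submission that smuggles in "is_special". The Model class, its accessible: option and the sample params are assumptions built for this illustration, not the Rails API.

```ruby
# Minimal stand-in for an ActiveRecord-style model (assumption: constructed
# for illustration, does not load Rails).
class Model
  attr_reader :attributes

  # accessible: nil mimics the old default where every key in params is
  # assignable; an Array mimics white-list mode (only listed keys are assignable).
  def initialize(attributes, accessible: nil)
    @attributes = attributes.dup
    @accessible = accessible
  end

  # Mimics update_attributes: copy each submitted key into the record.
  # Returns the keys the white-list refused, so callers can log them.
  def update_attributes(params)
    rejected = []
    params.each do |key, value|
      key = key.to_s
      if @accessible.nil? || @accessible.include?(key)
        @attributes[key] = value
      else
        rejected << key
      end
    end
    rejected
  end
end

# Constructed request body: the form only rendered "name", but the client
# added an "is_special" field by hand before submitting.
TAMPERED_PARAMS = { "name" => "alice", "is_special" => true }.freeze

# Default mode: the privileged flag is silently written along with "name".
def default_mode_result
  user = Model.new({ "name" => "bob", "is_special" => false })
  user.update_attributes(TAMPERED_PARAMS)
  user.attributes
end

# White-list mode: only "name" changes; "is_special" is reported as rejected.
def whitelist_mode_result
  user = Model.new({ "name" => "bob", "is_special" => false }, accessible: ["name"])
  rejected = user.update_attributes(TAMPERED_PARAMS)
  [user.attributes, rejected]
end
```

Logging the rejected keys is the detection hook: a request that tries to set an attribute the form never offered is worth an alert, whichever mode the app runs in.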

  16. He got the results he wanted by Tchaik · · Score: 5, Informative

    At least the message was understood loud and clear... It took a couple of hours and a commit to Rails was made to change the default: https://github.com/rails/rails/commit/641a4f62405cc2765424320932902ed8076b5d38