
GitHub Hacked

Posted by samzenpus
from the crack-in-the-wall dept.
MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."

  • by For a Free Internet (1594621) on Monday March 05, 2012 @10:25AM (#39247191)

    That's what you get when you allow Italians like this guy on America's internet. Don't say I didn't warn you.

    The remedy is that we all need to be more proactive about patronizing Wisconsin cheese and California wine.

  • by stillpixel (1575443) on Monday March 05, 2012 @10:25AM (#39247193) Homepage Journal
    Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee jerk reaction. What I guess intelligence trumps mass panic and ignorance.
    • by vlm (69642) on Monday March 05, 2012 @10:37AM (#39247331)

      Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee jerk reaction.
      What I guess intelligence trumps mass panic and ignorance.

      You have to realize this isn't some random dude, but a guy "well known" as having an octocat tattoo on his arm...

      http://homakov.blogspot.com/2011/07/octocat-tattoo.html [blogspot.com]

      • by timeOday (582209) on Monday March 05, 2012 @10:47AM (#39247427)
        The real question is whether other more nefarious individuals preceded him undetected.
        • by TheNinjaroach (878876) on Monday March 05, 2012 @12:15PM (#39248725)
          Because of its distributed and decentralized nature, it would be very difficult to sneak any changes into a project or its history undetected. Every other copy of the project repo will begin screaming "foul play" when their developers try to sync.
          • by makomk (752139)

            Not really. Suppose you sneak in a boring-sounding commit from one of the core developers of a project. That developer probably won't notice because it's lost amongst the other commits, and even though no-one else will be able to push changes until they merge the malicious commit into their own copies, that's so common in a multi-user repository that all the developers will probably do it without a moment's hesitation.

          • Don't think github. Think about other interesting Ruby on Rails sites. Suppose you could access them all quiet-like. For a longgg time. For example: 1: Basecamp 2: Twitter 3: Hulu 4: Groupon 5: Justin.tv 6: Shopify 7: Campfire 8: Penny Arcade 9: Guitar Hero 10: Wayfaring (from a 2011 top-ten list of RR sites: http://www.railshosting.org/the-top-10-sites-built-with-ruby-on-rails [railshosting.org] )

            Based on TFA I thought the hack was more about a default flaw with Ruby on Rails key signing, not anything that was specific
      • by Anonymous Coward

        So an octocat tattoo will protect people from being detained without trial in Guantanamo Bay?

        • by vlm (69642)

          For those who don't get the "joke" he's about as close to being an insider as an outsider can be.
          It would be kind of like Alan Cox posting a GIT commit in the 3.0 series using Linus's account for April Fools Day, although that's technically wrong, no one's going to freak out, or at least his odds of waterboarding are no greater than any other random innocent civilian, in other words too high in an absolute sense, but in a relative sense pretty low odds... Actually putting this in writing probably ruins the ch

      • The very page you linked to quotes him as saying it's fake.
    • by pinfall (2430412)

      Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee jerk reaction. What I guess intelligence trumps mass panic and ignorance.

      Incorrect assumption. Although there is a passive, appreciative community behind such an effort, you will see a joint effort by Italian, European and American authorities to eliminate this violation. Start with international wire fraud, malicious intent to harm, and move down the list to SOPA-like atrocities such as violating terms of a website and you've got life in prison. Give them 5 more years of legislation and we'll have Texas-style hangings for these incredibly threatening comical hackers.

      I heard a

    • by abigor (540274)

      Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee jerk reaction.
      What I guess intelligence trumps mass panic and ignorance.

      That's exactly wrong. GH freaked out and banned his account after the Rails team repeatedly closed his bug reports. This story has been on Hacker News for a while now, so you can head there for the full story. His account was eventually reinstated after it was made clear to GH that they behaved poorly.

      • by cnvandev (1538055)
        Not exactly - he was suspended while they investigated the incident, not when he reported the bug. As they explained on their blog yesterday [github.com], their standard procedure is to suspend accounts that get into this kind of thing until they investigate the incident to see if there was anything malicious happening. They determined there wasn't so they reactivated his account. I'd say GitHub handled the situation excellently.
  • Well this is an ironic situation. Good thing he had good intentions lol. I find it funny that since this guy hacked github and they fixed it. But seriously, shouldn't people hire hackers like him to make projects move faster? I sincerely believe that if they "work" together, projects would move faster for sure lol.
    • Re:Nice hacker (Score:5, Informative)

      by vlm (69642) on Monday March 05, 2012 @10:45AM (#39247405)

      I find it funny that since this guy hacked github

      See that's the problem. He didn't hack github. There is a wide open door in scaffolded rails apps. I am somewhat involved in rails development and even I know this, but "most people don't care". The problem in as few words as possible is a lack of input sanitation and/or more or less is the equivalent of allowing SQL injection. Makes for easy scaffolding and rollout. All you need to do is tell rails which attributes people should and should not be able to F with, which is trivially easy and impossible to default without turning rails into a fully cognitive AI system smarter than the programmers who refuse to declare which attributes are sensitive and which are not....

      The phrases you don't know to google for are "mass assignment protection" and attr_accessible and attr_protected

      http://enlightsolutions.com/articles/whats-new-in-edge-scoped-mass-assignment-in-rails-3-1 [enlightsolutions.com]

      • Re:Nice hacker (Score:5, Insightful)

        by NonUniqueNickname (1459477) on Monday March 05, 2012 @11:31AM (#39248055)

        This is NOTHING like lack of sanitizing or SQL injection.

        Suppose your object has fields "name" and "is_special", and the web form only exposed "name" because "is_special" isn't supposed to be changed by regular users. The hacker who knows "is_special" exists, adds an "is_special" field to the web form on his browser and submits it. The developer probably uses "update_attributes" to process the form, and with default Rails settings it will commit the new "is_special" value to the database (properly sanitized, of course).

        To prevent this, the developer may switch the settings to white-list, and provide a list of safe attributes for mass-assignment (update_attributes being one of the mass-assignment methods). Some people believe white-list mode should be the default settings. The hacker, probably being one of these people, found a great way to make his point that even seasoned Rails developers could use a push towards using white-lists.

        • Re:Nice hacker (Score:5, Insightful)

          by TheNinjaroach (878876) on Monday March 05, 2012 @12:18PM (#39248789)

          This is NOTHING like lack of sanitizing or SQL injection.

          Yes, the act of processing user-supplied data in an unintended manner is exactly what "lack of sanitizing" means.

          • Re:Nice hacker (Score:4, Informative)

            by vlm (69642) on Monday March 05, 2012 @01:53PM (#39250389)

            Also, the process of carefully crafting weird http traffic to insert unexpected things is exactly the process for SQL injection, except obviously strange non-developer intended attributes are being inserted instead of "sql EOL character followed by big sql fun" from a classic sql injection attack. It's a very close analogy... The meta-rule that both specific rules live under is if you're depending on the general internet public to send you something, you can expect someone out there to send you some absolutely crazy stuff and you better be prepared for absolutely anything. If you're not planning on getting UTF-16 encoded XML with embedded COBOL source code for an Intercal interpreter, there's someone in China coding it up right now, so you better get ready for it...

            His alternative way to describe how it works and at least one way to avoid it was pretty good, regardless of his analogy analysis skills... I thought "as few words as possible" and "more or less the equivalent" was about as wishy washy as I could be when tossing an analogy out there. True, I may have a low /. UID, but I wasn't exactly Moses reading the commandments off the tablets there... And if I was I'd have better commandments than this one...

            • I was thinking sanitation as in string sanitation and SQL injection as in '); drop table students; --. Thanks for pointing out the bigger picture, TheNinjaroach, vlm. I retract the word "NOTHING" from my previous post.

        • I've barely worked with Rails, but from what you're describing, isn't this bug somewhat like the security problems with register_globals [php.net] in PHP, which started defaulting to "off" almost a decade ago?

          Everything old is new again...

  • Strategic software (Score:5, Insightful)

    by aglider (2435074) on Monday March 05, 2012 @10:29AM (#39247247) Homepage

    I think it's time to think about repository for strategic software, like Linux, GCC and so on.
    Such a hacking can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep to evade any check.

    • by cr_nucleus (518205) on Monday March 05, 2012 @11:06AM (#39247605)

      Such a hacking can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep to evade any check.

      Well, as far as git goes, you can't make changes undetected because all commits are signed and all clones of a repository have the whole history log.

      • by lindi (634828)
        Are all commits really signed? I thought you could only sign tags.
        • by mortonda (5175)

          Yes, the id of every commit is a cryptographic hash of the contents of that commit, which inherently includes the state before it; if you tried to insert a commit in the middle of the commit tree, all the ids would change, or not compute... Hard to say what would happen, because it just won't work. The tools would all scream at you. It would be very obvious, if it could even be done.

          They may not all be "signatures" in the sense of identifying who committed it, but it *does* validate the consistency of th

    • by FunkyELF (609131) on Monday March 05, 2012 @11:07AM (#39247629)

      I think the use of Git makes it pretty safe to begin with.
      If someone gained access to do commits to what people consider as the "master" repo, any tampering would have to be done at the head because of all the hashes.
      Hopefully the maintainer would realize this the next time they go to push to it: Git would tell them that the remote is ahead of them by X commits.
      In the case of Linux, I think Linus is the only one who pushes to the master branch, so he would notice.
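The hash-chain argument mortonda and FunkyELF make above (and tuffy's non-fast-forward point further down), as an added example that is not code from any poster or from git itself: a plain-Ruby reconstruction of how git derives object ids. The object framing "<type> <size>\0<body>" is git's real format; the author line, file contents and the single-file "tree" are constructed simplifications (real git hashes a tree object, not a blob, in the tree field).

```ruby
require "digest/sha1"

# Added example (not from the thread or from git): git-style content
# addressing, showing why a commit altered mid-history changes every later id.

# git stores every object as "<type> <size>\0<body>" and names it by SHA-1.
def git_object_id(type, body)
  Digest::SHA1.hexdigest("#{type} #{body.bytesize}\0#{body}")
end

def blob_id(content)
  git_object_id("blob", content)
end

# Minimal commit body: tree id, parent id (absent on the root commit),
# constructed author/committer lines, blank line, message.
def commit_id(tree:, parent:, message:)
  body = +"tree #{tree}\n"
  body << "parent #{parent}\n" if parent
  body << "author Example Dev <dev@example.invalid> 1330900000 +0000\n"
  body << "committer Example Dev <dev@example.invalid> 1330900000 +0000\n"
  body << "\n#{message}\n"
  git_object_id("commit", body)
end

# Build a linear history from successive file contents. Each commit id covers
# its parent's id, so the result is a hash chain.
# Simplification: the blob id stands in for the tree id of a one-file repo.
def history(contents)
  contents.each_with_index.inject([]) do |ids, (content, i)|
    ids << commit_id(tree: blob_id(content), parent: ids.last, message: "commit #{i + 1}")
  end
end

# Constructed histories: the second differs only in the file content of commit 2.
ORIGINAL = ["v1\n", "v2\n", "v3\n"].freeze
TAMPERED = ["v1\n", "v2 with an extra line\n", "v3\n"].freeze

# Index of the first commit whose id differs between two histories; every
# later id differs as well, which is what every clone notices on fetch.
def first_divergence(a, b)
  a.zip(b).index { |x, y| x != y }
end

# What "git push" checks by default: the remote tip must be an ancestor of
# (or equal to) the local tip, i.e. the remote chain is a prefix of ours.
# A rewritten remote fails this and the push is refused as non-fast-forward.
def fast_forward?(local_ids, remote_ids)
  remote_ids.each_with_index.all? { |id, i| local_ids[i] == id }
end

if __FILE__ == $0
  orig = history(ORIGINAL)
  bad  = history(TAMPERED)
  puts "first differing commit: ##{first_divergence(orig, bad) + 1}"
  puts "push over rewritten remote fast-forwards? #{fast_forward?(orig, bad)}"
end
```

The empty-blob id the block computes is the same one real git prints for an empty file, which is a quick way to confirm the framing is right; the commit ids themselves depend on the constructed author line, so they will not match any real repository.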

  • distributed (Score:5, Insightful)

    by StripedCow (776465) on Monday March 05, 2012 @10:34AM (#39247307)

    Fortunately, git is a distributed version control system, meaning that, usually, there is a copy of the sources and history information elsewhere.

    • This informative and highly-modded comment appears to be lost on so many other highly-modded (but incorrect) posts.
    • by makomk (752139)

      It's also used for distributed development, which means that usually all the copies of the source and history information have pulled from the upstream GitHub repository and will contain any malicious code that was committed to it.

  • by Anonymous Coward on Monday March 05, 2012 @10:35AM (#39247311)

    ...as if millions of voices suddenly cried out from coffee shops in terror and were suddenly pwned. I fear something terrible, and totally predictable, has happened.

    Just wait a few years, Ruby on fails will strike back!

  • he could have added a one character integer overflow to net/ipv4/tcp_input.c
    • by tuffy (10202)

      Which would be noticed the next time anyone does a push to the repository. There'd be an unexpected non-fast-forward push, and git would force developers to deal with it by default.

  • What's GitHub?
  • Real Hacker (Score:5, Insightful)

    by stanlyb (1839382) on Monday March 05, 2012 @10:39AM (#39247355)
    This guy is very good example of what the real hacker is, and what they should be. Kudos man.
  • That could've gone a lot worse...and to think many stupid countries are trying to make such benevolent activities illegal.

  • by dnwq (910646) on Monday March 05, 2012 @11:01AM (#39247545)
    The best thing is this comment by a developer closing Homakov's original bug report [github.com], two days before Homakov hacked in:

    fxn commented 3 days ago

    There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.

    Thanks!

    Apparently GitHub's own admin isn't "pro" enough...

    • by MadKeithV (102058)

      Apparently GitHub's own admin isn't "pro" enough...

      I tried reading that thread but the language is convoluted and I know next-to-nothing about rails - am I reading it right - the devs were essentially saying "pro users know how to secure their installs!" and then got pwned themselves with the exact hack that Homakov had reported?

      • by dnwq (910646) on Monday March 05, 2012 @11:29AM (#39248031)
        Not precisely right: the devs were saying "good users know how to secure their installs" and then Homakov demonstrated just how untrue this was by breaking into what is probably the world's most important and professionally-run Ruby on Rails server, i.e., GitHub. That Rails itself is hosted on GitHub just makes it funnier.
      • am I reading it right - the devs were essentially saying "pro users know how to secure their installs!" and then got pwned themselves with the exact hack that Homakov had reported?

        You're reading it right. And he actually had to blatantly pwn them repeatedly before they would deign to take notice, and even then they didn't do anything about it until they got ridiculed across the entire Internet.

        Makes the (broken) PHP development community look relatively sane.

  • by miketheanimal (914328) on Monday March 05, 2012 @11:26AM (#39247989)
    OK, the blog is slashdot'd at the moment, but let's see if I have this right. Basically, you take an active record and just copy values from the POST data into it and then save it ... and this is the default behaviour? Do I have that right because, if so .... .... dear god, what were the ruby-on-rails people smoking when they thought that was a clever idea, it puts RoR on a level with PHP and its magic global variables. Not only that, but what were the github people smoking, the same? Using an insane facility is doubly insane. Methinks a lot of people need to go and read some web design stuff and realise that active records (or models - django users take note) are not synonymous with the "Model" (business logic) in MVC.
    • by gl4ss (559668) on Monday March 05, 2012 @12:58PM (#39249505) Homepage Journal

      Pardon some of my ignorance but isn't the point of using "smart" frameworks that you wouldn't need to worry about that stuff since the framework should _know_ what parameters it's asking the user's browser to submit?

      surely there has to be a framework designed with that in mind? "serve the user this blabla page that has these blabla input boxes"-> from the response just read those.

      seems that rails(and how github was using it) was moving business logic to random users computers and effectively taking them as a trusted part of the system? maybe the devs should spend more time playing online games and seeing crack cheaters.

      • by psydeshow (154300)

        Pardon some of my ignorance but isn't the point of using "smart" frameworks that you wouldn't need to worry about that stuff since the framework should _know_ what parameters it's asking the user's browser to submit?

        surely there has to be a framework designed with that in mind? "serve the user this blabla page that has these blabla input boxes"-> from the response just read those.

        seems that rails(and how github was using it) was moving business logic to random users computers and effectively taking them as a trusted part of the system? maybe the devs should spend more time playing online games and seeing crack cheaters.

        As I understand it, Rails isn't taking just any fields that a user submits. It's actually checking the fields against the model and only assigning the ones it recognizes. So yeah, it "knows" the parameters it is seeing and they are all valid so we're good to go.

        Except that there are fields in any model that the user *shouldn't* be able to change via form. And lo, there is a mechanism in Rails to flag those fields in the model so that this sort of thing doesn't happen: attr_accessible flags.

        But attr_accessi

        • by AlXtreme (223728)

          Except that there are fields in any model that the user *shouldn't* be able to change via form. And lo, there is a mechanism in Rails to flag those fields in the model so that this sort of thing doesn't happen: attr_accessible flags.

          Madness... when defining the form you explicitly define which attributes of the model may be submitted and modified and everything else is ignored. Forms should be the filter between the crap a user may submit and your precious model.

          Django does this right in my eyes: allowed a
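The mechanism vlm and NonUniqueNickname describe in the "Nice hacker" thread above (update_attributes writing any column the request names), together with the two fixes psydeshow and AlXtreme mention here (a model-level attr_accessible whitelist, and a form that only passes on the fields it rendered), as an added example. This is not code from the thread, from Rails or from GitHub; it is a dependency-free simulation, and the model, column and form names (User, is_special, SignupForm) are assumptions for illustration.

```ruby
# Added example (not code from the thread, Rails or GitHub): a small
# simulation of Rails-style mass assignment and two ways to contain it.

# Default behaviour: update_attributes writes every submitted key that names a
# column. Unknown keys are dropped, but every real column is writable,
# including is_special, which only a privileged path should ever set.
class User
  COLUMNS = %w[name email is_special].freeze
  attr_reader :attributes

  def initialize
    @attributes = { "name" => "", "email" => "", "is_special" => false }
  end

  def update_attributes(params)
    params.each do |key, value|
      key = key.to_s
      @attributes[key] = value if COLUMNS.include?(key)
    end
    self
  end
end

# Fix 1, model-level whitelist in the spirit of attr_accessible: only listed
# columns may be mass-assigned. Rejected keys are logged so the attempt is
# visible, and is_special is still settable through ordinary code.
class WhitelistedUser < User
  ACCESSIBLE = %w[name email].freeze

  def update_attributes(params)
    rejected = params.keys.map(&:to_s) - ACCESSIBLE
    warn "mass assignment rejected: #{rejected.join(', ')}" unless rejected.empty?
    super(params.select { |k, _| ACCESSIBLE.include?(k.to_s) })
  end

  def promote!
    @attributes["is_special"] = true  # privileged path, never driven by params
    self
  end
end

# Fix 2, form-level filter (the approach AlXtreme describes): the form object
# declares the fields it rendered, and only those ever reach the model.
class SignupForm
  FIELDS = %w[name email].freeze

  def initialize(params)
    @params = params.select { |k, _| FIELDS.include?(k.to_s) }
  end

  def save_to(user)
    user.update_attributes(@params)
  end
end

# Constructed request: the rendered form only had "name", but the submission
# carries an extra field the developer never exposed.
TAMPERED_PARAMS = { "name" => "mallory", "is_special" => true }.freeze

def default_is_special(params = TAMPERED_PARAMS)
  User.new.update_attributes(params).attributes["is_special"]
end

def whitelisted_is_special(params = TAMPERED_PARAMS)
  WhitelistedUser.new.update_attributes(params).attributes["is_special"]
end

def form_filtered_is_special(params = TAMPERED_PARAMS)
  SignupForm.new(params).save_to(User.new).attributes["is_special"]
end

if __FILE__ == $0
  puts "default model:   is_special=#{default_is_special}"        # true
  puts "attr_accessible: is_special=#{whitelisted_is_special}"    # false
  puts "form filter:     is_special=#{form_filtered_is_special}"  # false
end
```

The two fixes are not exclusive: the model whitelist protects every code path that mass-assigns, while the form filter also documents, next to the view, exactly which inputs a given screen is allowed to change.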

  • by Tchaik (21417) on Monday March 05, 2012 @11:50AM (#39248351) Homepage
    At least the message was understood loud and clear... It took a couple of hours and a commit to Rails was made to change the default: https://github.com/rails/rails/commit/641a4f62405cc2765424320932902ed8076b5d38 [github.com]
  • by rilian4 (591569)
    Why do people who gain such knowledge insist on pulling this kind of crap. Why not just attempt to disclose the bug to the site owners and let them fix it. If they refuse, post the info publicly to force their hand. Defacing a project on the site is like a 3-year-old finding a crayon and looking up and seeing that there's a wall to draw on.
  • When did Microsoft and Oracle start doing Open Source maintenance? Or did the GitHub team download their development principles and follow those instead of doing security reviews?

    Both Microsoft and Oracle are notorious for leaving reported bugs open for years unless someone demonstrates an effective exploit using the bug. But historically, Open Source projects have taken such risks seriously and closed the holes long before an exploit showed up.

    To me, that "constant maintenance" aspect of open source

  • To calm any fears that no rogue commits have been added as a result of this hack?

    Is git log enough and looking at the last datetime stamp?
