GitHub Hacked

MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."

That's what you get

[For a Free Internet]

That's what you get when you allow Italians like this guy on America's internet. Don't say I didn't warn you.

The remedy is that we all need to be more proactive about patronizing Wisconsin cheese and California wine.

GitHub hacked

[Anonymous Coward]

So, somebody hacked into a computer system to gain access to open source software. Brilliant.

I felt a great disturbance in the Force

[Anonymous Coward]

...as if millions of voices suddenly cried out from coffee shops in terror and were suddenly pwned. I fear something terrible, and totally predictable, has happened.

Just wait a few years, Ruby on fails will strike back!

Re:The response of 99.9% of humanity:

[project5117]

This is Slashdot, the 99.9% doesn't come here

Slashdot, home of the 0.1%.

Re:That's what you get

[dunkelfalke]

Dude, it is far worse than you imagine. The guy is obviously Russian. The Russians are coming!

Re:Linux security or trust

[pankkake]

Thankfully, no serious projects are hosted on GitHub.

No, that's what you get for using a dying language

[Barbara, not Barbie]

... among other things.

Ruby on Rails - the perfect blend of poor performance (Ruby) and gaping holes (Rails).

irresponsible

[rilian4]

Why do people who gain such knowledge insist on pulling this kind of crap. Why not just attempt to disclose the bug to the site owners and let them fix it. If they refuse, post the info publicly to force their hand. Defacing a project on the site is like a 3 year finding a crayon and looking up and seeing that there's a wall to draw on.

Re:PHP

[DarwinSurvivor]

I'm fairly certain the amount of PHP in your standard Ruby on Rails installation is relatively minor.

Re:Linux? Since when?

[Wraithlyn]

Couldn't resist [quickmeme.com]