GitHub Hacked
MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."
What no Guantanamo Bay for him? (Score:5, Insightful)
Linux security or trust (Score:0, Insightful)
This lowers the trust of the Linux source a notch. Who can really go over every line of code in the source to make sure someone hasn't already snuck in something malicious years ago?
Although the advantage of open source is that more eyes can go over it.
Strategic software (Score:5, Insightful)
I think it's time to think about a repository for strategic software, like Linux, GCC and so on.
Such a hack can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep as to evade any check.
distributed (Score:5, Insightful)
Fortunately, git is a distributed version control system, meaning that, usually, there is a copy of the sources and history information elsewhere.
Re:What no Guantanamo Bay for him? (Score:5, Insightful)
Oh wait.. this is an open source community that understood what his intentions were and didn't have a knee-jerk reaction.
What I guess intelligence trumps mass panic and ignorance.
You have to realize this isn't some random dude, but a guy "well known" as having an octocat tattoo on his arm...
http://homakov.blogspot.com/2011/07/octocat-tattoo.html
The response of 99.9% of humanity: (Score:2, Insightful)
Real Hacker (Score:5, Insightful)
Re:The response of 99.9% of humanity: (Score:5, Insightful)
This is Slashdot, the 99.9% doesn't come here
Re:Strategic software (Score:4, Insightful)
Such a hack can compromise a large part of the internet. Because someone can introduce backdoors, the nasty ones I mean, so deep as to evade any check.
Well, as far as git goes, you can't make changes undetected because all commits are signed and all clones of a repository have the whole history log.
WTF were they smoking? (Score:5, Insightful)
Re:Nice hacker (Score:5, Insightful)
This is NOTHING like lack of sanitizing or SQL injection.
Suppose your object has fields "name" and "is_special", and the web form only exposed "name" because "is_special" isn't supposed to be changed by regular users. The hacker who knows "is_special" exists, adds an "is_special" field to the web form on his browser and submits it. The developer probably uses "update_attributes" to process the form, and with default Rails settings it will commit the new "is_special" value to the database (properly sanitized, of course).
To prevent this, the developer may switch the settings to white-list, and provide a list of safe attributes for mass-assignment (update_attributes being one of the mass-assignment methods). Some people believe white-list mode should be the default settings. The hacker, probably being one of these people, found a great way to make his point that even seasoned Rails developers could use a push towards using white-lists.
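The "name" / "is_special" scenario from the comment above, as an added example that is not part of the original thread and is not Rails code: a small stand-in model shows the permissive default beside a whitelist. The names Model, accessible and rejected are hypothetical.

```ruby
# Simplified stand-in for a model with mass assignment; NOT ActiveRecord code.
# Model, accessible and rejected are hypothetical names for this example.
class Model
  # No call to `accessible` leaves the list nil: every attribute is assignable,
  # mirroring the permissive default the comment describes.
  def self.accessible(*names)
    @accessible = names.map(&:to_s)
  end
  def self.accessible_list
    @accessible
  end

  attr_reader :attributes, :rejected
  def initialize(attrs = {})
    @attributes = attrs.transform_keys(&:to_s)
    @rejected = []
  end

  # Mass assignment: copy every submitted key unless a whitelist filters it.
  def update_attributes(params)
    allowed = self.class.accessible_list
    params.each do |key, value|
      key = key.to_s
      if allowed.nil? || allowed.include?(key)
        @attributes[key] = value
      else
        @rejected << key # worth logging: a field the form never exposed
      end
    end
    self
  end
end

class OpenUser < Model; end # no whitelist declared

class GuardedUser < Model
  accessible :name # only "name" may be set from a form
end

# Constructed request parameters: the form exposed only "name".
SUBMITTED = { "name" => "alice", "is_special" => "true" }.freeze

def demo(klass)
  user = klass.new({ "name" => "old", "is_special" => "false" })
  user.update_attributes(SUBMITTED)
  [user.attributes["is_special"], user.rejected]
end

p demo(OpenUser), demo(GuardedUser)
```

With no whitelist the submitted "is_special" value replaces the stored one; with the whitelist it is left unchanged and the unexpected key is recorded.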
Re:Nice hacker (Score:5, Insightful)
This is NOTHING like lack of sanitizing or SQL injection.
Yes, the act of processing user-supplied data in an unintended manner is exactly what "lack of sanitizing" means.
Re:No, that's what you get for using a dying langu (Score:4, Insightful)
If you don't want people to do this:
@user.update_attributes({:favorite_color => 'blue',
You need to do this:
class User < ActiveRecord::Base
  attr_protected
end
Re:No, that's what you get for using a dying langu (Score:4, Insightful)
While it's true that it was sloppy coding, it is also true that the default is not really safe - and it probably should be.