GitHub Hacked
MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."
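The mass-assignment bug class the summary describes, shown as an added example that is neither GitHub's nor Rails' code: a minimal Ruby model that mimics Rails-style `update_attributes`, first writing every submitted key (vulnerable) and then honouring a whitelist in the spirit of `attr_accessible` (hardened). The class names, the `TAMPERED_PARAMS` request body and the user ids are constructed for the example.

```ruby
# Vulnerable: every key in the request params is written to the record, so a
# caller can set fields the HTML form never exposed (here the owning user_id).
class PublicKeyUnsafe
  attr_reader :attributes
  def initialize(current_user_id)
    # Like current_user.public_keys.build: owner is set from the session...
    @attributes = { "title" => nil, "key" => nil, "user_id" => current_user_id }
  end
  def update_attributes(params)
    # ...and then silently overwritten by whatever the client sent.
    params.each { |name, value| @attributes[name.to_s] = value }
    self
  end
end

# Hardened: only declared attributes are assignable; anything else is dropped
# and recorded so the controller can log the attempt.
class PublicKeySafe
  ACCESSIBLE = %w[title key].freeze
  attr_reader :attributes, :rejected
  def initialize(current_user_id)
    @attributes = { "title" => nil, "key" => nil, "user_id" => current_user_id }
    @rejected = []
  end
  def update_attributes(params)
    params.each do |name, value|
      if ACCESSIBLE.include?(name.to_s)
        @attributes[name.to_s] = value
      else
        @rejected << name.to_s # unexpected key: worth alerting on
      end
    end
    self
  end
end

# Constructed request body: the key form submits title/key, but a tampered
# request also carries user_id to attach the key to another account.
TAMPERED_PARAMS = { "title" => "laptop", "key" => "ssh-rsa AAAA...example", "user_id" => 4 }

# Owner recorded by each model when user 1 submits the tampered request.
def unsafe_owner(params = TAMPERED_PARAMS, current_user_id = 1)
  PublicKeyUnsafe.new(current_user_id).update_attributes(params).attributes["user_id"]
end

def safe_owner(params = TAMPERED_PARAMS, current_user_id = 1)
  PublicKeySafe.new(current_user_id).update_attributes(params).attributes["user_id"]
end
```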
The devs were notified and ignored it (Score:5, Interesting)
Apparently GitHub's own admin isn't "pro" enough...
Re:Strategic software (Score:4, Interesting)
I think the use of Git makes it pretty safe to begin with.
If someone gained access to do commits to what people consider as the "master" repo, any tampering would have to be done at the head because of all the hashes.
Hopefully the maintainer would realize this the next time they go to push to it: Git would tell them that the remote is ahead of them by X commits.
In the case of Linux, I think Linus is the only one who pushes to the master branch, so he would notice.
Re:GitHub hacked (Score:4, Interesting)
If you can't imagine a way that unfettered access to *alter* an exceptionally popular piece of software, virtually undetected
I can't imagine a way to do that with git. Sorry, it's just pretty hard to do, especially "virtually undetected". git just doesn't work that way. Probably a hell of a lot easier and more likely to succeed and frankly cheaper to get commit rights "the right way" and then sneak in 100 perfectly legit real world commits and just one with an intentional bug or issue or whatever. Now, if by "... alter ... popular ... software..." you mean something like modify the github site and user provided data itself to point to some images on some .ru domain that include yet another drive by MSIE exploit, sure that could probably have been done. But the git hosted projects are basically safe, assuming anyone is actually using them.
Which brings up an interesting attack vector, if you find generic abandoned mp3 player number 2352 on sf or github and "take it over" by whatever means, then you could put weird stuff into it without anyone noticing since no one git pulls it. This could be a problem.