GitHub hacked, coder conflicts grow

GitHub cat pumpkin carving
Credit: flickr/qrush

Egor Homakov found a way to access every GitHub code repository. Did he report the flaw or hack GitHub?

GitHub responded quickly but clumsily, and their version of the hack at "Public Key Security Vulnerability and Mitigation" has been accused of being "hazy truth." So says ChrisAcky in "GitHub and Rails: You have let us all down." The Hacker News forum exploded with new topics on the situation with hundreds of comments, all on a Sunday.

When notified of the exploit, GitHub's weekend staff suspended Homakov's account. They also pointed to a blog entry from the fall of 2008 about this issue, where a hacker could quickly take over any Rails application. This "mass assignment" vulnerability requires the Rails programmer to lock the code for prevention, something not every programmer does. The GitHub folks evidently didn't.
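As an added illustration (not code from GitHub, Rails or the article), here is a minimal Ruby stand-in for a Rails-style model showing the unrestricted "mass assignment" update beside an allow-listed one; the `User` class, its fields and the request hash are constructed for this example and are not GitHub's.

```ruby
# Added example: a plain-Ruby stand-in for an ActiveRecord-style model.
# It shows why assigning every request key to the model is dangerous and
# how an attribute allow-list (the idea behind attr_accessible / strong
# parameters) closes the hole. Fields and params are constructed.

class User
  attr_accessor :name, :email, :admin, :owner_id

  def initialize(name:, email:, owner_id:)
    @name, @email, @owner_id = name, email, owner_id
    @admin = false
  end

  # VULNERABLE: every key in the request hash becomes a setter call, so a
  # client can write any attribute the model has, not just the form fields.
  def update_unrestricted(params)
    params.each { |k, v| public_send("#{k}=", v) if respond_to?("#{k}=") }
    self
  end

  # HARDENED: only explicitly allowed attributes may be set from user input;
  # everything else is dropped and returned so the caller can log it.
  ALLOWED = %w[name email].freeze

  def update_allowlisted(params)
    params = params.transform_keys(&:to_s)
    rejected = params.keys - ALLOWED
    params.slice(*ALLOWED).each { |k, v| public_send("#{k}=", v) }
    [self, rejected]
  end
end

# Constructed request body: the form only exposes "name", but the client
# sent extra keys that the model happens to have setters for.
REQUEST_PARAMS = { "name" => "bob", "admin" => true, "owner_id" => 42 }.freeze

def demo
  vulnerable = User.new(name: "alice", email: "a@example.test", owner_id: 1)
  vulnerable.update_unrestricted(REQUEST_PARAMS)

  hardened = User.new(name: "alice", email: "a@example.test", owner_id: 1)
  _, rejected = hardened.update_allowlisted(REQUEST_PARAMS)

  { vulnerable_admin: vulnerable.admin, vulnerable_owner: vulnerable.owner_id,
    hardened_admin: hardened.admin, hardened_owner: hardened.owner_id,
    rejected: rejected }
end
```

The rejected-key list is the signal a defender wants: unexpected attributes arriving from a client are worth logging and alerting on, not silently ignoring.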

GitHub fail

Google gives people who find errors rewards. Why not do this to get the crowd to test your code?

thomasschaaf on

This is old news. Search Google for mass-assignment - my first hit is a RailsCast on the very subject of why it is a boon for hackers.

scubamunki on

Worse, ten years ago PHP changed the default behavior after suffering from a very similar problem.

acqq on

Every service provider I use gets a once-a-year-screw-up credit. Github just used theirs.

maratd on

I'd rather persuade Egor to work at GitHub, not ban him. Good thing all's (sorta) fine now.

mvasilikov on

GitHub's heroic response

I appreciate the full disclosure and open communication of the vulnerability and your swift handling of the exploit.

zdennis on

There is no such thing as a "white attack". If it is an attack, it is an attack. Period.

kikito on

I fail to see what GitHub did wrong here. They were attacked, they suspended the account doing the hacking, and they fixed the problem.

ericflo on

Blame the coders

If the dev doesn't know/care about security, then it's his own fault. You have to THINK when you do your apps. Let's be honest. There is a difference between doing and doing properly.

Alessandro Dal Grande on

Reporting security flaws is fine. Doing it by demonstration on a live product without asking first is not as fine.

yxhuvud on

Is there any site more appealing to hackers than a repository of millions of lines of code, which is what GitHub is? How long do you think it will be until the next news story of another hack? Put your guess in a comment. Current over / under: one month.
