Egor Homakov found a way to access every GitHub code repository. Did he report the flaw or hack GitHub?
GitHub responded quickly but clumsily, and their version of the hack at "Public Key Security Vulnerability and Mitigation" has been accused of being "hazy truth." So says ChrisAcky in "GitHub and Rails: You have let us all down." The Hacker News forum exploded with new topics on the situation with hundreds of comments, all on a Sunday.
When notified of the exploit, GitHub's weekend staff suspended Homakov's account. They also pointed to a blog entry from the fall of 2008 about this issue, a class of flaw that lets an attacker set model attributes a web form was never meant to expose, and with them hijack a Rails application. This "mass assignment" vulnerability requires the Rails programmer to lock down each model (at the time, by declaring which attributes are accessible from request data) to prevent it, something not every programmer does. The GitHub folks evidently didn't.
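As an added illustration of the point above (this is not GitHub's code nor the Rails implementation; the User model, its admin flag and the request hash are all constructed for the example), here is the unguarded mass-assignment pattern in plain Ruby next to the allowlisted version that the Rails "accessible attributes" mechanism amounts to:

```ruby
# Added example (not GitHub's or Rails' code): a miniature model showing why
# unguarded mass assignment is dangerous and how an attribute allowlist closes it.
require 'set'

class MassAssignmentError < StandardError; end

# Hypothetical stand-in for an ActiveRecord model. The attributes here are
# constructed for the example; GitHub's real schema is not shown on this page.
class User
  attr_accessor :name, :public_key, :admin

  def initialize(name:, public_key: nil, admin: false)
    @name, @public_key, @admin = name, public_key, admin
  end

  # VULNERABLE: assigns every key in the params hash, the way an unguarded
  # update_attributes(params[:user]) behaved when the model declared no allowlist.
  # The form only showed "name", but nothing stops a client from sending more.
  def update_attributes_unsafe(params)
    params.each { |k, v| public_send("#{k}=", v) }
    self
  end

  # HARDENED: only allowlisted attributes may be set from request data; anything
  # else is rejected before it touches the model (a loud failure is preferable to
  # silently dropping keys, because it surfaces probing in the logs).
  ACCESSIBLE = Set.new(%w[name public_key]).freeze

  def update_attributes_safe(params)
    params.each do |k, v|
      key = k.to_s
      raise MassAssignmentError, "attribute #{key} not accessible" unless ACCESSIBLE.include?(key)
      public_send("#{key}=", v)
    end
    self
  end
end

# Constructed request body: the attacker edits the profile form in the browser
# and appends a field the form never exposed.
ATTACK_PARAMS = { 'name' => 'egor', 'admin' => true }.freeze

# Returns the user as left by the vulnerable path (admin becomes true).
def run_unsafe
  User.new(name: 'egor').update_attributes_unsafe(ATTACK_PARAMS)
end

# Returns :updated on success or the rejection message on the hardened path.
def run_safe(params = ATTACK_PARAMS)
  User.new(name: 'egor').update_attributes_safe(params)
  :updated
rescue MassAssignmentError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe path: admin=#{run_unsafe.admin}"
  puts "safe path:   #{run_safe}"
end
```

The same shape applies to any attribute the developer did not intend to be client-controlled (an owner id on a record, a role, a verified flag); the fix is to make the allowlist the default for every model rather than remembering to add it per model.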
Google gives people who find errors rewards. Why not do this to get the crowd to test your code? (thomasschaaf on github.com)
This is old news; search Google for mass-assignment. My first hit was a RailsCast on the very subject of why it is a boon for hackers. (scubamunki on chrisacky.posterous.com)
Worse, ten years ago PHP changed the default behavior after suffering from a very similar problem. (acqq on news.ycombinator.com)
Every service provider I use gets a once-a-year screw-up credit. Github just used theirs. (maratd on news.ycombinator.com)
I'd rather persuade Egor to work at GitHub, not ban him. Good thing all's (sorta) fine now. (mvasilikov on chrisacky.posterous.com)
GitHub's heroic response
I appreciate the full disclosure and open communication of the vulnerability and your swift handling of the exploit. (zdennis on github.com)
There is no such thing as a "white attack". If it is an attack, it is an attack. Period. (kikito on chrisacky.posterous.com)
I fail to see what GitHub did wrong here. They were attacked, they suspended the account doing the hacking, and they fixed the problem. (ericflo on news.ycombinator.com)
Blame the coders
If the dev doesn't know/care about security, then it's his own fault. You have to THINK when you do your apps. Let's be honest. There is a difference between doing and doing properly. (Alessandro Dal Grande on chrisacky.posterous.com)
Reporting security flaws is fine. Doing it by demonstration on a live product without asking first is not as fine. (yxhuvud on news.ycombinator.com)
Is there any site more appealing to hackers than a repository of millions of lines of code, which is what GitHub is? How long do you think it will be until the next news story of another hack? Put your guess in a comment. Current over / under: one month.