March 05, 2012, 10:42 AM —
Egor Homakov found a way to attach his own SSH public key to another user's GitHub account, which would have given him write access to any GitHub code repository. Did he report the flaw or hack GitHub?
GitHub responded quickly but clumsily, and its own account of the hack, "Public Key Security Vulnerability and Mitigation," has been accused of being "hazy truth." So says ChrisAcky in "GitHub and Rails: You have let us all down." The Hacker News forum exploded with new threads on the situation, drawing hundreds of comments, all on a Sunday.
When notified of the exploit, GitHub's weekend staff suspended Homakov's account. They also pointed to a blog entry from the fall of 2008 describing the issue: a Rails application that passes request parameters straight into a model lets an attacker set attributes the form never exposed, such as the owner of a record. This "mass assignment" vulnerability requires the Rails programmer to guard against it explicitly, by whitelisting the attributes a request is allowed to set (attr_accessible in the Rails of that era), something not every programmer does. The GitHub folks evidently didn't, at least not on the model that stores users' public keys.
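The following is an added illustration of the mass assignment pattern, written for this article in plain Ruby so it runs without Rails; it is not GitHub's or Rails' code. The PublicKey model, its attribute names, the user ids and the submitted key are all assumptions chosen to mirror the story, not GitHub's schema or Homakov's actual request.

```ruby
# A minimal stand-in for an ActiveRecord model holding one SSH public key.
# Attribute names are assumptions that mirror the GitHub incident.
class PublicKey
  attr_accessor :title, :key, :user_id

  # The effect of `attr_accessible :title, :key`: the only attributes a
  # request is allowed to set. Everything else (here, user_id) is protected.
  ACCESSIBLE = %w[title key].freeze

  def initialize(user_id)
    @user_id = user_id
  end

  # Vulnerable: copy every submitted parameter into the record, which is how
  # update_attributes(params[:public_key]) behaved on a model that declared
  # neither attr_accessible nor attr_protected.
  def mass_assign_unsafe(params)
    params.each do |name, value|
      setter = "#{name}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Hardened: enforce the allow-list. With strict: false the protected keys
  # are silently dropped (Rails' default sanitizer behaviour); with
  # strict: true the whole request is rejected (the :strict sanitizer).
  def mass_assign_safe(params, strict: false)
    params = params.transform_keys(&:to_s)
    rejected = params.keys - ACCESSIBLE
    if strict && rejected.any?
      raise ArgumentError, "protected attributes: #{rejected.join(', ')}"
    end
    params.slice(*ACCESSIBLE).each { |name, value| public_send("#{name}=", value) }
    self
  end
end

# Constructed attacker request: an ordinary "add key" form submission that
# smuggles in the victim's user id. Both ids are made-up values.
ATTACKER_ID = 42
VICTIM_ID   = 1
ATTACK_PARAMS = {
  'title'   => 'laptop',
  'key'     => 'ssh-rsa AAAAB3NzaC1yc2E... attacker@example.com',
  'user_id' => VICTIM_ID
}.freeze

# Unpatched model: the key ends up owned by the victim, so the attacker's
# key now authenticates as the victim.
def demo_unsafe
  PublicKey.new(ATTACKER_ID).mass_assign_unsafe(ATTACK_PARAMS)
end

# Whitelisted model, default mode: title and key are stored, user_id is dropped.
def demo_safe
  PublicKey.new(ATTACKER_ID).mass_assign_safe(ATTACK_PARAMS)
end

# Whitelisted model, strict mode: the tampered request is refused outright.
def demo_strict_rejects?
  PublicKey.new(ATTACKER_ID).mass_assign_safe(ATTACK_PARAMS, strict: true)
  false
rescue ArgumentError
  true
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe: key now belongs to user #{demo_unsafe.user_id}"
  puts "safe:   key still belongs to user #{demo_safe.user_id}"
  puts "strict: tampered request rejected? #{demo_strict_rejects?}"
end
```

The difference between the two modes matters operationally: a silently dropped attribute leaves no trace in the application's behaviour, whereas a strict rejection gives you a log line to alert on. Either way the fix is the same as the one GitHub's post describes: every model that takes request parameters gets an explicit list of what a user may set.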
GitHub's heroic response
There is no such thing as a "white attack". If it is an attack, it is an attack. Period.
kikito on chrisacky.posterous.com
Blame the coders
If the dev doesn't know/care about security, then it's his own fault. You have to THINK when you do your apps. Let's be honest. There is a difference between doing and doing properly.
Alessandro Dal Grande on chrisacky.posterous.com
Is there any site more appealing to hackers than a repository of millions of lines of code, which is what GitHub is? How long do you think it will be until the next news story of another hack? Put your guess in a comment. Current over / under: one month.