Github, the popular code sharing site, suffered a major security exploit today when an unauthorized user pushed a commit to the Ruby on Rails project. The problem appears to be a flaw in Ruby on Rails, which is not just hosted by Github but is used to run Github. Github is currently auditing its code base to ensure that the vulnerability is fixed and that no other repositories were altered.
You can find Github’s statement here.
Chris Acky has more details on what happened. Acky writes that “Every GitHub repository was vulnerable to attack and absolutely nothing was safe.”
Further, Acky writes that the user responsible for the hack, Egor Homakov, reported the issue to the Rails team and had his issue closed: “After discussing the issue, the conclusion was that this isn’t an issue in Rails, and that it’s up to the developer to secure his code, not Rails.”
Acky also criticizes Github’s handling of the issue:
Your post-mortem report, titled “Public Key Security Vulnerability and Mitigation” is a hazy truth of what actually happened. The title is a clear misnomer, or at the least a red herring, because while this might have now been patched, we also don’t know how many other people knew of this vulnerability. Additionally, companies like Google, Firefox, and Facebook all have bug hunt bounties where they reward people who discover exploits.
Instead, the reward you landed to @homakov is a suspension. Homakov found a vulnerability in a project used by hundreds of thousands of applications, and his issue is ignored. The likelihood of this vulnerability reaching the ears of developers everywhere is extremely low and Rails clearly weren’t taking it seriously. So instead he demonstrates the vulnerability in an attack which is clearly the “whitest” of white, and gets a suspension.
There’s much discussion on community sites like Hacker News about whether Homakov was treated fairly by Github. Here are some sample comments from this thread, presumably posted before Github restored Homakov’s account:
I have lost all trust in GitHub, and not because of the vulnerability, but because of their response. With their suspension of Homakov’s account and deceptive blog post about the extent of the hole, GitHub has guaranteed that they won’t be the first to know about the next vulnerability (and there’s always another).
It’s sort of a sticky situation. My take on it wasn’t that this was so much to screw with GitHub as it was to show the Rails team the true severity of an issue they downplayed. It gets a bit circuitous because Rails is hosted on GitHub and GitHub is a Rails app. Had he reported it to GitHub and they patched it, which is arguably the proper thing to have done, nothing would have happened on the Rails side of the equation. All told, I think he did the right thing.
I just moved my private repo to bitbucket hoping that Atlassian would have handled this issue better. At least they seem to have more experience looking at their long history in software. I will also look into setting up my own git(orious) server.
I would disagree with this, quite a lot. He brought up an issue with the Rails team, they pointed him at the canonical, “here is where we talked about this before, sorry.” Still not satisfied, he found the same exploit in Github to prove a point. Rather than do the sensible thing by creating a dummy account and contacting Github showing how he messed things up, he barged into the Rails organization and left a silly commit. Github is first and foremost a business organization where lots of companies pay them lots of money to “take this shit seriously” and protect their data, so they did the right thing by shutting him down.