GitHub responded quickly but clumsily, and its version of the hack, posted as "Public Key Security Vulnerability and Mitigation," has been accused of being "hazy truth." So says ChrisAcky in "GitHub and Rails: You have let us all down." The Hacker News forum exploded with new threads on the situation, drawing hundreds of comments, all on a Sunday.
When notified of the exploit, GitHub's weekend staff suspended Homakov's account. They also pointed to a blog entry from the fall of 2008 about this issue, which showed how a hacker could quickly take over any Rails application. Preventing this "mass assignment" vulnerability requires the Rails programmer to explicitly lock down the affected code, something not every programmer does. The GitHub folks evidently didn't.
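As an added illustration, not code from GitHub, Rails or the post, here is a plain-Ruby simulation of the mass assignment problem described above: a model that accepts every request parameter beside one that whitelists the assignable attributes, the idea behind Rails' attr_accessible. The class names, the user_id field and the request hash are constructed for the example.

```ruby
# Constructed simulation of Rails-style mass assignment, no Rails code used;
# class and field names are hypothetical. user_id is the record's owner.

# Vulnerable: every key in the request hash becomes an attribute, so a request
# can set fields the form never exposed, such as user_id.
class UnsafeRecord
  attr_reader :attributes
  def initialize(params, owner_id:)
    @attributes = { "user_id" => owner_id }
    assign_attributes(params)   # overwrites user_id if params carry it
  end
  def assign_attributes(params)
    params.each { |name, value| @attributes[name.to_s] = value }
  end
end

# Hardened: the model declares which attributes may be mass-assigned (the idea
# behind Rails' attr_accessible); anything else is dropped and recorded, which
# is worth logging because unexpected keys are a sign of tampering.
class SafeRecord
  ACCESSIBLE = %w[title key].freeze
  attr_reader :attributes, :rejected
  def initialize(params, owner_id:)
    @attributes = { "user_id" => owner_id }   # set by the app, never by params
    @rejected = []
    assign_attributes(params)
  end
  def assign_attributes(params)
    params.each do |name, value|
      name = name.to_s
      if ACCESSIBLE.include?(name)
        @attributes[name] = value
      else
        @rejected << name
      end
    end
  end
end

# Constructed request: a legitimate form submits only title and key, but this
# one also carries user_id pointing at a different account (id 1).
TAMPERED_PARAMS = { "title" => "laptop", "key" => "ssh-rsa AAAA-constructed", "user_id" => 1 }.freeze

# Build both models for the logged-in user 42 and report who ends up as owner.
def demo
  unsafe = UnsafeRecord.new(TAMPERED_PARAMS, owner_id: 42)
  safe   = SafeRecord.new(TAMPERED_PARAMS, owner_id: 42)
  { unsafe_owner: unsafe.attributes["user_id"],  # 1: hijacked by the request
    safe_owner:   safe.attributes["user_id"],    # 42: the app's choice survives
    rejected:     safe.rejected }                # ["user_id"]
end
```

In a real Rails 3 model the same whitelist is written as `attr_accessible :title, :key`; the rejected list is the part worth surfacing in logs.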
GitHub fail
Google gives people who find errors rewards. Why not do this to get the crowd to test your code?
This is old news; search Google for mass-assignment. My first hit: a Railscast on the very subject of why it is a boon for hackers.
Worse, ten years ago PHP changed the default behavior after suffering from a very similar problem.
Every service provider I use gets a once-a-year screw-up credit. GitHub just used theirs.
I'd rather persuade Egor to work at GitHub, not ban him. Good thing all's (sorta) fine now.
GitHub's heroic response
I appreciate the full disclosure and open communication of the vulnerability and your swift handling of the exploit.
There is no such thing as a "white attack". If it is an attack, it is an attack. Period.
I fail to see what GitHub did wrong here. They were attacked, they suspended the account doing the hacking, and they fixed the problem.
Blame the coders
If the dev doesn't know/care about security, then it's his own fault. You have to THINK when you do your apps. Let's be honest. There is a difference between doing and doing properly.
Reporting security flaws is fine. Doing it by demonstration on a live product without asking first is not as fine.
Is there any site more appealing to hackers than a repository of millions of lines of code, which is what GitHub is? How long do you think it will be until the next news story of another hack? Put your guess in a comment. Current over / under: one month.