A frustrated hacker who had identified a security flaw affecting GitHub, the collaborative revision management website, seized control of the Ruby on Rails repository hosted there over the weekend, after the Rails maintainers dismissed his warnings about the framework default that made the vulnerability possible.
Egor Homakov proceeded to submit issues from 1001 years in the future, signing them as Bender, a robot character from a popular sci-fi cartoon Futurama. The website suspended Homakov’s account, but reinstated it following a public outcry. According to GitHub, the vulnerability has been fixed.
Homakov discovered a mass-assignment vulnerability: GitHub's Rails code passed user-supplied form parameters straight to its models, so by adding an extra public_key[user_id] field to the form for registering an SSH key he could attach his own key to another user's account. That gave him that user's access, including actions that are off limits to regular customers, such as committing to master, reopening and closing issues in the issue tracker, or even wiping the entire history of any GitHub project.
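The mechanism described above, as an added example that is not code from GitHub, Rails or Homakov's post: a minimal model that mimics ActiveRecord-style mass assignment, shown both as the vulnerable pattern (every form field becomes an attribute) and as the hardened pattern (only whitelisted fields are honoured, which is what attr_accessible and, later, strong parameters do). The model name, field names and user ids are illustrative assumptions.

```ruby
# Added example (not GitHub's, Rails' or Homakov's code). It models the
# ActiveRecord-style "mass assignment" that was exploited: a controller hands a
# whole params hash to the model, so any extra field the client adds becomes an
# attribute. PublicKey, user_id and the ids below are illustrative assumptions.

class PublicKey
  attr_reader :title, :key, :user_id

  # user_id comes from the authenticated session, never from the form.
  def initialize(user_id)
    @user_id = user_id
  end

  # Vulnerable, Rails-3-without-attr_accessible behaviour: every key in the
  # hash is written to the model, including ones the form never offered.
  def assign_attributes_unfiltered(params)
    params.each { |name, value| instance_variable_set("@#{name}", value) }
    self
  end

  # Hardened: only the fields the form is supposed to carry are honoured
  # (the effect of attr_accessible / strong parameters' permit in Rails).
  # Returns the names that were dropped so the caller can log the attempt.
  PERMITTED = %w[title key].freeze

  def assign_attributes(params)
    rejected = params.keys.map(&:to_s) - PERMITTED
    params.each do |name, value|
      next unless PERMITTED.include?(name.to_s)
      instance_variable_set("@#{name}", value)
    end
    rejected
  end
end

# Constructed request: user 42 submits the "add SSH key" form and tacks on a
# public_key[user_id] field pointing at user 7, the project maintainer.
ATTACKER_ID = 42
VICTIM_ID = 7
MALICIOUS_PARAMS = {
  "title" => "laptop",
  "key" => "ssh-rsa AAAAB3NzaC1yc2E... attacker@laptop",
  "user_id" => VICTIM_ID
}.freeze

# What a vulnerable create action did: the key lands on the victim's account.
def vulnerable_create(params, current_user_id)
  PublicKey.new(current_user_id).assign_attributes_unfiltered(params)
end

# The fixed create action: the tampered user_id is discarded and the key stays
# on the attacker's own account. Returns [key, rejected_field_names].
def hardened_create(params, current_user_id)
  key = PublicKey.new(current_user_id)
  rejected = key.assign_attributes(params)
  [key, rejected]
end

if __FILE__ == $PROGRAM_NAME
  v = vulnerable_create(MALICIOUS_PARAMS, ATTACKER_ID)
  puts "vulnerable: key attached to user #{v.user_id}"
  h, rejected = hardened_create(MALICIOUS_PARAMS, ATTACKER_ID)
  puts "hardened:   key attached to user #{h.user_id}, dropped #{rejected.inspect}"
end
```

In a real Rails app the equivalent fix is to declare attr_accessible :title, :key on the model (Rails 3), or to build the record from params.require(:public_key).permit(:title, :key) (Rails 4 strong parameters); logging the rejected field names, as the hardened path does here, also turns a tampering attempt into a detectable event rather than a silent no-op.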
“Since guys in rails issues ignored me and my issue, I got spare time to test it on the first website I had in mind. GitHub. That was pretty funny,” he wrote on his blog. “Firstly, I could write post from 1234 year or 4321. Then, I could make a post pretending I am DHH. That was funny too.”
“Then I could wipe any post in any project. That wasn’t that funny but pretty dangerous. It got more curious. Today I can pull/commit/push in any repository on GitHub. Jack pot,” he added. “I will write big post regarding this topic – examples (not only GitHub is vulnerable this way – I found a lot of rails apps that are waiting for my hack! Yeah, it is only start). Stay tuned.”
GitHub responded by rolling out a fix to the vulnerability and suspending Egor’s account. “Security is our priority and I will be arranging additional external security audits above and beyond our normal schedule to further test our security measures and give you peace of mind,” said a spokesman for GitHub.
Homakov’s suspension caused outrage among the users of the site, most of whom sympathised with the ethical hacker, and blamed GitHub for not responding to his comments in a timely fashion. It was recognised that Homakov did not try to damage the website or any projects and had no malicious intent whatsoever.
He later apologised, writing, “Yes I behaved like a jerk. But why you suspended my account? Oh yea, Terms. But, let’s get it real. It is not the way you were supposed to fix things. I, dammit, LOVE YOU.”
In the end, GitHub reinstated Homakov’s account. More importantly, it added a Responsible Disclosure of Security Vulnerabilities policy to its Terms and Conditions to ensure that a similar episode would not repeat in the future. “Thanks, Homakov. You helped make GitHub better,” says one of the comments on Egor’s blog.