
Disgruntled Member Hacks GitHub

A frustrated hacker who had identified a security flaw in the collaborative revision-management website GitHub seized control of its repository over the weekend after the website ignored his warnings about the vulnerability.

Egor Homakov proceeded to submit issues from 1001 years in the future, signing them as Bender, a robot character from the popular sci-fi cartoon Futurama. The website suspended Homakov’s account, but reinstated it following a public outcry. According to GitHub, the vulnerability has been fixed.

“Egor, stop hacking GH”

Homakov discovered a mass-assignment vulnerability that allowed him to gain administrator rights and the ability to execute actions that are off limits to regular users, such as committing to master, reopening and closing issues in the Issue Tracker, or even wiping the entire history of any GitHub project.
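To make the mechanism behind the story concrete, here is an added example written for this page; it is not code from GitHub, from Rails, or from Homakov. It mimics in plain Ruby the pre-4.0 Rails default, where an update helper assigns every key it receives, and places a whitelist-based version next to it. The class names, the `admin` attribute and the request body are constructed for illustration.

```ruby
# Added example (hypothetical model, not GitHub's or Rails' own code).
# A minimal stand-in for an ActiveRecord model whose update helper
# assigns every incoming key: the mass-assignment pattern at issue.
class VulnerableUser
  attr_accessor :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # No allow-list: every key in params becomes a setter call, so a request
  # that smuggles in "admin" => true flips a privilege flag the form never
  # exposed. This is the weak behaviour, kept here for contrast.
  def update_attributes(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Hardened variant in the style of strong parameters / attr_accessible:
# input is sliced down to an explicit allow-list before assignment, and the
# dropped keys are recorded so a defender can log or alert on them.
class HardenedUser < VulnerableUser
  PERMITTED = %w[name email].freeze

  attr_reader :rejected

  def update_attributes(params)
    permitted = params.select { |key, _| PERMITTED.include?(key.to_s) }
    @rejected = params.keys.map(&:to_s) - PERMITTED
    super(permitted)
  end
end

# Constructed request body: a profile-edit form submission with one extra
# field that the legitimate form does not contain.
TAMPERED_PARAMS = {
  "name"  => "bender",
  "email" => "bender@example.test",
  "admin" => true
}.freeze

# Returns the admin flag after the unfiltered update: true, i.e. escalated.
def demo_vulnerable
  user = VulnerableUser.new(name: "alice", email: "alice@example.test")
  user.update_attributes(TAMPERED_PARAMS).admin
end

# Returns [admin flag, rejected keys] after the filtered update:
# the flag stays false and "admin" shows up in the rejected list.
def demo_hardened
  user = HardenedUser.new(name: "alice", email: "alice@example.test")
  user.update_attributes(TAMPERED_PARAMS)
  [user.admin, user.rejected]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable model admin flag: #{demo_vulnerable}"   # true
  puts "hardened model result:      #{demo_hardened.inspect}"  # [false, ["admin"]]
end
```

The detection angle is the `rejected` list: a model that records unpermitted keys gives operations a signal (a request carrying `admin` or `id` fields that no form sends) that a plain slice-and-discard would throw away silently.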

He tried several times to notify the website by opening an issue in the rails repository on GitHub, which, despite patching some of the holes, failed to fix the vulnerability. This caused Homakov to resort to more extreme tactics to convince the website that the threat was real.

“Since guys in rails issues ignored me and my issue, I got spare time to test it on the first website I had in mind. GitHub. That was pretty funny,” he wrote on his blog. “Firstly, I could write post from 1234 year or 4321. Then, I could make a post pretending I am DHH. That was funny too.”

“Then I could wipe any post in any project. That wasn’t that funny but pretty dangerous. It got more curious. Today I can pull/commit/push in any repository on GitHub. Jack pot,” he added. “I will write big post regards this topic – examples (not only GitHub is vulnerable this way – I found a lots of rails apps that are waiting for my hack! Yeah, it is only start). Stay tuned.”

From Russia with LOVE

GitHub responded by rolling out a fix to the vulnerability and suspending Egor’s account. “Security is our priority and I will be arranging additional external security audits above and beyond our normal schedule to further test our security measures and give you peace of mind,” said a spokesman for GitHub.

Homakov’s suspension caused outrage among the users of the site, most of whom sympathised with the ethical hacker, and blamed GitHub for not responding to his comments in a timely fashion. It was recognised that Homakov did not try to damage the website or any projects and had no malicious intent whatsoever.

He later apologised, writing, “Yes I behaved like a jerk. But why you suspended my account? Oh yea, Terms. But, let’s get it real. It is not the way you were supposed to fix things. I, dammit, LOVE YOU.”

In the end, GitHub reinstated Homakov’s account. More importantly, it added a Responsible Disclosure of Security Vulnerabilities policy to its Terms and Conditions to ensure that a similar episode would not be repeated in the future. “Thanks, Homakov. You helped make GitHub better,” said one of the comments on Egor’s blog.


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
