
Over Weekend, GitHub hacked with Ruby on Rails public key vulnerability

GitHub, the service that many professional programmers use to store their work and collaborate on coding, was hacked over the weekend. A young Russian developer, Egor Homakov, exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others.

When GitHub saw what happened, they suspended Homakov’s account, which created a firestorm of protest, including a blog post entitled “Github, You Have Let Us All Down”. GitHub had succumbed to a public key vulnerability in Ruby on Rails that allowed a user administrator access to the popular Rails repository. Homakov’s actions were relatively simple: he merely submitted his public key through the flawed form so that Git treated him as an approved administrator of that project. This would not only entitle Homakov to commit files; he could effectively wipe the entire project and its history clean.

“The root cause of the vulnerability was a failure to properly check incoming form parameters, a problem known as the mass-assignment vulnerability,” GitHub co-founder Tom Preston-Werner wrote in a blog post.
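As an added illustration (not GitHub’s or Rails’ own code), the plain-Ruby model below reproduces the mass-assignment defect Preston-Werner describes next to its whitelist fix; the model and field names (PublicKey, user_id, title, key) and the sample form are constructed assumptions.

```ruby
# Added example (not GitHub's or Rails' code): a plain-Ruby model of the
# mass-assignment defect behind the public key form, and the whitelist fix.
# Model and field names are assumptions for illustration.
class PublicKey
  attr_accessor :id, :user_id, :title, :key

  # Fields the public key form is allowed to edit; user_id is not among them.
  ALLOWED = %w[title key].freeze

  def initialize(id, user_id, title, key)
    @id, @user_id, @title, @key = id, user_id, title, key
  end

  # Vulnerable: every submitted form field becomes a model attribute,
  # including user_id, which the form was never meant to set.
  def update_unchecked(params)
    params.each { |name, value| public_send("#{name}=", value) }
    self
  end

  # Hardened: only whitelisted fields are assigned; anything else is
  # dropped, and the rejected names are returned so the caller can log them.
  def update_permitted(params)
    rejected = params.keys.map(&:to_s) - ALLOWED
    params.each do |name, value|
      public_send("#{name}=", value) if ALLOWED.include?(name.to_s)
    end
    rejected
  end
end

# Constructed sample: key 7 belongs to user 42; the form submission
# smuggles in user_id=1, the id of a project maintainer.
def demo
  form = { "title" => "laptop", "key" => "ssh-rsa AAAA...", "user_id" => 1 }

  vulnerable = PublicKey.new(7, 42, "old", "ssh-rsa OLD").update_unchecked(form)
  hardened   = PublicKey.new(7, 42, "old", "ssh-rsa OLD")
  rejected   = hardened.update_permitted(form)

  { vulnerable_owner: vulnerable.user_id, # 1: key now belongs to the maintainer
    hardened_owner:   hardened.user_id,   # 42: ownership unchanged
    rejected_fields:  rejected }          # ["user_id"]: worth logging
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```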

“Two days ago he responsibly disclosed a security vulnerability to us and we worked with him to fix it in a timely fashion. Today, he found and exploited the public key form update vulnerability without responsible disclosure,” Preston-Werner said, explaining that this had meant Homakov had broken GitHub’s terms and conditions.

GitHub is used by a number of high-profile projects including the Linux kernel. Homakov’s actions exploited a well-known weakness of Ruby on Rails, and questions might be asked as to why GitHub’s administrators did not block such an attack sooner.

Moving forward, GitHub has apologized for making it unclear how white hat hackers should disclose security vulnerabilities and has set up a new help page that clearly explains how to report issues.

About Azam

Azam is a professional blogger, SEO and a web developer. He loves to play with free and open source software and works with it as a part of his hobby.
