Posted on Mar 5, 2012 in Hacking, Infosec

GitHub hacked, millions of projects at risk

Luckily for us, Egor Homakov disclosed the vulnerability and his attack to GitHub. According to him, anyone with basic hacking know-how could have carried out the same attack on one of the world's largest code repositories and gained administrator access to projects such as Ruby on Rails, Linux and millions of others.
GitHub, launched in 2008, is a web front end built around Linus Torvalds's Git revision control system. It has grown enormously since launch, outpacing competitors such as CodePlex and SourceForge, and it is free for open source projects.
GitHub had never been hacked, until now. GitHub is built on the Ruby on Rails application framework, and Rails applications have for years been prone to what is known as a mass-assignment vulnerability: a model accepts every parameter in a request and writes it to the attribute of the same name, so a client can set fields the form never exposed. Homakov used this to add his public SSH key to the Rails project on GitHub, after which GitHub treated him as an administrator of the project. From there he could effectively do anything, including deleting the entire project from the web; instead he pushed a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole and, after "reviewing his activity", reinstated him.
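To show what a mass-assignment bug looks like in practice, here is an added example in plain Ruby; it is not GitHub's or Rails's own code. It stands in for an ActiveRecord-style model that builds a public-key record from a hash of request parameters: first with every column writable, then with a whitelist in the spirit of Rails 3's attr_accessible. The model, its columns, the user ids and the crafted request are all constructed for the example.

```ruby
# Added example, not GitHub's or Rails's code: a plain-Ruby stand-in for a
# model that is filled from request parameters (mass assignment).
# Column names, user ids and the request below are assumed/constructed.

VICTIM_USER_ID   = 42   # assumed id of the account that owns the target project
ATTACKER_USER_ID = 7    # assumed id of the logged-in attacker

# Constructed form post. The real form only shows "title" and "key";
# "user_id" is an extra field the client adds to the request body.
CRAFTED_PARAMS = {
  "title"   => "my laptop",
  "key"     => "ssh-rsa AAAAB3NzaC1yc2E...attacker",  # truncated, constructed
  "user_id" => VICTIM_USER_ID,
}.freeze

class MassAssignmentError < StandardError; end

# Minimal model: a fixed set of columns and an attributes hash.
class PublicKey
  COLUMNS = %w[title key user_id].freeze
  attr_reader :attributes

  def initialize
    @attributes = {}
  end

  # Unsafe: every column named in params is writable, so a client that
  # sends user_id attaches its key to somebody else's account.
  def assign_all(params)
    params.each do |name, value|
      raise ArgumentError, "unknown attribute #{name}" unless COLUMNS.include?(name)
      @attributes[name] = value
    end
    self
  end

  # Safe: only whitelisted columns may be set from params (the idea behind
  # attr_accessible). Other keys are dropped, or raise when strict, which
  # mirrors a strict mass-assignment sanitizer that fails loudly.
  def assign_accessible(params, accessible, strict: false)
    params.each do |name, value|
      unless accessible.include?(name)
        raise MassAssignmentError, "can't mass-assign protected attribute: #{name}" if strict
        next
      end
      @attributes[name] = value
    end
    self
  end
end

# Controller-style create actions. The bug: the request overrides user_id.
def vulnerable_create(current_user_id, params)
  PublicKey.new.assign_all({ "user_id" => current_user_id }.merge(params)).attributes
end

# The fix: ownership comes from the session, never from the request body.
def hardened_create(current_user_id, params, strict: false)
  record = PublicKey.new.assign_accessible(params, %w[title key], strict: strict)
  record.attributes["user_id"] = current_user_id
  record.attributes
end

if $PROGRAM_NAME == __FILE__
  puts vulnerable_create(ATTACKER_USER_ID, CRAFTED_PARAMS)["user_id"]  # 42: key lands on the victim
  puts hardened_create(ATTACKER_USER_ID, CRAFTED_PARAMS)["user_id"]    # 7: key stays with the attacker
end
```

The whitelist alone is not the whole fix: even with a whitelist, a controller that trusts a foreign key from the request remains exploitable, which is why the hardened action sets user_id from the authenticated session after assignment. The strict mode is worth enabling in development and tests so that a forgotten whitelist shows up as an error rather than a silent drop.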

Ruby experts such as Michael Hartl and Eric Chapwekse have been writing about, and warning of, the mass-assignment vulnerability since 2008, the year GitHub launched. It is quite possible that Egor Homakov was not the first person to exploit GitHub in this way, and that someone who got there first quietly modified the code of projects for their own benefit.

GitHub has apologized for not making clear how white-hat hackers should disclose security vulnerabilities, and has set up a new help page that spells out how to report issues.

Homakov's personal blog has received a great deal of traffic since the disclosure and the attack on GitHub.
Follow the link below to see it for yourself.


Indiandragon, although a developer, hacker and researcher by profession, also writes on movies, sports and entertainment in News@Indiandragon. He specialises in technology, defence and information security.