Interesting ruby/rails/github crack

13 views
Skip to first unread message

Andy Bach

unread,
Mar 6, 2012, 11:42:37 AM3/6/12
to mad-r...@googlegroups.com
Over the weekend, developer Egor Homakov exploited a gaping
vulnerability in GitHub that allowed him (or anyone else with basic
hacker know-how) to gain administrator access to projects such as Ruby
on Rails, Linux, and millions of others.

GitHub uses the Ruby on Rails application framework, and Rails has
been weak to what’s known as a mass-assignment vulnerability for years

http://www.extremetech.com/computing/120981-github-hacked-millions-of-projects-at-risk-of-being-modified-or-deleted

--

a

Andy Bach,
afb...@gmail.com
608 658-1890 cell
608 261-5738 wk

Jonathan Broad

unread,
Mar 6, 2012, 12:09:20 PM3/6/12
to mad-r...@googlegroups.com
Imma let you finish, but Rails is the most secure web framework of all
time! ALL TIME! :)

But seriously, this was a Github bug, not a Rails 'vulnerability'.
Rails offers mass assignment as a *feature*, which can be used (or
abused) at the developer's discretion.

Egor got impatient with rails-core folk not agreeing with his POV that
this feature should safer by default (by requiring the developer to
affirmatively whitelist attributes to be mass assigned) and decided to
get creative.

Egor was absolutely, positively wrong to do what he did, and Github
was right to treat him in the immediate aftermath of his
'demonstration' as a threat. However, it was quickly clear that Egor
meant no harm and so he was reinstated (once his improper privileges
were removed). The speed and effectiveness of Github's response was
absolutely extraordinary in my opinion, and greatly increased the
already considerable amount of respect I have for them.

I also think Egor was also basically *right* that the default is too
insecure, so... point made! A 'fix' to the defaults was merged into
Rails by Sunday afternoon. Doesn't justify the means, though--I mean,
that's ethics 101, right?

I just wanted to clear that up because there was a *lot* of FUD
floating around (that article you linked to is OK though). I think
the way Github and the Rails community responded is exactly why Github
is such a great company and Rails is such a strong framework.

Cheers,
Jonathan

--
Jonathan Broad
VP of Application Development
Getty Images, Inc.

> --
> You received this message because you are subscribed to the Google Groups "Mad Railers, the Madison, WI Ruby on Rails Users Group" group.
> To visit the Madison Rails Home page, go to http://madisonrails.com/
> To post to this group, send email to Mad-R...@googlegroups.com
> To unsubscribe from this group, send email to Mad-Railers...@googlegroups.com
> For more options, visit this group at http://groups.google.com/group/Mad-Railers?hl=en

Robert Kaufman

unread,
Mar 6, 2012, 12:15:20 PM3/6/12
to mad-r...@googlegroups.com
I 100% agree with everything Jonathan stated here and feel like he did a wonderful job of stating it.

Best,
Rob

Bradley Grzesiak

unread,
Mar 6, 2012, 12:18:43 PM3/6/12
to mad-r...@googlegroups.com
With the power vested in me by absolutely no one, I hereby award JB 3 internets.

:brad
Bradley Grzesiak
co-founder, bendyworks llc
http://bendyworks.com/

Andy Bach

unread,
Mar 6, 2012, 12:39:46 PM3/6/12
to mad-r...@googlegroups.com
On Tue, Mar 6, 2012 at 11:18 AM, Bradley Grzesiak <br...@bendyworks.com> wrote:
> I hereby award JB 3 internets.

It was interesting to go to the commit and then read the comments
thread - interesting place, that github (the fellow who did the hack
has the Octocat as a tatoo? Or did I miss the sarcasm font?).

As the situation has been talked about since '08 ... there's enough
oops to go around.

Veezus Kreist

unread,
Mar 6, 2012, 12:48:03 PM3/6/12
to mad-r...@googlegroups.com
He said in a tweet that the tattoo was a temporary henna tattoo. I hope so - it's terrible looking. :)

Reply all
Reply to author
Forward
0 new messages