Ethical hacker warned about vulnerability, then used it himself
A frustrated hacker who had identified a security flaw in the collaborative revision management website GitHub seized control of a repository on the site over the weekend after his warnings about the vulnerability were ignored.
Egor Homakov proceeded to submit issues dated 1001 years in the future, signing them as Bender, a robot character from the popular sci-fi cartoon Futurama. The website suspended Homakov’s account, but reinstated it following a public outcry. According to GitHub, the vulnerability has been fixed.
“Egor, stop hacking GH”
Homakov discovered a mass-assignment vulnerability that allowed him to gain administrator rights and the ability to execute actions that are off limits for regular customers, such as committing to master, reopening and closing issues in Issue Tracker, or even wiping the entire history of any GitHub project.
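The mass-assignment pattern described above, reduced to a Rails-free illustration that is an added example and not GitHub's, Rails' or Homakov's code. The User model, its admin flag, the ALLOWED whitelist and the request parameters are all constructed for this example; the hardened variant mirrors the idea behind Rails' attr_accessible / strong parameters rather than reproducing that API.

```ruby
# Added example: a minimal, Rails-free illustration of mass assignment.
# Nothing here is GitHub's or Rails' own code; the User model, the
# `admin` flag and the parameter hashes are constructed for illustration.

# Stand-in for a model whose attributes are populated from a params hash.
class User
  attr_reader :name, :email, :admin

  def initialize
    @name = nil
    @email = nil
    @admin = false   # privileged flag that must never be user-settable
  end

  # Vulnerable pattern: every key in the incoming hash is assigned blindly.
  # A request body is client-controlled, so a key like "admin" flips the
  # privileged flag even though no form ever exposed it.
  def update_unsafe(params)
    params.each do |key, value|
      instance_variable_set("@#{key}", value) if respond_to?(key)
    end
    self
  end

  # Hardened pattern: an explicit whitelist of assignable attributes, the same
  # idea as Rails' attr_accessible / strong parameters. Unknown keys are
  # dropped and returned so that a logging or monitoring layer can flag the
  # attempt (a tampered request is a useful detection signal).
  ALLOWED = %w[name email].freeze

  def update_safe(params)
    rejected = params.keys.map(&:to_s) - ALLOWED
    params.each do |key, value|
      key = key.to_s
      instance_variable_set("@#{key}", value) if ALLOWED.include?(key)
    end
    rejected
  end
end

# Constructed request parameters: a normal profile edit with an extra
# "admin" key that a browser form would not legitimately send.
TAMPERED_PARAMS = { "name" => "bender", "email" => "b@example.invalid", "admin" => true }.freeze

# Returns the admin flag after blind assignment (true: privilege escalation).
def demo_unsafe
  User.new.update_unsafe(TAMPERED_PARAMS).admin
end

# Returns [admin flag, name, rejected keys] after whitelisted assignment.
def demo_safe
  u = User.new
  rejected = u.update_safe(TAMPERED_PARAMS)
  [u.admin, u.name, rejected]
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: admin=#{demo_unsafe}"
  puts "safe:   admin=#{demo_safe[0]}, rejected=#{demo_safe[2].inspect}"
end
```

The whitelist must live in the model or controller, not in the form: the browser-side form only shows which fields are intended, while the server sees whatever a client chooses to send. Returning the rejected keys instead of silently discarding them lets an application log the attempt, which is how this class of tampering becomes visible to a security team.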
He tried several times to notify the site by opening an issue in the Rails repository on GitHub, which, despite patching some of the holes, did not fix the vulnerability. This led Homakov to resort to more extreme tactics to convince the site that the threat was real.
“Since guys in rails issues ignored me and my issue, I got spare time to test it on the first website I had in mind. GitHub. That was pretty funny,” he wrote on his blog. “Firstly, I could write post from 1234 year or 4321. Then, I could make a post pretending I am DHH. That was funny too.”
“Then I could wipe any post in any project. That wasn’t that funny but pretty dangerous. It got more curious. Today I can pull/commit/push in any repository on GitHub. Jack pot,” he added. “I will write big post regards this topic – examples (not only GitHub is vulnerable this way – I found a lot of rails apps that are waiting for my hack! Yeah, it is only start). Stay tuned.”
From Russia with LOVE
GitHub responded by rolling out a fix for the vulnerability and suspending Egor’s account. “Security is our priority and I will be arranging additional external security audits above and beyond our normal schedule to further test our security measures and give you peace of mind,” said a spokesman for GitHub.
Homakov’s suspension caused outrage among the users of the site, most of whom sympathised with the ethical hacker, and blamed GitHub for not responding to his comments in a timely fashion. It was recognised that Homakov did not try to damage the website or any projects and had no malicious intent whatsoever.
He later apologised, writing, “Yes I behaved like a jerk. But why you suspended my account? Oh yea, Terms. But, let’s get it real. It is not the way you were supposed to fix things. I, dammit, LOVE YOU.”
In the end, GitHub reinstated Homakov’s account. More importantly, it added a Responsible Disclosure of Security Vulnerabilities policy to its Terms and Conditions to ensure that a similar episode would not repeat in the future. “Thanks, Homakov. You helped make GitHub better,” says one of the comments on Egor’s blog.