GitHub, the popular code repository, was hacked yesterday by one of its members who was displeased with the fact that no one took seriously one of the vulnerabilities he identified in Rails.
According to ZDNet, Russian programmer Egor Homakov informed Rails of a mass assignment vulnerability that left most applications exposed to ill-intended hackers, but Rails representatives claimed that the flaw was not in their software.
Since GitHub was partly developed in Ruby on Rails, certain sections of the website were also found to be weak by the soon-to-become hacker.
Homakov disclosed this information to GitHub and they collaborated on addressing the issues. However, two days later, the programmer found that the site’s administrators didn’t patch up all the security holes so he decided to exploit them.
A public key form update vulnerability allowed him to gain administrator rights and perform a lot of actions that are off limits for regular customers.
“That was pretty funny. Firstly, I could write post from 1234 year or 4321. Then, I could make a post pretending i am DHH. That was funny too. Then I could wipe any post in any project. That wasn’t that funny but pretty dangereous,” Homakov wrote on his blog.
GitHub “expunged” the unauthorized public key added by the hacker and addressed the flaw that allowed him to gain access. They also suspended his account for not respecting the site’s terms and conditions.
“Yes I behaved like a jerk. But why you suspended my account? Oh yea, Terms. But, let’s get it real. It is not the way you were supposed to fix things,” the programmer wrote in response.
After receiving numerous complaints regarding the way the incident was handled, GitHub representatives came forward with another statement explaining their actions.
“Three days ago, user @homakov opened an issue on rails/rails about the prevalence of the mass-assignment vulnerability. Two days ago he responsibly disclosed a security vulnerability to us and we worked with him to fix it in a timely fashion. Today, he found and exploited the public key form update vulnerability without responsible disclosure,” read the statement.
As a result of the incident GitHub added a section to its security policy entitled Responsible Disclosure of Security Vulnerabilities. Homakov’s account has been reinstated after it was established that he had “no malicious intent.”