wow how come I commit in master? O_o

commit b83965785db1eec019edf1fc272b1aa393e6dc57 1 parent 4d391a4
@homakov homakov authored
Showing with 3 additions and 0 deletions.
  1. +3 −0  hacked
3  hacked
@@ -0,0 +1,3 @@
+another showcase of rails apps vunlerability.
@jsauve
jsauve added a note

He can hack...but can he spell?

@AlekSi
AlekSi added a note

I guess you should do the same in Russian then. ;)

@jsauve
jsauve added a note

Voice of inflection, my humor is not very well translated into Russian ;)

Indeed, not very.

Yeah, dude, you've got some problems with Russian :)

+Github pwned. again :(
+will you pay me for security audit?
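Review bot: the only change in this hunk is a three-line plain-text file called `hacked` dropped into the repository root; it does not belong in the Rails tree and should be reverted. The commit message ("how come I commit in master?") says the author had no business pushing to master at all, so the fix that matters is on the access-control side (revoke the unauthorized write access and check what else it could reach), not a code change. Minor: "vunlerability" is misspelled.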

257 comments on commit b839657

@ahawkins

o_0

@Phantoms

Whoa!

@tadast

Since you can commit to master, you could just fix the vulnerability :)
Also, Rails is open source - you get it for free, why not make it better for free as well?

@atambo

relevant: #5228

@brookemckim

Not sure if this is the best way to prove your point :rage:

@homakov

@brookemckim sorry if it looks stupid. :(

@tadast I was going to! But I'm not done yet :trollface:

@warmwaffles

Nice find, thanks for pointing this out. Need to be more cautious about XSS and mass-assignment

@brookemckim would you have listened if he didn't?

@rmoriz

If everyone is doing it wrong, there is enough reason to fix it through more restrictive defaults. imho.

@slbug

If everyone is doing it wrong, it's just a reason to read documentation.

@ileitch

You don't get better trolling than this.

@jacortinas

I doubt that Github failed at "reading the documentation". If Rails is so serious about providing the best tool to developers and its conventions being the best practice, then it's important that the framework establish a convention of more strict security by default.

@Rydgel

Nice catch haha!

@aarontaylor

Good catch and let's hope this gets addressed.

@holman

We've patched and fixed this on GitHub.

@jacortinas

:+1: @holman.

but who knows how many apps have this issue and don't even realize it. :(

@bai

Love you @holman

@goncalossilva

@holman Has this been fixed in Rails upstream? If not, did you guys send a pull request?

@filipeamoreira

@holman Pretty fast response for a Sunday morning. Do you mind sharing some details of the patch? Was it Rails related?

@ileitch

@filipeamoreira Probably just missing attr_accessible, see: #5228

@slbug

@filipeamoreira, hands related :)

@jacortinas

This is not something that's really "patchable", it's an issue with misinformation. If we all went with the most restrictive settings for mass assignment, then the issue would go away. The problem is that it's not set to the most strict by default, nor is it as strongly urged (in documentation for example) as it could be. With so many new programmers and novices using Rails, it makes sense to be a little bit more novice-proof and security conscious by default, and make the model generators and default model require you to whitelist accessible attributes.

@warmwaffles

I would like to see all the attributes thrown into attr_protected by default and I will manually specify attr_accessible on each of my models. Makes me happier this way.

@scomma

@jacortinas how long before we have magic quotes then? :)

@jacortinas

@scomma I understand the concern, I don't want that kind of all-encompassing mess either. :\

Django avoids things like this by establishing the idea of form classes, which is honestly a great way of doing things. What is submitted in forms may not, and should not be exactly what goes into your models. @wycats' gist for a fix https://gist.github.com/1974187 is an idea that's very similar. Input handling is not really the responsibility of the model, but of the gateway class that accepts the input.

@monokrome

One more reason to not use rails. I'll add it to my huge list.

@lucianosousa

@monokrome show me a perfect framework/language

@chjj

I was wondering when this would descend into memes.

@Demeter

When did we get emoticons and gif embedding? This feels like tumblr. (I want the emoticons... please?)

@ddevaal

zomg~!

@chrisrhoden

Can anyone point me to a widely used framework which does not have this issue?

If the mass-assignment problem doesn't exist, it's because there is no mass-assignment, and that's not a framework I am particularly interested in using.

@Swoony3

Have you read your SICP today?

@Tie-fighter

Why did you terminate @homakov account? -_-
He benevolently pointed out a vulnerability. Way to piss people off who are trying to be your friends...

@chrisrhoden

@Tie-fighter what evidence do you have that his account was terminated?

@rmoriz

@chrisrhoden imho it's not about the framework. It's about the handling of an issue. Every framework, language, app has bugs. One of the strengths of a project/community is to deal with it. Before smuggling a commit into the rails repo, homakov opened an issue but that was imho harshly closed with a "not our problem" reply ignoring the underlying problem.

That's probably the reason why he tried to get more attention on this issue, which was very successful with this commit...

Now it's time to go back to something productive and deliver concepts and code.
For example @wycats proposal at https://gist.github.com/1974187

@mtkd

@chrisrhoden mass assignment doesn't need to be removed - the issue is that it's the default - and it's so easy to not lockdown a resource that Github managed to miss it.

If they're going to miss it then you can bet there are 1000s apps out there that are open.

@homakov's additional point that created_at should not be writeable is valid too (certainly in production).

@Tie-fighter

@chrisrhoden He told me so...
@DouweM But he did not mean to harm anybody, such things can happen by accident...

@DouweM

@Tie-fighter He had to type this commit and those posts, didn't he? Unless he was sleepcoding, there's no way this was an accident. And even if it was, it doesn't matter; he still did it. I would expect nothing less of GitHub than to ban him. He should just have tested this with repos of his own, and after finding the vulnerabilities he should have submitted a proper bug report to GitHub.

@rmoriz

@DouweM sure. And the next one who finds a security exploit and gets ignored will sell the exploit straight to the bad guys... do you prefer that?

@DouweM

@rmoriz He was ignored by the Rails core team when he reported on attributes not being protected by default. I don't believe he has said anything about the GitHub team ignoring his bug reports, if there were any at all.

And you're viewing this awfully black-and-white, as if the only two options are "act on found vulnerabilities" and "sell exploits to the bad guys."

@bashcoder

He's been trying to get people to take this issue seriously for several days now, with "opinionated-software" coders calling him a troll. Good for him for harmlessly driving his point home and hopefully changing some opinions about rails defaults.

@vanhalt

@DouweM don't be that rude. The post he deleted was while he was testing... he just showed us what can be done in github. Just showed us the vulnerabilities. He could have done anything worse...

@Tie-fighter

@DouweM: "DAMN. dude, sorry for wiping your post :( Sorry, I was 99 percent sure github at least checks for owner... but He doesnt :("
Wow, sounds like a very bad person to me too...

So instead of saying "Thank you for helping us improve" you teach him to keep his mouth shut when he finds a vulnerability (so it does not get fixed and others can exploit it in harmful ways).
Good idea? Think about it...

@DouweM

@bashcoder I am definitely for changing the defaults as far as protected attributes is concerned, but he didn't have to act on those found vulnerabilities.

@vanhalt @Tie-fighter Well, I'm just saying he should have tested it on comments of his own, for example. He didn't need to do so on some innocent guy's posts.

@Tie-fighter I'm not saying he should keep his mouth shut, I'm saying he should report this to GitHub, and only make it public after it had been fixed, so no-one else could exploit it. I'm pretty sure that's common practice, when big vulnerabilities in widely used software are found.

@monokrome

@lucianosousa Who cares about a perfect one? How about one that works without arguing with it all day? :D

@mtkd

If his account has been deleted after failing to get someone to listen to the issue for 3 days - and then safely demonstrating the exploit in the open:

1) That's an outrage

2) It does nothing to encourage people to report issues in a constructive way and everything to encourage people to use exploits maliciously

@vanhalt

He did the commit 3 hours ago... and got fixed 2 hours ago ¬¬ come on!

@Tie-fighter

I know this is not my website, my project, my problem... but I think you should reward him instead of punishing him.

If it were though, I would even send him some money for doing the right thing (that is: not trying to sell the vulnerability for 10x the money he could make on a black market)

@sikachu
Collaborator

@rmoriz I don't think everyone prefers that, but I don't think he had done a right thing as well.

  • For Ruby on Rails, if there's a security bug he should do according to this: http://rubyonrails.org/security
  • For GitHub, I believe the best way to do it is to create a repository and reproduce the problem in isolation, then report a bug using the "Contact and Support" section, not just publicly running around and performing the stuff that @DouweM mentioned.

Me, for one, if I found a vulnerability or insecure part I would be sending a report to that site's owner. Just trying to reproduce a bug to get publicity is just like being a jackass and childish. Then, after the bug was fixed, I think he can raise awareness by creating a blog post and telling people that they should whitelist their attributes. That is the smart way to handle it.

@DouweM

I'll agree that he probably shouldn't have been banned just like that, my saying that I expected nothing less of GitHub was a bit of a knee-jerk reaction.

Of course what he did, namely act on the found vulnerabilities in the open, is to be preferred over selling it to "bad guys," and while I applaud him for that, he should just have let GitHub know about it first, and there's currently no reason to believe he did so. He was ignored by the Rails core team, not by GitHub as far as we know! The Rails core team should definitely have listened to his concerns, but it's not like he told them of the vulnerabilities uncovered today and they ignored that.

@DouweM

@sikachu It looks like we're on the same page here.

@sikachu
Collaborator

... and I believe doing those exploits publicly before telling GitHub is violating section A.8 of the ToS, am I right?

You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws).

I believe he's unauthorized to post as DHH. I believe he's unauthorized to commit to a repository he doesn't have access to.

@vanhalt

@sikachu that's YOUR smart way to handle it...

@Tie-fighter

@sikachu Well then they should change their ToS.
P.S.: And start a reward program for reporting serious issues.

@DouweM

@Tie-fighter That's the thing: he should have reported, not exploited. What if everyone at GitHub had had a day off today? GitHub would be open to be exploited by anyone. He would've been able to get his point across just as well, were he to post a blogpost on this tomorrow, after the vulnerabilities had been fixed.

@Tie-fighter

@DouweM: He did not exploit it. How come? Do you know how he did it? Can you reproduce it?

@DouweM

@Tie-fighter How is deleting posts, posting as other people and committing into repos you're not allowed in not exploiting vulnerabilities? Sure, he didn't do any real harm (except to the deleted post), but IMO the right course of action would have been to report this stuff to GitHub, and only announce it to the public after GitHub had had time to fix it. I can't think of a single way in which what he did was a "better" thing to do.

And you're asking if/how I know how he did it? Read through his last couple of posts, it's pretty clear he's exploiting models where GitHub forgot to protect attributes for mass-assignment by defining attr_accessible/attr_protected. And no, I can't reproduce it as GitHub fixed it pretty quickly after the commit we're now commenting on was pushed.

@abuddy

It is really disappointing that here goes discussion about his personality and some even try to judge him instead of focusing on the problem he showed.

@Tie-fighter

@DouweM I would consider that a proof of concept.
Ah, but didn't he post an issue for that?

@abuddy full ack!

I, for one, am very disappointed by github and consider canceling my subscription :(
P.S.: And if I do so, I will send him 1 year worth of subscription fees.

@DouweM

@abuddy I think that's because most people realize it's a stupid oversight on GitHub's part, but also one that's understandable to some extent, seeing as it's made way too easy by Rails to just define models (via a generator for example) and have the models be completely open for mass-assignment. GitHub fixed it, Rails's attribute protection defaults should be reevaluated and... anything to add?

Yes, I'm disappointed that GitHub made such an obvious mistake, but I'm more concerned over all the other sites that have this vulnerability, caused in the first place by Rails defaults, not stupid developers.

@Tie-fighter He posted an issue about Rails mass-assignment attribute protection defaults, which they ignored/dismissed, which they shouldn't have. The first thing he did when he found vulnerabilities in GitHub, on the other hand, seems to have been exploit them, not report them.

@Tie-fighter

@DouweM He did not exploit anything. Please realize that.

@DouweM

@Tie-fighter Could you explain what you mean by that? In my understanding, exploiting is making use of found vulnerabilities. That's what he did.

@joshbuddy

@DouweM Aren't you glad though, at some level, that the issue was exploited in such a public way as to get everyone's attention? In terms of getting the message out there and inflicting a sense of urgency, I can't really imagine a better scenario than this. The cat was already out of the bag as the bug was reported days ago. But now people will have to take it seriously.

@Tie-fighter

@DouweM I think exploiting is (in this context) when you use a vulnerability to ("to" as in "on purpose, not by accident or carelessness") achieve a personal gain or inflict a loss on somebody else. I consider what he did is a proof-of-concept, he demonstrated the vulnerability (doing so without using the exploit is impossible (and doing so does not constitute malevolence)).

@DouweM

@joshbuddy Yes, he definitely got a lot of attention for the problem this way, and that's absolutely a good thing: more people should know about vulnerabilities caused by Rails mass-assignment attribute protection defaults, and people should definitely know a site the size of GitHub had such big and obvious vulnerabilities.

I just think it was a bit of an assholeish/childish move to do it like this. In the end I prefer it happening this way to it not being seen by the public and it being covered up by GitHub or whatever, so I guess ultimately I am glad this is how everything turned out, but I don't like that @homakov did it like this. I'm aware I'm not doing a very good job at making myself clear.

@DouweM

@Tie-fighter In my opinion it would have been a proof-of-concept had he done it with repos of his own and comments of his own. The moment he started affecting other people (the user that posted the comment he deleted, the user who he posted as (@dhh) and the admins and other users of the repo he hijacked) it became exploitation. The user, @dhh, the Rails core team and all the people who care about the rails/rails repository are innocent in GitHub's forgetting to protect its attributes.

@joshbuddy

@DouweM I'm not gonna force you to try to express yourself too clearly. It's obviously a pretty murky issue, so, hard to come to a clear point on it. In my mind, there are a lot of Rails sites out there, I mean, lots. Someone's gotta wake em up.

@Tie-fighter

So what are you going to do Github?

@DouweM

@joshbuddy Which is why I'm happy it happened this way, but I cannot agree with @homakov's actions, even though I do see the merit in the outcome.

@MechanisM

In #5228 he told about vulnerabilities but no one fixed it. so he wanted more attention on this problem.

@Tie-fighter

@DouweM But if it were his own repositories and posts he would be allowed to delete and commit...
And if he created a second account he would have probably violated the ToS as well and somebody would hang him for that...
dafuq dude :(

bbl...

@DouweM

@Tie-fighter I'm not so much concerned over violating the ToS, I'm concerned over all the innocent people that got hurt, albeit ever so slightly :p I think he should just have created a second account and tested everything that way. I'm sure they would've forgiven him for creating a second account had he just reported his findings afterward.

@MechanisM Ah you're right, he did show 2 days ago that he had found at least one vulnerability. There's no indication he told GitHub about it though, he was trying to get the attention of the Rails core team to change the default for mass-assignment attribute protection, which I definitely agree with.

@anfurny

What would seem to be going on here, is that he was banned because github feels humiliated about what happened here (see how popular this is on Y combinator's hacker news?), and is reacting emotionally or trying to save face at the expense of the truth.

It's nearly impossible to argue that what homakov did was more harm than good for the developer community. This looks like a cut and dry political move by GitHub of vilifying somebody who has demonstrated your weakness in a way to downplay your own responsibility.

I think what happened here is even preferable to it going through the reported channels, and silently being fixed, without attention being drawn to the larger issue here (i.e. rails security). Good for you, homakov, don't let anybody take out their defensiveness over their coding incompetence on you.

@tekknolagi

I congratulate @homakov for finding this vulnerability, and @bashcoder for taking him seriously. I also think, however, that it was right to terminate his account. He violated GitHub's ToS. While he was trying to help GitHub with their vulnerability, it is nearly never a good idea to screw with the application in the process.

EDIT: His comment ("DAMN. dude, sorry for wiping your post :( Sorry, I was 99 percent sure github at least checks for owner... but He doesnt :( What a bug-day") clearly indicates his non-malicious behavior. It's more like reaching out and seeing what he can do than wrecking the site. Go easy on the man.

@DouweM

@tekknolagi I agree with everything you said there.

@tekknolagi

Can he please have his account back, @holman ?

@totseans

I didn't see a Goatse on Github, I want my money back. If you're going to exploit or at least prove a point, Goatse is the way to go.

@tekknolagi

@totseans That's just gross.

@DouweM

@tekknolagi I'm not sure how that would look to people who haven't followed everything @homakov has said and done these last couple days, like we have since all this happened. He broke into the Rails repository and was not even suspended?!

@pauldacus

Back to real life: If your rails app is cracked, your customer WILL NOT ask the cracker for consulting or a vCard, they will call you and blame You. This guy did nothing wrong, he raised a red flag, got called a troll for his troubles, then demonstrated the problem, and is now getting beat up. He could have done so much worse...

@tekknolagi

@DouweM I've done my fair share of nefarious deeds, and was not punished solely for the fact that I overall increased the security. I'm a white hat. He's... grey, since it's kind of undetermined, but he's not fucking anyone over.

@totseans

@tekknolagi Not really, depends on which side you're from. It would be funny and shocking.

@tekknolagi

@totseans I'm getting the impression that @homakov isn't that sort of person.

@bcoe

Egor's Octocat Tattoo
"I survived the githubpocolypse of 2012"

@tadast

Yes, it was impolite and unnecessary from @homakov. But he's a young, 19 years old guy. Don't kill his enthusiasm by punishing him too hard :)

On the other hand I also understand how GitHub got pissed when a 19 year old messed around with their multimillion-user service by editing HTML in WebInspector... :trollface:

@tekknolagi

@Tadast :+1: and I feel like that's all I'm doing on this thread. Agreeing with people... o.O

Zach, have a heart :)

@DouweM

@tadast I completely agree!

@Tie-fighter

To clarify: The guy with the github tattoo is @homakov ...
How awesome is that!?! :)

@tekknolagi

Hello,

Just having an email conversation with @homakov, and here's what he responded:

"I was very curious about that bug. Just mad. I tested sites and most of them got kind of that vulnerability. I was mad that people ignore that bug and started checking github just adding inputs to forms. It worked. I couldn't just stop but anyways I WROTE to support right after finding my first vulnerability. Github was silent."

Does he seem malicious? No. Black hat in any way? No.

He just wants it fixed now.

Max

@savetheinternet

@homakov is an impatient little fuck who needs to be put to death.

@DouweM

@tekknolagi Well, in that case: @homakov If you're reading this, I'm sorry for and take back the harsh things I said about you, I was too quick to judge and I applaud your efforts to get attention for this big issue!

@tekknolagi

@larzconwell Yes, the trollfaces were a tad childish, but if committing to Rails got attention, then it was worth it.

@tekknolagi

@tanepiper Not necessarily hire, but definitely contract him as a white hat.

@tekknolagi

@homa-kov will be posting, and that is the man himself. Verified.

@totseans

I still would prefer seeing a Goatse tattoo.

@vitalvas

Holy crap O_O

@homa-kov

sup /github/

@homa-kov

@Lockal your picture made my mood +100 thanks

So, what's up? I am jerk and bastard, is it your conclusion? :)

@tekknolagi

Are GitHub users really this juvenile? GitHub administrators? Guys, please act like the adults you are.

@homa-kov

@tadast hilarious :) smart humor +1

@rainyday

The github admins should be mad at their engineers for not fixing a massive security hole in their site, not the guy who called attention to it in a non-damaging way when his bug report was ignored. The approach to handling this that github employees have used is not only counter productive, its unbelievably childish.

@aDevilInMe

IMHO Github is not really coming out of this very well.

@sysprv

If github wasn't immune to this issue, is it realistic to expect other rails deployments to be savvy about this kind of thing?

@ixti

@rainyday +1

He could have done really bad things without making "any noise". Instead he just raised the alarm about the REAL BIG SECURITY problem in a really kind way IMHO.

@fornex

anyway, whats the point of suspending @homakov?

@bashcoder

@sysprv - exactly - this completely debunks the arguments made against @homakov over the past few days. The 'newbie' argument falls flat when an elite group of coders can so easily fall prey to this issue. Meanwhile, rails takes credit for handling cross-site-scripting, sql injection and other "newbie mistakes."

No matter what anybody says, this is a "call-the-neighbors-and-wake-the-kids" kind of issue. It will be interesting to see how many gems get updated this week.

@rainyday

@sysprv It's absolutely not. One of the reasons people use frameworks in the first place is because this type of thing is supposed to be done for you minimizing the chance of human error. Github COULD have found this on their own but I don't think they are the ones to blame here. The problem is how they responded. Most software has bugs, what matters is how you respond to them and the Rails team and github have done pretty much everything wrong on that front.

@konklone

Is he actually suspended? His account looks up to me.

https://github.com/homakov
https://github.com/homakov/T-For-Translate

@tekknolagi

@klondike He just can't log in.

@konklone

I'll just add a couple of points, in case this is still relevant:-

  • Regardless of whether you think Rails should handle this differently, this is not a "0 day attack" or an exploit of a "Rails security hole". The mechanism to secure Github is there without any code changes to Rails, which is how Github could fix it within minutes. Exploiting a vulnerability and violating a site's TOS, at least as far as keeping one's account privileges, is a really serious action that requires serious justification. If this were actual 0day, it might plausibly be defensible, depending on the circumstances.

  • Rails has chosen a pattern which makes it more likely that even a foundational Rails site built by some of the most experienced Rails developers in the world is susceptible to unauthorized data entry. This is an obvious problem, and it reflects poorly on the Rails development team that they wouldn't take it seriously up until now. It's hard to get away from the feeling that as experienced Rails devs themselves, they simply could not empathize with the broader Rails community and chose to blame any vulnerabilities on the incompetence of individual developers.

There is a problem here, but vilifying the Rails framework as having an 0day flaw, or heroizing @homakov for sticking it to the Rails team, are both wrong. It's not black and white, and all we can do is take the conversation to the Rails core team to figure out where to go from here. @wycats is trying to start that process now.

How Github deals with @homakov's account is entirely up to them, and they're well within their rights to terminate his account.

@kevinpostal

+1 Django

@maxmackie

I wouldn't have asked for money off the bat like he did. But I don't see anything wrong with his approach. He probably saved Github from some serious issues down the road (someone would have figured this out).

@Mithgol

@tanepiper

@github should hire @homakov

If I were @homakov, I'd decline. The only GitHub's office is in San Francisco, and I guess he'd remember the United States v. ElcomSoft and Sklyarov case. And the fact that Robert S. Mueller is currently Director of the FBI.

Right now any IRL step on U. S. soil probably means @homakov jailed. He probably should also avoid proximity to U. S. vessels, diplomatic missions and other more or less extraterritorial objects within his home city.

@tomash

if i were github, i'd send this guy truckloads of flowers, booze and money for saving their asses. if @homakov sold that exploit on a blackhat market, github -- and its paying customers -- would be in some really deep shit, maybe even on the brink of bankruptcy (imagine all the lawsuits for private code theft). so, this man is a hero and should be treated like one.

now's the time to get some sleep in my timezone, but i expect the upcoming monday to be pretty shitty for many maintainers of rails apps that also sport a similar security hole. i'll start the day with checking my own apps for this, actually.

@totseans

So.. I still don't see Goatse. Anyway, I guess at this point everyone should be A) backing up their code B) protecting it C) nailing Github ass D) Helping @homakov out.

@rainyday

@klondike Of course Github has the right to ban @homakov, claiming otherwise would be absurd. Banning white-hat hackers sends the message that you're more concerned with saving face than actually fixing things and a company whose entire userbase is made up of developers should know better.

@pauldacus

NEWSFLASH: @homakov found to be github "plant" so free users upgrade to paid plans! Details @ 11! :-)

@bashcoder

haha - yeah, well, this paid plan customer just typed this command: git clone git://github.com/sitaramc/gitolite.git

@pauldacus

Jose Valim quits and the neighborhood goes to hell. :smile:

@dreamfall

@ElDeveloper adding fields to a form in Firebug doesn't make him a cool specialist.

@mohnish

Github is so much fun today! Epic commit btw!

@dhommel

All in favor of Egor. Thanks for pushing github to be a better platform.

@dhommel

And btw lol @ all the meme stuff... Waiting for some Bear Grylls...

@torao

funny

@homakov

Freedom! Next time my tattoo is gonna be real! :3

and

sorry

@dhommel

lol.... Egor++

@zhuzhuor

@homakov congrats for your freedom!!

@mohnish

@homakov you got your account back. Github +1.

@jberger

@tomash, agree 100%. Can you imagine what he would have gotten from the black market!?!?! If someone walked up to you and said: you can have $1M and no one will know, or you can make a couple jokes and then hellfire and brimstone will rain down on you for making the right choice, what would any of you have done?

@Apelsin

I agree with gitmonster. I'm glad this got resolved as quickly as it did.

@earlcochran

@KenanY that had me laughing like a fool out loud. Nice

@rmoriz

Glad this issue is now resolved. Back to work!

@totseans

Oh well, back to work.

@jberger

Welcome back @homakov. FWIW you got your message across. Not sure you could have done it any other way. Take this as a lesson all you devs, take all your bug reports seriously.

@jjmaestro

@gitmonster +infinities and also @DouweM and @tekknolagi

Most comments are completely childish. I've been on both sides of the equation and believe me, mature people deal with this in a much cleaner way. Lots of people find vulnerabilities bigger than this EVERY day. You just don't hear about them because they are quiet and respect the rules of engagement in Security: report and wait ENOUGH time (not just hit a huge website with a huge bug and expect it to be fixed immediately! Which they did, BTW, huge kudos to Github for their amazing response...)

Having read a lot on this issue, I'm certain @homakov tried to do The Right Thing (TM) and he just messed up due to inexperience and the kind of light-minded attitude that we all have had when we were young. I'm also sure he has learned a big lesson today and all his 0day vulnerabilities will be properly reported from now on instead of breaking hell loose on a Sunday evening.

Thanks @homakov, the Github team and everybody involved in the fixes!

@jjmaestro

And now people, LEARN how a good company behaves during such tough times. Please, read the official story of what happened:
https://github.com/blog/1069-responsible-disclosure-policy

@m3nd3s

I really enjoyed reading this comments, I love open source projects \o/

@rainyday

Well, I take back what I said, Github seems to be handling this admirably. At least in the end.

@cordoval

@homakov is symbol of freedom! Thank you! @php_peru is with you!

@Miserlou

No harm no foul, I suppose. Real hacking is always playful!

Fascinating to watch the evolution of this bug (if you look at the tickets, and the tickets which that ticket references): Rails' aim to be easy for beginners has become a stumbling point even for the most advanced experts.

+1 for the hack, +1 for GitHub for being so sensible about this. (+1 when Rails changes the default?)

@chkn

-1 for GitHub's lack of humility about all this. I sincerely hope they are doing a little more for @homakov than just giving him back what he had before. He really did them a big favor.

@coderjonny

lol wow

@KenanY

@rmoriz Oh gosh that caught me by surprise.

@banacorn

well done

@rafaelp

A solution to a more obscure problem related to the "vulnerability" of mass assignment:
https://gist.github.com/1976687

@emwalker

After reading through the bug history, I'm glad @homakov persisted. People simply weren't taking him seriously. It looks pretty bad in retrospect.

@Apelsin

Off topic: how can I disable all types of notifications coming from this commit? I have done so for email notifications for this commit, but I would also like to stop receiving tons of notifications via GitHub's interface. Anyone know how? Thanks.

@jacortinas

@Apelsin right below the comment box at the end of this commit, there is a link to disable email notifications for this commit.

@i3zhe

Actually, this one is hacked by Lei Feng from China.

Mar 5 2012
@sleeptillseven

Shit I'm using @github and @rails right now.
=> Now I have to spend the whole week to move our enterprise code to PHP and CVS.

@RiderSx

Chikey, you did everything right. Russia is proud of you :D

@Apelsin

@jacortinas Please re-read what I wrote. I just said I did that already and what I am asking for is how to disable ALL notifications for THIS commit.
Thanks.

@jacortinas
@hzlzh

Just see the 5th comment in front of this one LOL~~~

@feilaoda

make word better you can.

@harshadura

oops! this is not so nice to hear! :@

@milushov

I write in epic thread

@sleeptillseven

With that, all those "node.js community is so immature" phrases come to my mind. Seems like there are more of these ...

@bmjames

Rails is PHP in disguise?

@madsheep

put this in your initializer and forget all about it:

ActiveRecord::Base.send(:attr_accessible, nil)
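
An added example (not from this thread and not Rails code) of what that initializer changes: a small plain-Ruby stand-in for ActiveRecord mass assignment, with a hypothetical MassAssignable module whose attr_accessible works like the Rails one. A model that never declares attr_accessible accepts every key from the request params; once the base class declares attr_accessible nil, nothing is assignable until a model whitelists it explicitly. The params hash is constructed for the demo.

```ruby
# Added example (hypothetical names): plain-Ruby stand-in for ActiveRecord
# mass assignment, to show the effect of attr_accessible(nil) on the base class.

module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # attr_accessible(:a, :b) whitelists a and b; attr_accessible(nil)
    # yields an empty whitelist, i.e. deny everything by default.
    def attr_accessible(*names)
      @accessible = names.compact.map(&:to_s)
    end

    # nil means "never declared", which here (as in Rails 3.x) allows every setter.
    def accessible_attributes
      return @accessible if instance_variable_defined?(:@accessible)
      if superclass.respond_to?(:accessible_attributes)
        superclass.accessible_attributes
      end
    end
  end

  # Assign params to setters, filtered through the class's whitelist.
  def assign_attributes(attrs)
    allowed = self.class.accessible_attributes
    attrs.each do |key, value|
      key = key.to_s
      next unless respond_to?("#{key}=")
      next unless allowed.nil? || allowed.include?(key)
      send("#{key}=", value)
    end
    self
  end
end

class Record
  include MassAssignable
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false
    assign_attributes(attrs)
  end
end

# Model written without any attr_accessible: every setter is reachable from params.
class OpenUser < Record; end

# Base class with the initializer from the thread applied: deny all unless declared.
class LockedRecord < Record
  attr_accessible nil
end

# Author forgot attr_accessible entirely: still safe because of the base class.
class ForgottenUser < LockedRecord; end

# Explicit whitelist: only name and email come from params.
class GuardedUser < LockedRecord
  attr_accessible :name, :email
end

# Constructed request params: "admin" is not a form field, it was injected by the client.
CONSTRUCTED_PARAMS = {
  "name" => "alice",
  "email" => "alice@example.test",
  "admin" => true
}.freeze

def demo
  {
    open: OpenUser.new(CONSTRUCTED_PARAMS).admin,           # true: escalation
    forgotten: ForgottenUser.new(CONSTRUCTED_PARAMS).admin, # false
    guarded: GuardedUser.new(CONSTRUCTED_PARAMS).admin,     # false
    guarded_name: GuardedUser.new(CONSTRUCTED_PARAMS).name  # "alice"
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point of putting the nil whitelist on the base class is the ForgottenUser case: a model that nobody remembered to protect fails closed instead of open.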
@pwlin

put this in your php.ini and forget all about it:

register_globals = Off

@sleeptillseven

Only CoffeeScript allowed :P

@NoICE

I wonder how many bugs like this are in githubs (and my) code. What about subscriptions for example...

@gugu

there are no kittens in this thread

kitten

@mininaim

Wow, amazing thread! Even if I'm not a Rails developer!

@simoncpu
 _____ _   _ _____    ____    _    __  __ _____ 
|_   _| | | | ____|  / ___|  / \  |  \/  | ____|
  | | | |_| |  _|   | |  _  / _ \ | |\/| |  _|  
  | | |  _  | |___  | |_| |/ ___ \| |  | | |___ 
  |_| |_| |_|_____|  \____/_/   \_\_|  |_|_____|
@darkstalker

lol gg

@wouteroostervld

OMG GitHub has turned into Reddit/2+2...

@lostinplace

upvote

@mattcaldwell

I hereby associate myself with this epic commit thread.

@paulwal

@homakov

Congrats on unbanning yourself!

PS- can you upgrade my account? Thanks!

@rishta

This is not a design problem... of the architecture, but that of the default policy making assignment implicit AND of the user (github) not being security conscious enough. And since github was informed about the status quo it's its sole responsibility for being hacked and they were IN LUCK that it wasn't someone malevolent. Committing to main branch guaranteed speedy alert of the responsible personnel and patch fixing all apps hence.

@MechanisM

@homakov "get account back" - is nice reward. Congrats! :trollface:

@chjohnst

quazy

@taisel

And these meme-centric comments are why some developers can't take github seriously.

@earlcochran

@grantgalitz Exactly. This is a place for coders to get things done. Go back to Reddit and 4chan if you want meme pictures and let the men and women do work.

@taisel

@methoddk If github introduces upvoting for comments I swear a table shall be flipped.

@gfosco

Oh please... get over yourselves.

GitHub is one of the greatest things ever created.

Rails, however... not so much.

@gamaral

@gfosco I can't agree more... stupid Rails. Powered Rails on the other hand, they are pretty awesome, but you do need to get a lot of gold.

@CryptoJones

When you commit in master, the terrorists win!

@oreoshake

use https://github.com/presidentbeef/brakeman, it finds mass assignment vulnerabilities pretty darn well

@mzeena

Bravo!

@koopa

good job mate :)
you did the right thing in my opinion. no harm done but great way to get attention for a critical issue

@tinogomes

@oreoshake awesome tool +1

@pearcec

@Petah what were you thinking?

@kirkbushell

What an interesting discussion. Point of the matter is - the guy pointed out a vulnerability, some people decided it should be ignored (being a security issue that's a pretty big problem), so he made it even more obvious to the entire community and some people are putting him down for it. Absolute joke.

@Ocramius

Wow, now really, how much will it take to have also a register_globals-like functionality? =)
Seriously rails? :|

@rishta

@Ocramius and @others:
register_globals and magic_quotes are deprecated and have been removed in latest versions of PHP, so you don't shine and unless you're being vaguely sarcastic, you show you lack skill.

@Ocramius

@rishta you don't say? :D

@pwlin

@rishta
Your comment lacks a certain level of understanding the joke.
Of course they are deprecated, because PHP - by design - is no more vulnerable to this sort of attacks. That was the whole point.
By not fixing these holes in a default installation, RoR now scores even lower than PHP of 5 years ago.

@jberger

@github, pretty please is there some way to turn off notifications from this thread without turning off all commit comment notifications?

@mishak87

If PHP code is producing errors with register_globals on you are a terrible, terrible programmer. If you are using magic_quotes you are simply stupid.

@warmwaffles

If PHP code is producing errors with register_globals on you are a terrible, terrible programmer. If you are using magic_quotes you are simply stupid.

But I like magic! David Blaine is soo cool

@ixti

@jberger I use Firebug: $('.del a').click() on notification page to get rid of approx 10 messages per hour from this thread :))

@imlcl

wow

@dreamr

Welcome to Rails :) If you aren't using attr_accessible Santa kills 3 kittens for every vulnerable model.

@taisel

</thread>

@Mithgol

@dreamr

Santa kills 3 kittens for every vulnerable model

In this case there was a dead octokitten.

@darth10

holy crap

@kevinpostal

Pagination for the win..

@homakov

@larzconwell
1. There is a 'mark all as read' button on the notifications tab.
2. Why do you think clearing messages should help? I am 100% sure they have a table for participating users and you will be there FOREVER.

@kelliott

Damnit, can't I go one day without having to see Michael Jackson?

@brodock

Epic commit is epic!

@NoICE

Why do I still get notifications about this thread when I unsubscribed a few days ago and according to the bottom of this page they are properly off? :/

@ajukraine

Rails developer: security? Nah, never heard of it!

(Ukrainian)

@Mithgol

@NoICE

Why do I still get notifications about this thread when I unsubscribed a few days ago and according to the bottom of this page they are properly off? :/

Check the «Comments after me on commits» setting in your Notification Center.

@NoICE

@Mithgol thanks!

@jfahrenkrug

Wow, all these animated gifs make me feel like I'm on a 1996 Geocities page.

@Ocramius

@jfahrenkrug that's exactly what they're meant for... We're commenting on 1996's web applications' security issues :D

@RuslanHamidullin

Homakov, you're awesome )

@chucai

Interesting.

@arbing

So much fun!

@odiszapc

Egor Letov live!

@hinagiku

Going viral, leaving my mark = =

@collaroid

Already viral, leaving my mark...

@dandv

What if someone introduced very hard to detect vulnerabilities in popular software packages and libraries by altering commits long ago in the history of the projects?

We'd never know.

What if this has already happened?

@seuros
Collaborator

Git is not centralized; everybody will notice that once he/she tries to push to the repo, since the SHA will not match.
