GitHub suspends member over 'mass-assignment' hack

A GitHub member was briefly suspended on Sunday after he exploited a vulnerability in the code repository's systems without first telling GitHub he was going to do so.

Egor Homakov's hack caused widespread alarm among developers. According to GitHub, he exploited a vulnerability in the site's public key update form that gave him administrator privileges, letting him commit a file to the Ruby on Rails project. All in all, logs showed Homakov compromised three accounts.

We initiated a full audit of the GitHub codebase to ensure that no other instances of this vulnerability were present.

– Tom Preston-Werner, GitHub

"The root cause of the vulnerability was a failure to properly check incoming form parameters, a problem known as the mass-assignment vulnerability," GitHub co-founder Tom Preston-Werner wrote in a blog post on Sunday. "In parallel to the attack investigation we initiated a full audit of the GitHub codebase to ensure that no other instances of this vulnerability were present."

Preston-Werner then wrote a second post on Sunday, in which he said Homakov's account had been suspended but subsequently reinstated because "no malicious intent was present".

However, Preston-Werner also noted that Homakov had actually opened an issue on the mass-assignment vulnerability three days previously.

"Two days ago he responsibly disclosed a security vulnerability to us and we worked with him to fix it in a timely fashion. Today, he found and exploited the public key form update vulnerability without responsible disclosure," Preston-Werner said, explaining that this had meant Homakov had broken GitHub's terms and conditions.

GitHub hosts software development projects, and is particularly popular with the open-source community as it offers free accounts for such projects. The site's systems are themselves partly based on the Rails framework.

There is little doubt that the vulnerability was serious. As Homakov himself noted on his blog, it gave him access to wipe any post in the Rails project and even "pull/commit/push in any repository on GitHub". He said "lots of Rails apps" were similarly vulnerable.

Coder Chris Acky wrote that even developers not using GitHub should be worried.

"When the large portion of the technical world all depends on a single service, and that service is vulnerable to a variety of attacks, that makes *anyone* who consumes these services also vulnerable," Acky said.

Homakov said he had perpetrated the hack because he was "bored", and because the "guys in Rails issues ignored me". He published a 'how-to' guide to the exploit late on Sunday, explaining that GitHub had told him the vulnerability was fixed.

As for GitHub, the company has now added a page telling users how to responsibly disclose vulnerabilities on the site.