Posts Tagged ‘internet security’

I know this is slightly old news, but I still wanted to talk briefly about it.  Near the beginning of March, GitHub users received this message via email.

A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.

While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.

. . .

Until you have approved your SSH keys, you will be unable to clone/pull/push your repositories over SSH.

. . .

Sincerely, The GitHub Team

The following is a rough sequence of events that led up to the official notification of the users.  All times are in PST.

March 1, 3:14 AM: Homakov opens Rails issue 5228 for the mass assignment vulnerability. [source]
March 2, 6:10 AM: Homakov tests the vulnerability by opening an issue “from the future”. [source]
(Image: Homakov's Future Issue)
March 2, 10:07 AM: Issue 5228 is closed. [source]
March 3, 3:19 PM: Issue 5228 is deemed not a Rails issue. [source]
(Image: fxn's Comment)
March 4, 8:49 AM: Homakov fully demonstrates the vulnerability by committing to the Rails master branch. [source]
(Image: Homakov's Commit)
March 4: GitHub suspends Homakov’s account. [source]
March 4, 9:53 AM: GitHub fixes the vulnerability on their site. [source]
March 4, 12:31 PM: GitHub posts an entry on their blog informing the public of the exploit. [source]
March 4, 1:56 PM: Homakov describes the procedure for the exploit on his blog. [source]
March 4, 4:20 PM: GitHub posts another blog entry detailing Homakov’s reinstatement, as well as amendments to their security policy. [source]
March 4, 4:22 PM: Homakov’s account is reinstated. [source]
March 7, 10:22 AM: GitHub sends out an email informing all users that their public keys have been frozen and will be unusable until manually approved. [source: email]

This is a classic case of a hacker disclosing a vulnerability by exploiting it.  Opinions often vary as to whether or not this is an appropriate method of disclosure.  Both the intentions of the parties involved and the severity of the exploit have to be weighed.  In this case, many argued that Homakov tried to report the issue but was brushed off, leaving him with no other way to call attention to the vulnerability.  Others argued that he was trying to inform the wrong people, or that he simply should have refrained from exploiting the security hole himself.  In any event, the damage (if it can be called damage) was extremely minimal considering what a malicious attack could have produced.

As stated in GitHub’s blog post, the final verdict was “no malicious intent”, and Homakov ultimately had his account restored.  After reading through loads of comments, the general attitude of GitHubbers seems to be one of praise rather than condemnation, but as a question of ethics it is certainly arguable.

When, if ever, is it okay for hackers to act on a vulnerability in order to demonstrate flaws?


Automattic needs to draw more attention to the secure login page on WordPress.com.  It exists, so why not direct users to it? There are support pages on configuring your dashboard to run through HTTPS, which is fine, but as long as the login process remains unencrypted, some information is still left exposed.

(Image: ADSL router with Wi-Fi (802.11 b/g))
If a user blogs through an unsecured Wi-Fi hotspot (as many travelling bloggers might do), all it takes is someone sniffing while the user logs in for his or her account to be potentially compromised.

Many popular online services offer links to their secure login pages right from their home pages.  Some email services, such as Gmail and Hotmail, have even defaulted to HTTPS.

Until Automattic provides a link to make the secure login page more obvious to users, you can navigate to https://wordpress.com/.  And don’t forget to update your bookmarks.

On a related note, Twitter seems to be in the same boat.  You can navigate to https://twitter.com/ to get their secure login.

Image: Asim18 via Wikimedia Commons under GFDL
