The Inquirer

Github suffers a Ruby on Rails public key vulnerability

The key to failure
Mon Mar 05 2012, 13:56

CODE REPOSITORY Github has succumbed to a public key vulnerability in Ruby on Rails that allowed a user to gain administrator access to the popular Rails repository.

Github is the web-based front-end built around Linus Torvalds' Git revision control system. Its extensive social networking features, combined with the Git revisioning system, have made Github extremely popular, yet Egor Homakov, a Russian security researcher, managed to exploit a Ruby on Rails security vulnerability to get administrator access to a project.

Homakov's actions were relatively simple: he merely uploaded his public key to the repository so that Git treated him as an approved administrator of that project. This would not only entitle Homakov to commit files, but would also have let him effectively wipe the entire project and its history clean.
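The "public key" weakness the article refers to is Rails' mass assignment behaviour (a name the article itself does not use): a submitted form was allowed to set any attribute of a record, including ones the user should never control, such as which account owns a key. The Ruby below is an added illustration and is not code from the article, from Github or from Rails; the class name, the field names and the request hash are all constructed for the example. It shows the unchecked assignment pattern beside an allow-list version of the kind Rails' `attr_accessible` and later strong parameters provide, and reports the rejected fields so they can be logged as a tampering signal.

```ruby
# Added illustration, not code from Github, Rails or the article: a plain
# Ruby model of the mass assignment pattern behind the 2012 incident.
class PublicKey
  attr_accessor :title, :key, :user_id

  def initialize(user_id)
    @user_id = user_id   # set server-side from the logged-in session
    @title = nil
    @key = nil
  end
end

# Vulnerable pattern: every request parameter becomes an attribute write,
# so a client-supplied "user_id" silently re-owns the record.
def assign_all(record, params)
  params.each do |name, value|
    record.public_send("#{name}=", value) if record.respond_to?("#{name}=")
  end
  record
end

# Hardened pattern: an explicit allow-list of client-settable fields.
# Anything outside it is refused and returned so the caller can log it.
PERMITTED_KEY_FIELDS = %w[title key].freeze

def assign_permitted(record, params, permitted = PERMITTED_KEY_FIELDS)
  rejected = []
  params.each do |name, value|
    if permitted.include?(name.to_s)
      record.public_send("#{name}=", value)
    else
      rejected << name.to_s
    end
  end
  [record, rejected]
end

# Constructed request: an ordinary key upload carrying one extra field
# that a legitimate form would never send.
TAMPERED_PARAMS = {
  "title"   => "laptop",
  "key"     => "ssh-rsa AAAA...EXAMPLE",   # placeholder key material
  "user_id" => 1                           # not the session user's id
}.freeze

# Runs both patterns against the same request and reports who ends up
# owning the key in each case (session user is the constructed id 42).
def demo
  session_user = 42
  vulnerable = assign_all(PublicKey.new(session_user), TAMPERED_PARAMS)
  hardened, rejected = assign_permitted(PublicKey.new(session_user), TAMPERED_PARAMS)
  {
    vulnerable_owner: vulnerable.user_id,   # 1: the forged value won
    hardened_owner:   hardened.user_id,     # 42: ownership preserved
    rejected:         rejected              # ["user_id"]: worth logging
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point to take from the hardened version is that the allow-list lives with the model or controller that accepts the form, not with the form itself, so adding a hidden field on the client side changes nothing on the server.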

However, Homakov made only a humorous commit, which earned him a temporary account suspension. Although that suspension has been lifted, Homakov said he was disappointed with Github's response and described his 'attack' once Github had hardened itself against it.

Github is used by a number of high-profile projects including the Linux kernel. Homakov's actions exploited a well known weakness of Ruby on Rails, and questions might be asked as to why Github's administrators did not block such an attack sooner.

There's no indication that any projects have been compromised, but a few will be looking over their code to make sure. µ
