I simply added a <input value=USER_ID name=public_key[user_id]> field to Public key update form, where USER_ID = 4223 (from https://api.github.com/users/rails).
@key = PublicKey.find(params[:id])
@key.update_attributes(params[:public_key]) #Oh no! We passed public_key[user_id] of our victim!
Now our victim (Rails) has our public key associated with their account. You can read/write in any public/private repo on github.
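As an added illustration that is not part of the original post, here is a Rails-free Ruby simulation of the bug above: the vulnerable action as quoted, beside a hardened version that scopes the lookup to the current user's own keys and whitelists the writable columns. The PublicKey class, the update_attributes stand-in, attacker id 999 and key id 17 are my own constructions; 4223 is the victim id from the post.

```ruby
# Stand-in model (my construction, not ActiveRecord): update_attributes
# behaves like pre-fix Rails and writes every param key to a column.
class PublicKey
  attr_accessor :id, :user_id, :title, :key

  def initialize(id:, user_id:, title:, key:)
    @id, @user_id, @title, @key = id, user_id, title, key
  end

  def update_attributes(attrs)
    attrs.each { |name, value| public_send("#{name}=", value) }
    self
  end
end

ATTACKER_ID = 999   # constructed attacker account id
VICTIM_ID   = 4223  # victim user id from the post
# Constructed "database": key 17 belongs to the attacker.
DB = { 17 => PublicKey.new(id: 17, user_id: ATTACKER_ID, title: "laptop", key: "ssh-rsa AAAA...") }

# Vulnerable action, as quoted in the post: any record id, any column.
def vulnerable_update(params)
  DB[params[:id]].update_attributes(params[:public_key])
end

# Hardened action: only the current user's own key resolves, and only
# whitelisted columns are writable, so a smuggled user_id is dropped.
PERMITTED = %i[title key].freeze

def safe_update(current_user_id, params)
  key = DB[params[:id]]
  return nil unless key && key.user_id == current_user_id
  key.update_attributes(params[:public_key].select { |k, _| PERMITTED.include?(k) })
end

# The forged request: the hidden <input name=public_key[user_id] value=4223>
# field arrives as one more entry inside params[:public_key].
FORGED = { id: 17, public_key: { title: "laptop", user_id: VICTIM_ID } }

# Runs the forged request through both actions and returns the owner of
# key 17 before, after the vulnerable update, and after the safe update.
def demo
  before = DB[17].user_id
  vulnerable_update(FORGED)
  hijacked = DB[17].user_id        # 4223: the key now unlocks the victim's account
  DB[17].user_id = ATTACKER_ID     # reset before the second run
  safe_update(ATTACKER_ID, FORGED)
  [before, hijacked, DB[17].user_id]   # => [999, 4223, 999]
end
```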
Thoughts on this from 2014:
It was one of my first hacks and I didn't know how to behave. I was angry because nobody wanted to take me and the mass-assignment issue seriously. After I did the commit this vulnerability was fixed on github within 1 hour and in rails within 5 hours. This was really effective, many people learned about the bug and fixed it in their apps, but I still regret this irresponsible disclosure.
Hi, if you reported this to github before using it, could you paste the mail with headers as a blog post? A lot of people think you behaved badly because you didn't report to github first, but I read in a comment that you did.
It was reported with a link to the commit.
Yeah, there's the problem. You reported it via exploiting it AND POSTING WHAT YOU DID IN A PUBLIC MEDIUM. Then, and ONLY then did you report it.
Thank you for the nice explanation of the security problem.
Interesting it is? yes
How's your Russian?
Some of you butthurt anons should just stfu, who gives a shit if English isn't his first language or what the dude looks like in his pic. He just exposed a massive hole that GH tried to ignore and made the world pay attention to his findings.
He should have planted a backdoor in rails and wiped the commit log to pwn all your arrogant pretty boy English speaking asses at his leisure.
Hey,
Congrats on finding a vulnerability. The truth is, there are more that aren't being addressed. I have known about this one for a while but haven't tested it in the most recent version of rails. That's not why I am writing you though.
You are young and passionate about programming - I love that. I have about 10+ years' experience on you so let me share one thing I learned early on in my career: Be careful when trying to prove your point in tech. While this backlash may seem tame, if you choose to do something similar with the wrong client, they could make life very unpleasant. Choose your battles very wisely. Sometimes it is better to be a teacher than a hacktivist :)
Good luck with your career and all the opportunities.
Clap clap clap
Very smart hack. However, as mh stated, maybe not the best way to expose the vulnerability to the public. You may get into serious trouble, maybe not because it is Github, you know.. they might end up hiring you, but you probably wouldn't have the same luck against Microsoft :)
Cheers
Nice work. FULL DISCLOSURE
That is cool my friend
Egor, you've become a real star on Hacker News ;)
I love how Rails "hackers" are butthurting furiously. Yeah, people, some clever Russian guy just made you look fucking retarded. Serves you right.
Now come on, when you criticize Egor's English, please do it in Russian for additional lulz.
You did everything right, Egor, you're fucking awesome. Move to Israel, we have a job for you here, seriously :3
Thanks for the explanation. The hack is really clever :-)
Thanks for the details.
As some others said, there are some things you didn't do the best way (commit master @rails), but the rails core dev team pushed you to do it by ignoring you.
Good work - really disheartened by some of the racist/disrespectful comments.
Egor, thanks for a) finding this and b) reporting it. If anything you have made github a safer place. I don't understand the suspension on behalf of github. You basically helped them save some big headaches and $ in the long run.
wow--nice one. i'm relieved that serious holes like this are occasionally found first by the good guys.
so my repo is less vulnerable than it was before, so thanks.
looks to me like you did no more than what was necessary to get the attention of those responsible for fixing it.
The racist remarks scattered among this comment thread make me want to puke--ignore them.
And precisely what race is Egor?
Awesome hack, Egor, you did well.
Man, why would they do this: @pk = PublicKey.find(params[:id]) ? Maybe current_account.public_keys.where(id: params[:id]) ? - without proxy - it's another security problem.
Good catch.
It scares me that bugs like this exist in github. It also scares me that people scold you instead of them.
Good call for finding it and getting it fixed without any real damage.
Ignore all the moralfags :)
I'll say a couple things and Egor, I hope you read this.
You were completely correct and anyone who says otherwise is simply wrong.
I have been programming since I was 7 years old, which was 1985. I let myself into my first "unlocked door" in a system when I was 11 years old. I put a nice sign up there letting them know I had been there and left without damaging anything. They put a lock on the door afterwards. I'm pretty sure that was the best way to teach them about the problem.
Hacking is virtuous. Teaching by example is the best way to teach. You can measure your success by the anger it causes.
Never stop being disruptive.
With solidarity,
Napolean
Nice work Egor. Quite amazing work for a 19 yo actually. You will go far!
Props!
I love Russian guys. Well done in exploiting and exposing this bug. It clearly shows why Linus Torvalds hates GitHub, lol :)
I do not know Rails or Ruby, but from your description this looks shockingly similar to what a naive register_globals=on would do for you in PHP. Such 'features' are a shame for any development stack.
You did a nice job. Ignore the frustrated Rails hackers (they must be hurting badly ... ouch! )
Very nice, Egor. Way to go!
Your approach might have been a bit harsh... but it was very effective.
Thanks for stirring this a bit.
Respect :)
Thank you for the nice explanation of the security problem. I hate framework and cmq for these reasons
"'Tis no heresy to show a LIBRARY is not secure. We shouldst reconcile our Brother Egor) to the Abbeye of Hub."
(https://twitter.com/#!/GytOfHub/status/176625686365220864)
Interesting. I “hacked” a yahoo form like that >10 years ago (though I only used a nonexisting “neutral” in the gender field).
I never thought things like that would still be possible today - or that they actually mean that you can not only change some harmless field but actually compromise the whole system.
Good catch, and thank you for reporting it!
I did a script one evening for a previous employer that showed which attributes on which models weren't whitelisted. They were "too busy" to implement my findings.
For GitHub to have this issue shows just how far the "cool" loopy juice runs ...
That is why it is safer to host your own sites than rely on someone's Rails app..
A young programmer from Russia schooled the big shots at Github.
This all came out rather childishly. You should have been more persistent in posting bug reports and written to github separately about the vulnerability you found, because github != rails.
On the other hand, it will be easier to find a job now :) Though for work outside Russia you'll have to work seriously on your English, because it's really awful. For a start, please replace all phrases like 'X got Y' with 'X has Y', it hurts the eyes.
Good luck anyway.
Power to you. Nice work. This kind of trivial hack (to perform, not to conceive of), done in a manner that isn't harmful, should not be punished. Sometimes it takes this kind of action to prove a point, which you have done brilliantly.
Well done dude!
Update page views numbers please :)
Egor, you did a good job..
You showed how to be a geek geeks.
Best regards from Poland.
Respect Egor. You did the right thing and don't listen to stupid guys..
Come on guys, Egor tried to do a good thing, he reported politely on github issues page for rails and got ignored
Nice one. Thanks for making RoR a bit more secure. Someone should really pay you for that.
Awesome hack, in the honorable style of the old MIT hacks. (To all the haters: you guys are losers, respect a brilliant hacker, and don't feel bad that you are stupid and Egor is smart. Just know he will get the chicks, like the guys at facebook ;))
Seriously, I guess I can see the GitHub side of things, you pretty much made them look like a bunch of fools.
Laughable how they tried to close the bug a couple times. These guys have their day jobs I guess? Then they can say "woohoo! I closed 1 security bug today, manager is happy, I can go home, where is my raise?"
For example, here is how you "punt":
"Rails is not in charge, it is your responsibility to secure your application. It is your responsibility to avoid XSS, to ensure that the user is editing a resource that belongs to him, etc."
Duoh!
Best comment by busyloop "Rails is all about conventions. Broken by default is not a good convention."
FYI: Egor, reconsider your hourly rate. Don't undersell yourself. Why should those chumps at GH be making more money than you? Check around what Rails security experts are charging. Market yourself. Get someone to represent you, i.e. hire on with a security company or create your own.
Nice job fella...
Nice job...and people saying things like "you look like Frankenstein" or "your English sucks" should consider dying in favor of humanity
Quote:
"I love how Rails "hackers" are butthurting furiously. Yeah, people, some clever Russian guy just made you look fucking retarded. Serves you right.
Now come on, when you criticize Egor's English, please do it in Russian for additional lulz.
You did everything right, Egor, you're fucking awesome. Move to Israel, we have a job for you here, seriously :3"
+1
I love you Russians :)
-An American
This is ridiculously simple! It is a shame for github.
@Anonymous
>Someone should really pay you for that.
no fuckin penny yet :)
@Юрий
what, is it that bad? ) Internet slang has ruined me, I confess
@osman anything about jobs and positions - drop a line on my email pls
@ipoval yeah, I think they wrote it your way. No matter how - the problem is the next line
@Опасносте Israel? Is it warm there? If so, email me )
@Daniel Myasnikov unnecessary hype )
Good hack. To the haters, it could have been much worse - who knows if this has been done before and how many projects might have time bombs hidden in them now. This guy did us all a big favor.
Just wanted to say thanks for this hack. I would be out enjoying a beer after work, but now I have to update ssh keys for several developers.
To all the anons. If this guy is a brain dead retard, what does that make the people at GitHub and behind Rails for not catching this even when he was telling them, over and over again, that it existed? http://tinyurl.com/7ofdrn3
P.S. thank you
P.P.S. Literally while I was typing this you posted awesome new article based around CSRF attacks, keep it up. :)
Egor, well done, you did everything right. Dude, I follow your blog, I've never seen posts about holes updated so often. Keep up the good work!
Even though I am not into codes and all, I just showed it to my programmer friend and he found it to be useful. So thanks a lot.
Moving To Nyc
Igor, Mr. Putin will be extremely proud of you!
Very useful. This site is referenced in the MVC4 book "Professional ASP.NET MVC 4" on page 174.