I simply added an <input value=USER_ID name=public_key[user_id]> field to the public key update form, where USER_ID = 4223 (taken from https://api.github.com/users/rails).
@key = PublicKey.find(params[:id]) # no ownership check: any key id can be loaded
@key.update_attributes(params[:public_key]) # Oh no! We passed public_key[user_id] of our victim!
Now our victim (Rails) has our public key associated with their account, and with it we can read/write any public/private repo on GitHub.
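The mass-assignment bug above, shown beside its fix as an added example (illustrative code, not GitHub's or Rails' own): a tiny stand-in model with the vulnerable update_attributes, a whitelisted update, and the owner-scoped lookup. The PublicKey class, the whitelist and the sample ids are assumptions for this example.

```ruby
# Illustrative stand-in for an ActiveRecord-style model (not Rails itself);
# attribute names mirror the post (id, user_id, key).
class PublicKey
  attr_accessor :id, :user_id, :title, :key
  PERMITTED = %w[title key].freeze # attributes a form may set (assumed whitelist)

  def initialize(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
  end

  # Vulnerable pattern from the post: every submitted attribute is written,
  # so a smuggled public_key[user_id] silently reassigns the key's owner.
  def update_attributes(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end

  # Hardened: reject anything outside the whitelist before writing
  # (same idea as attr_accessible / strong parameters in Rails).
  def update_permitted(attrs)
    rejected = attrs.keys.map(&:to_s) - PERMITTED
    raise ArgumentError, "mass assignment of #{rejected.join(', ')} not allowed" unless rejected.empty?
    update_attributes(attrs)
  end
end

# Constructed sample: attacker owns key 1 (user 99); 4223 is the victim id from the post.
ATTACKER_ID = 99
ATTACK_PARAMS = { "title" => "laptop", "key" => "ssh-rsa AAAA...attacker", "user_id" => 4223 }.freeze

def sample_key
  PublicKey.new(id: 1, user_id: ATTACKER_ID, title: "old", key: "ssh-rsa AAAA...old")
end

# Owner id after the update: the vulnerable path hands the key to the victim (4223).
def vulnerable_update(params = ATTACK_PARAMS)
  sample_key.update_attributes(params).user_id
end

# Hardened path: the request is rejected and the owner stays 99.
def hardened_update(params = ATTACK_PARAMS)
  key = sample_key
  begin
    key.update_permitted(params)
  rescue ArgumentError
    nil # rejected; nothing was written
  end
  key.user_id
end

# Second fix raised in the comments: scope the lookup to the current user's keys
# instead of PublicKey.find(params[:id]), so another user's key is never loaded.
def find_owned_key(keys, current_user_id, id)
  keys.find { |k| k.user_id == current_user_id && k.id == id }
end
```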
Thoughts on this from 2014:
It was one of my first hacks and I didn't know how to behave. I was angry because nobody wanted to take me and the mass-assignment issue seriously. After I did the commit this vulnerability was fixed on GitHub within 1 hour and in Rails within 5 hours. This was really effective, many people learned about the bug and fixed it in their apps, but I still regret this irresponsible disclosure.
Hi, if you reported this to github before using it, could you paste the mail with headers as a blog post? A lot of people think you behaved badly because you didn't report to github first, but I read in a comment that you did.
It was reported with a link to the commit.
Yeah, there's the problem. You reported it via exploiting it AND POSTING WHAT YOU DID IN A PUBLIC MEDIUM. Then, and ONLY then did you report it.
Thank you for the nice explanation of the security problem.
interesting it is? yes
How's your Russian?
Some of you butthurt anons should just stfu, who gives a shit if english isn't his first language or what the dude looks like in his pic. He just exposed a massive hole that GH tried to ignore and made the world pay attention to his findings.
He should have planted a backdoor in rails and wiped the commit log to pwn all your arrogant pretty boy english speaking asses at his leisure.
Congrats on finding a vulnerability. The truth is, there are more that aren't being addressed. I have known about this one for awhile but not tested it in most recent version of rails. That's not why I am writing you though.
You are young and passionate about programming - I love that. I have about 10+ years experience on you so let me share one thing I learned early on in my career: Be careful when trying to prove your point in tech. While this backlash may seem tame, if you choose to do something similar with the wrong client, they could make life very unpleasant. Choose your battles very wisely. Sometimes it is better to be a teacher then a hacktivist :)
Good luck with your career and all the opportunities.
Clap clap clap
Very smart hack. However, as mh stated, maybe not the best way to expose the vulnerability into public. You may get into serious trouble, maybe not because it is Github, you know.. they might end up hiring you, but you probably wouldn't have the same luck against Microsoft :)
Nice work. FULL DISCLOSURE
That is cool my friend
Egor, you've become a real star on Hacker News ;)
I love how Rails "hackers" are butthurting furiously. Yeah, people, some clever Russian guy just made you look fucking retarded. Serves you right.
Now come on, when you criticize Egor's English, please do it in Russian for additional lulz.
You did everything right, Egor, you're fucking awesome. Move to Israel, we have a job for you, seriously :3
Thanks for the explanation. The hack is really clever :-)
Thanks for the details.
As some others said, there are some things you didn't do the best way (commit master @rails), but the rails core dev team pushed you to do it by ignoring you.
Good work - really disheartened by some of the racist/disrespectful comments.
Egor, thanks for a) finding this and b) reporting it. If anything you have made github a safer place. I don't understand the suspension on behalf of github, you basically helped them save some big headaches and $ in the long run.
wow--nice one. i'm relieved that serious holes like this are occasionally found first by the good guys.
so my repo is less vulnerable than it was before, so thanks.
looks to me like you did no more than what was necessary to get the attention of those responsible for fixing it.
The racist remarks scattered among this comment thread make me want to puke--ignore them.
And precisely what race is Egor?
Awesome hack, Egor, you did well.
Man, why would they do this: @pk = PublicKey.find(params[:id]) ? Maybe current_account.public_keys.where(id: params[:id]) ? - without proxy - it's another security problem.
It scares me that bugs like this exist in github. It also scares me that people scold you instead of them.
Good call for finding it and getting it fixed without any real damage.
Ignore all the moralfags :)
I'll say a couple things and Egor, I hope you read this.
You were completely correct and anyone who says otherwise is simply wrong.
I have been programming since I was 7 years old, which was 1985. I let myself in my first "unlocked door" in a system when I was 11 years old. I put a nice sign up there letting them know I had been there and left without damaging anything. They put a lock on the door afterwards. I'm pretty sure that was the best way to teach them about the problem.
Hacking is virtuous. Teaching by example is the best way to teach. You can measure your success by the anger it causes.
Never stop being disruptive.
Nice work, Egor. Quite amazing work for a 19 yo actually. You will go far!
I love Russian guys. Well done in exploiting and exposing this bug. It clearly shows why Linus Torvalds hates GitHub, lol :)
I do not know Rails or Ruby, but from your description this looks shockingly similar to what a naive register_globals=on would do for you in PHP. Such 'features' are a shame for any development stack.
You did a nice job. Ignore the frustrated rail hackers (they must be hurting badly ... ouch! )
Very nice, Egor. Way to go!
Your approach might have been a bit harsh... but it was very effective.
Thanks for stirring this a bit.
Thank you for the nice explanation of the security problem, I hate frameworks and cmq for these reasons
"'Tis no heresy to show a LIBRARY is not secure. We shouldst reconcile our Brother Egor) to the Abbeye of Hub."
Interesting. I "hacked" a yahoo form like that >10 years ago (though I only used a nonexisting "neutral" in the gender field).
I never thought things like that would still be possible today - or that they actually mean that you can not only change some harmless field but actually compromise the whole system.
Good catch, and thank you for reporting it!
I did a script one evening for a previous employer that showed which attributes on which models weren't whitelisted. They were "too busy" to implement my findings.
For GitHub to have this issue shows just how far the "cool" loopy juice runs ...
That is why it is safer to host your own sites than rely on someone's Rails app..
A young programmer from Russia took down the hotshots at GitHub.
It all came out childish. You should have posted bug reports more persistently and written to GitHub separately about the vulnerability you found, because github != rails.
Still, now it will be easier to find a job :) Though for work outside Russia you'll have to seriously work on your language, because it's honestly terrible. For a start, please replace all phrases like 'X got Y' with 'X has Y', it hurts my eyes.
Anyway, good luck.
Power to you. Nice work. This kind of trivial hack (to perform, not to conceive of), done in a manner that isn't harmful, should not be punished. Sometimes it takes this kind of action to prove a point, which you have done brilliantly.
Well done dude!
Update page views numbers please :)
Egor, you did a good job..
You showed how to be a geek geeks.
Best regards from Poland.
Respect Egor. You did the right thing and don't listen to stupid guys..
Come on guys, Egor tried to do a good thing, he reported politely on github issues page for rails and got ignored
Nice one. Thanks for making RoR a bit more secure. Someone should really pay you for that.
Awesome hack, in the honorable style of the old MIT hacks. (To all the haters: you guys are losers, respect a brilliant hacker, and don't feel bad that you are stupid and Egor is smart. Just know he will get the chicks, like the guys at facebook ;))
Seriously, I guess I can see the GitHub side of things, you pretty much made them look like a bunch of fools.
Laughable how they tried to close the bug a couple times. These guys have their day jobs I guess? Then they can say "woohoo! I closed 1 security bug today, manager is happy, I can go home, where is my raise?"
For example, here is how you "punt":
"Rails is not in charge, it is your responsibility to secure your application. It is your responsibility to avoid XSS, to ensure that the user is editing a resource that belongs to him, etc."
Best comment by busyloop "Rails is all about conventions. Broken by default is not a good convention."
FYI: Egor, reconsider your hourly rate. Don't undersell yourself. Why should those chumps at GH be making more money than you? Check around what Rails security experts are charging. Market yourself. Get someone to represent you, i.e. hire on with a security company or create your own.
Nice job fella...
Nice job...and people saying things like "you look like Frankenstein" or "your english sucks" should consider dying in favor of humanity
"I love how Rails "hackers" are butthurting furiously. Yeah, people, some clever Russian guy just made you look fucking retarded. Serves you right.
Now come on, when you criticize Egor's English, please do it in Russian for additional lulz.
You did everything right, Egor, you're fucking awesome. Move to Israel, we have a job for you, seriously :3"
I love you Russians :)
This is ridiculously simple! It is a shame for github.
>Someone should really pay you for that.
no fuckin penny yet :)
What, is it that terrible? :) Internet slang ruined me, I confess
@osman anything about jobs and positions - drop a line on my email pls
@ipoval yeah, I think they wrote it your way. No matter how - the problem is next line
@Опасносте Israel? Is it warm there? If so, write to my email )
@Daniel Myasnikov unnecessary hype )
Good hack. To the haters, it could have been much worse - who knows if this has been done before and how many projects might have time bombs hidden in them now. This guy did us all a big favor.
Just wanted to say thanks for this hack. I would be out enjoying a beer after work, but now I have to update ssh keys for several developers.
To all the anons. If this guy is a brain dead retard, what does that make the people at GitHub and behind Rails for not catching this even when he was telling them, over and over again, that it existed? http://tinyurl.com/7ofdrn3
P.P.S. Literally while I was typing this you posted awesome new article based around CSRF attacks, keep it up. :)
Egor, you're a champ, you did everything right. Dude, I follow your blog, I've never seen posts about holes updated so often. Keep up the good work!
Even though I am not into code and all, I just showed it to my programmer friend and he found it to be useful. So thanks a lot.
Igor, Mr. Putin will be extremely proud of you!
Very useful. This site is referenced in the MVC4 book "Professional ASP.NET MVC 4" on page 174.