How I hacked Github again (opens in new tab)

If @homakov is finding security holes without access to Github repositories, imagine what he'd find if you had him code audit for a few days... He's clearly been going about this the proper white-hat way and ensuring holes are patched before open disclosure... what's there to lose?

On the flip side, you could go about doing what you're doing under the presumption nobody is maliciously targeting your user base. In this scenario, it's possible you have a couple bad actors that see a net benefit greater than your bug bounties and are silently stealing and selling supposedly secure code from your users. You could be supporting a hacker black market where they sell and trade codebases to popular online sites. Imagine how easy it would be for them to find vulnerabilities in these sites if given access to the source code.

That, my friends, would be a catastrophe.

Github uses ruby on rails, which is a pretty mature framework, perhaps covering most of the common security pitfalls. Additionally, I assume github has excellent programmers because of the nature of their job.

Could someone explain in simple english, how did they overlook known & well documented bugs that got them hacked (e.g. Bug 3 about cross domain injection). I'm wondering if someone of Github's caliber can be hacked so easily, what about the rest of the masses developing web apps. Especially all those new crypto-currency exchanges popping up left & right.

I've been toying with Django. Reading through the docs makes me feel that as long as I follow the safety guidelines, my app should be safe. It feels as if they've got you covered. But this post rattles my confidence.

> $4000 reward is OK.

$4000 !? Wow, I'd love to be able to make $4000 on the side just doing what I love.

> Interestingly, it would be even cheaper for them to buy like 4-5 hours of my consulting services at $400/hr = $1600.

This sounds like a pretty clever strategy for marketing yourself as an effective security consultant.

EDIT: $4000!? wow. so money. such big.

@homakov finds 5 different bugs with github and manages to align them so that a bigger vulnerability is exposed in under 5 hours? That's amazing! I used to think I'm a fast delivery-focused developer but I'm probably just a fraction of how fast some people are.

How can I start learning about how to identify exploits like this? I know some basics about web application security and work as a software engineer on a day-to-day basis but security has always been a passion of mine and I have always wanted to be able to support myself through working on security alone (by collecting rewards through bounty programs, self-employed security consulting, working at a security consulting firm like Matasano, or some combination thereof) but I don't know where to start. I want to learn the ins and outs of web application security instead of just understanding the OWASP top 10 and having a strong interest in certain topics (like HTTPS/SSL vulnerabilities). When I read disclosures from people like Egor I grasp the steps they are taking to craft an exploit like this as they are explained but I don't know how to identify these exploits on my own.

Can anyone recommend some reading material or some first steps I can take to work towards moving to a more security-focus career?

Thanks.

I'm the only that thinks that $4000 was very cheap on part of Github? a security hole like this on the wrong hands would have bring severe consequences to github, consequences so big that they would probably pay $1,000,000 USD for it to never happen. So maybe something in the $50-100K would sound more reasonable. Egor is a great hacker with no business sense? On the other hand, the publicity his service gets for this its probably worth more than $50-100K.

"Btw it was the same bug I found in VK.com"

Is there an easy way to see what vulnerabilities other websites have had and fixed, and to check if your site has them as well?

"P.S.2 Love donating? Help Egor on coinbase or paypal: homakov@gmail.com"

Maybe it's just me, but asking for donations after saying you bill clients at $400/hr seems weird to me. I wish I could bill at that rate.

Grats Egor, once again a great explanation of how these things add up into vulunerabilities.

As soon as I saw the new bounty program the first thought through my head was "Any Github Hacking leaderboard without homakov at tthe top is an inaccurate one". Congrats on your newest discovery!

Impressive display of persistence, stringing together those vulnerabilities. I also see your English has gotten noticeably better :) Keep up the good work!

@homakov, have you thought about selling screencasts ?

One thing that I didn't get from the post:

> Oh my, another OAuth anti-pattern! Clients should never reveal actual access_token to the user agent.

From what I understood by reading the OAuth RFC is that front-end intensive applications (a.k.a. public client) should have short lifespan access tokens (~ 2 hours) and the back-end takes care of reissuing a new access token when expired.

Can someone clarify on how to make a those calls from a front-end application without revealing the access token?

Half the comments are about his pay scale, imagine the ruckus if he had been paid in unwithdrawable bitcoins at mtgox.

One more comment. Security flaws seem obvious, but getting security right is hard. It require a lot of testing and effort to get everything right. This kid Homakov has a talent for finding holes and seems that has his hard on right place ie. isn't abusing it.

Really good work @homakov and I suggest you should start a web-security-school or something of the sort. I'm sure there is money in that field and you would be able to keep traveling around the world while doing it.

Why is GitHub so hostile to this kid, just give him a job already! He obviously has deep understanding of how things work. I would feel better knowing he work for them.

Wow, really clever stuff! Also of note is the $4,000 reward he received from GitHub's bounty program — their largest to date, according to the email.

Github should have hired him last time.

How do you find all this stuff? Where do you even start?

OK. I give up. No matter how much I try, I will never be as cool as @homakov.

WTF is up with Firefox and Chrome not fixing their /// bug. They're prioritising neither user security nor standards-compliance.

Seeing stuff like this, I want to get into comp-sec. It always sounded interesting, and it looks like it pays well...

every post this guy has about the security holes he has found are impressive to say the least.

It would be great for educational purposes if a sample app was setup so this vulnerability could be tried on it. Most of the white hack vulnerabilities are fixed by the time white hat blog posts come out so there is no way to actually try them out.

Thanks for continuing to make Github safer for all, @homakov. Someday I might even host a private repo there again, but I haven't done that since your first mass assignment exploit. You continue to prove that my decision was a good one.

This would be a great case study if expanded on and edited. Igor should write a book!

Very cool write-up of non-critical bugs that can be used together to inflict some serious damage. Great work @homakov!

Does anyone know of a website or central resource that documents all these vulnerabilities to look out for?

why hasn't GitHub hired this guy?

Shame on github for making these mistakes in the first place, but kudos to them for doing such a great job of engaging the white hats.

Ruby Brogrammer Security Fail yet again.

Friends don't let friends code in Fails frameworks.

Firstly, well done. It is good to see well done security eval.

But github, seriously? Why do you guys fail so hard at security?

Too much Brogrammer rather than programmer methinks.