Rails exploit compromises GitHub, many sites vulnerable

I know patching massive and longstanding security holes doesn’t contribute to “developer fun”, but neither does living in a world where GitHub (and by extension every project that uses it) is vulnerable to direct exploitation:

http://arstechnica.com/business/news/2012/03/hacker-commandeers-github-to-prove-vuln-in-ruby.ars

One Russian coder (Egor Homakov), one well-known exploit, and one high-visibility repo host later… Homakov has made his point, and the fun and games are over. It would also be high time to review any Rails code you have in production to see if you aren’t subject to the same vulnerability.

It is interesting to see that the Rails community’s initial response was to shift the blame to individual developers. Basically WONTFIX. But with a massively public exploit in their own backyard, namely a site most of us use daily for development infrastructure, I suspect they are going to find themselves in possession of a newfound energy to establish a secure-by-default fix.
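The vulnerability behind the GitHub incident was Rails mass assignment: a model that copies every key of the submitted form onto itself lets the client set fields the form never exposed. The following is an added example, not code from the post, GitHub or Rails, and it has no Rails dependency: a plain-Ruby sketch of the unrestricted pattern next to an allowlisted one, which is the kind of check worth running across production models. The class names (`OpenUser`, `SafeUser`), the attribute names and the request hash are constructed for illustration.

```ruby
# Added example (not the post's code, no Rails dependency): a plain-Ruby sketch
# of Rails-style mass assignment, showing the unrestricted pattern next to an
# allowlisted one. Class, attribute and parameter names are constructed.

# A model that copies every key of the request hash onto itself, the way an
# unrestricted `update_attributes(params[:user])` did with no attr_accessible.
class OpenUser
  attr_accessor :name, :email, :admin, :user_id

  def initialize
    @admin = false
  end

  # Every key in params becomes a writable attribute: the caller, not the
  # model, decides which fields change.
  def assign_attributes(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# The same model with an explicit allowlist (the role attr_accessible played
# in Rails 3 and strong parameters play from Rails 4). Keys outside the list
# are dropped and recorded instead of assigned.
class SafeUser
  ASSIGNABLE = %w[name email].freeze
  attr_accessor :name, :email, :admin, :user_id
  attr_reader :rejected

  def initialize
    @admin = false
    @rejected = []
  end

  def assign_attributes(params)
    params.each do |key, value|
      if ASSIGNABLE.include?(key.to_s)
        public_send("#{key}=", value)
      else
        @rejected << key.to_s # worth logging in production: unexpected keys are a probe signal
      end
    end
    self
  end
end

# Constructed request body: a legitimate profile edit carrying two extra keys
# the form never rendered.
TAMPERED_PARAMS = {
  "name" => "alice",
  "email" => "alice@example.invalid",
  "admin" => true,
  "user_id" => 1
}.freeze

def open_model_admin?(params = TAMPERED_PARAMS)
  OpenUser.new.assign_attributes(params).admin
end

def safe_model_admin?(params = TAMPERED_PARAMS)
  SafeUser.new.assign_attributes(params).admin
end

def safe_model_rejected(params = TAMPERED_PARAMS)
  SafeUser.new.assign_attributes(params).rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted model became admin: #{open_model_admin?}"
  puts "allowlisted model became admin:  #{safe_model_admin?}"
  puts "keys rejected by allowlist:      #{safe_model_rejected.inspect}"
end
```

The review question for each model is which of the two shapes it has: if nothing in the model or controller names the assignable attributes, the request decides, and every column (ownership ids and role flags included) is reachable from a form post. Recording the rejected keys, rather than silently dropping them, also gives operations a signal when someone is feeling out the forms.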

Kudos to GitHub for patching their vulnerability rather quickly, and for reinstating Homakov’s account.

About Joe Atzberger

Joe Atzberger (atz) is a library hacker in Palo Alto, CA. He worked with Galen at both LibLime and Equinox Software, Inc. as an open source developer on Koha and Evergreen. Joe currently works on Hydra and institutional digital repository infrastructure at Stanford.
