How I hacked Github again

How I hacked Github again(homakov.blogspot.com)

911 points by zhuzhuor 12 years ago | 190 comments

jqueryin 12 years ago |

If @homakov is finding security holes without access to Github repositories, imagine what he'd find if you had him code audit for a few days... He's clearly been going about this the proper white-hat way and ensuring holes are patched before open disclosure... what's there to lose?

On the flip side, you could go about doing what you're doing under the presumption nobody is maliciously targeting your user base. In this scenario, it's possible you have a couple bad actors that see a net benefit greater than your bug bounties and are silently stealing and selling supposedly secure code from your users. You could be supporting a hacker black market where they sell and trade codebases to popular online sites. Imagine how easy it would be for them to find vulnerabilities in these sites if given access to the source code.

That, my friends, would be a catastrophe.

GuiA 12 years ago | |

I don't get why Github just hasn't hired the guy already.

Kudos 12 years ago | | |

In his earlier work at least, he's seemed like a loose cannon.

ojr 12 years ago | | |

he gets paid $400/hr doing consulting for YC Companies and other startups and companies, he is from Russia, and now lives in Bangkok, when he becomes rich he wants to live in Hong Kong, pretty nice for a 20 year old, I don't see any glaring reasons to work for Github http://egorhomakov.com/

teh_klev 12 years ago | | |

He's mentioned before that he's not into full-time work:

https://news.ycombinator.com/item?id=7136027

eik3_de 12 years ago | |

Completely agree, GitHub private repos are a huge target. Even if you use 2FA, after login it's just a cookie that separates the good from the bad. How could GH improve that? Client-side SSL Certs?

chimeracoder 12 years ago | | |

If you're talking about for company projects, the enterprise version of Github is self-hosted (e.g. on a VPN): https://enterprise.github.com/

sebastiank123 12 years ago | |

Guys, why are you still hanging out on Github? There are so much better on-premise solutions like RhodeCode (https://rhodecode.com) or Gitbucket (https://github.com/takezoe/gitbucket) existing. And they are even free.

mpeg 12 years ago | |

But hiring him offers no guarantee that he will be able to find any other bugs.

That's the beauty of bounties, it allows people to decide whether they want to do the right thing or not, if there was no bug bounty more people are just tempted to exploit the bug.

enscr 12 years ago |

Github uses ruby on rails, which is a pretty mature framework, perhaps covering most of the common security pitfalls. Additionally, I assume github has excellent programmers because of the nature of their job.

Could someone explain in simple english, how did they overlook known & well documented bugs that got them hacked (e.g. Bug 3 about cross domain injection). I'm wondering if someone of Github's caliber can be hacked so easily, what about the rest of the masses developing web apps. Especially all those new crypto-currency exchanges popping up left & right.

I've been toying with Django. Reading through the docs makes me feel that as long as I follow the safety guidelines, my app should be safe. It feels as if they've got you covered. But this post rattles my confidence.

sdegutis 12 years ago |

> $4000 reward is OK.

$4000 !? Wow, I'd love to be able to make $4000 on the side just doing what I love.

> Interestingly, it would be even cheaper for them to buy like 4-5 hours of my consulting services at $400/hr = $1600.

This sounds like a pretty clever strategy for marketing yourself as an effective security consultant.

EDIT: $4000!? wow. so money. such big.

eli 12 years ago | |

Repeatedly and publicly demonstrating how good you are is probably a good way to market yourself in any field.

sdegutis 12 years ago | | |

I will certainly have to try it. Although by doing this with programming, it's probably not as easy to get to the top of HN.

nicholassmith 12 years ago | |

I'm pretty sure Egor's first language isn't English, so OK might mean 'meh it's alright' through to 'hey this is great'. I know a few non-native speakers who do similar things.

homakov 12 years ago | | |

OK means it's OK but could be better :P

coherentpony 12 years ago | |

According to his website, the minimum time you can buy services for is 8 hours so I'm not sure what he means here.

claudius 12 years ago | | |

8 hours at 400$/hour will still only be 3200$ and he can presumably spend the remaining 4-3 hours doing more security analysis with less overhead, so it might still be cheaper to hire him as a consultant.

chrisrh 12 years ago | |

Perhaps that was not the tone intended. Or perhaps relative to the damage he'd be capable of causing $4000 is small.

danso 12 years ago | |

For some context, checkout homakov's compilation of white-hat "hustlers" and the bounties they've received:

http://www.sakurity.com/hustlers

ultimoo 12 years ago |

@homakov finds 5 different bugs with github and manages to align them so that a bigger vulnerability is exposed in under 5 hours? That's amazing! I used to think I'm a fast delivery-focused developer but I'm probably just a fraction of how fast some people are.

phillmv 12 years ago | |

He's not counting all the time he's spent carefully reading the oauth spec and playing with different options ;).

lostlogin 12 years ago | | |

Or the time he spent learning to get to the level of expertise he has. Maybe that is why his hourly rate is somewhat more than mine.

allochthon 12 years ago | |

This guy is like a good security QA guy on steroids.

throwaway3301 12 years ago |

How can I start learning about how to identify exploits like this? I know some basics about web application security and work as a software engineer on a day-to-day basis but security has always been a passion of mine and I have always wanted to be able to support myself through working on security alone (by collecting rewards through bounty programs, self-employed security consulting, working at a security consulting firm like Matasano, or some combination thereof) but I don't know where to start. I want to learn the ins and outs of web application security instead of just understanding the OWASP top 10 and having a strong interest in certain topics (like HTTPS/SSL vulnerabilities). When I read disclosures from people like Egor I grasp the steps they are taking to craft an exploit like this as they are explained but I don't know how to identify these exploits on my own.

Can anyone recommend some reading material or some first steps I can take to work towards moving to a more security-focus career?

Thanks.

rst 12 years ago | |

Like a lot of other things, practice matters. OWASP has some deliberately insecure webapps which are meant to give people practice spotting and exploiting vulnerabilities (WebGoat, RailsGoat, PyGoat, probably others). There are also "capture the flag" competitions of the sort run every so often by Stripe; Matasano currently has one going as well, focused on embedded systems:

http://www.matasano.com/matasano-square-microcontroller-ctf/

jensC 12 years ago | | |

Matasanos CTF is hard. At least I think so, but a good start anyway.

derengel 12 years ago |

I'm the only that thinks that $4000 was very cheap on part of Github? a security hole like this on the wrong hands would have bring severe consequences to github, consequences so big that they would probably pay $1,000,000 USD for it to never happen. So maybe something in the $50-100K would sound more reasonable. Egor is a great hacker with no business sense? On the other hand, the publicity his service gets for this its probably worth more than $50-100K.

nolok 12 years ago | |

No you're not alone, considering this was a combination of security holes that allowed people to get read/write access to others repos, including private.

philliphaydon 12 years ago | |

I'm really glad Github paid him, but reading what the exploit can do I really think he deserves more, sure they were a series of small exploits, but all together... they are pretty damaging in the wrong hands.

thrush 12 years ago |

"Btw it was the same bug I found in VK.com"

Is there an easy way to see what vulnerabilities other websites have had and fixed, and to check if your site has them as well?

akerl_ 12 years ago |

"P.S.2 Love donating? Help Egor on coinbase or paypal: homakov@gmail.com"

Maybe it's just me, but asking for donations after saying you bill clients at $400/hr seems weird to me. I wish I could bill at that rate.

homakov 12 years ago | |

There's a number of people who would like donate but not interested in consulting..

There were always people complaining "Add a donate address"

Now "why you added a donate address". Oh, Internet.

rdl 12 years ago | | |

Is there a way to guarantee you will spend donations on alcohol and not waste them on things like rent or food?

akerl_ 12 years ago | | |

At least in my experience, I donate to groups that do good work but aren't getting paid for it. I wouldn't donate to people who are being paid (quite handsomely, in this case) for their labor. Especially when he's already clarified that GitHub paid him more than he thought his time was worth.

patcon 12 years ago | |

If you think $400/hr is great, you should see the rate for black-hatting :P

shabble 12 years ago | | |

Although you probably should factor in the possibility of several years of compulsory $0.30/hr labour, plus forfeiture of all your ill-gotten gains (and probably some healthily-gotten ones too, they're not so fussy)

And that's before legal costs and possible restitution.

</jokeruiner>

6cxs2hd6 12 years ago | |

Sure, I had a similar first reaction, but thought about it. If you have skills but haven't yet developed a deep-enough client base, you're in a quandary. You can't bill for $10/hour, or no one will take you seriously. You need perceived value, so you have to quote some reasonably high rate, even if you case-by-case discount it or work gratis.

(At least that's how I imagine it must work. I've never consulted.)

jmathai 12 years ago | |

Not everyone's time is equal. If you're finding security holes like Egor then an hour of your time is absolutely worth $400/hr.

akerl_ 12 years ago | | |

I totally believe that he's worth that amount of money. I'm sorry if you thought I was questioning that. I'm questioning the juxtaposition of his hourly rate with a request for donations.

jedicoffee 12 years ago | |

Yea this is derp.

ChuckMcM 12 years ago |

Grats Egor, once again a great explanation of how these things add up into vulunerabilities.

nightpool 12 years ago |

As soon as I saw the new bounty program the first thought through my head was "Any Github Hacking leaderboard without homakov at tthe top is an inaccurate one". Congrats on your newest discovery!

gabrtv 12 years ago |

Impressive display of persistence, stringing together those vulnerabilities. I also see your English has gotten noticeably better :) Keep up the good work!

TomaszZielinski 12 years ago | |

Not suggesting anything, but "your" might be the key here :-)

leandrocp 12 years ago |

@homakov, have you thought about selling screencasts ?

homakov 12 years ago | |

Security screencasts with Russian accent? HA HA.

YuriNiyazov 12 years ago | | |

Especially with a Russian accent. Gives it a very "if you don't do like I say, other Russians will come and steal your shit" aura.

petepete 12 years ago | | |

I'm pretty much sold!

beambot 12 years ago | | |

Sure, why not? Notch does coding casts. And WhiteRa (SC2) makes some great casts, even (especially?) with his strong accent!

tortilla 12 years ago | | |

I think it would add to the video. :)

nakovet 12 years ago |

One thing that I didn't get from the post:

> Oh my, another OAuth anti-pattern! Clients should never reveal actual access_token to the user agent.

From what I understood by reading the OAuth RFC is that front-end intensive applications (a.k.a. public client) should have short lifespan access tokens (~ 2 hours) and the back-end takes care of reissuing a new access token when expired.

Can someone clarify on how to make a those calls from a front-end application without revealing the access token?

homakov 12 years ago | |

But gist is not a front end app. Gist has web frontend and Rails backend, which is supposed to store the token safely.

interstitial 12 years ago |

Half the comments are about his pay scale, imagine the ruckus if he had been paid in unwithdrawable bitcoins at mtgox.

Einstalbert 12 years ago | |

$400 is such chump change compared to the PR disaster that can come from exploited, or even just leaked, vulnerabilities. I honestly think any SaaS needs to have this somewhere in their budget once a year.

desireco42 12 years ago |

One more comment. Security flaws seem obvious, but getting security right is hard. It require a lot of testing and effort to get everything right. This kid Homakov has a talent for finding holes and seems that has his hard on right place ie. isn't abusing it.

ivanca 12 years ago |

Really good work @homakov and I suggest you should start a web-security-school or something of the sort. I'm sure there is money in that field and you would be able to keep traveling around the world while doing it.

desireco42 12 years ago |

Why is GitHub so hostile to this kid, just give him a job already! He obviously has deep understanding of how things work. I would feel better knowing he work for them.

RickHull 12 years ago | |

Huh? Did you read the letter from github? It closes out: "Thanks again for your awesome work."

http://2.bp.blogspot.com/-xqPTMgxhYmY/UvUCrsc9C8I/AAAAAAAADk...

bliti 12 years ago | |

He clearly states in his blog that full time employment is not his current focus. Prefers to consult.

desireco42 12 years ago | | |

I am consultant as well, I can be wooed with right offer and if I am interested in something. He obviously is interested in GitHub. I think they are still pissed off from last time when he found flaws.

aroman 12 years ago |

Wow, really clever stuff! Also of note is the $4,000 reward he received from GitHub's bounty program — their largest to date, according to the email.

mtkd 12 years ago |

Github should have hired him last time.

jisaacks 12 years ago | |

Maybe they offered? Maybe he can make more consulting.

kirubakaran 12 years ago | | |

I think the parent means "hired as a consultant"

Kiro 12 years ago |

How do you find all this stuff? Where do you even start?

runn1ng 12 years ago |

OK. I give up. No matter how much I try, I will never be as cool as @homakov.

jbeja 12 years ago | |

That no reason to give up, you are completely forbidden to do that >.<.

Tobu 12 years ago |

WTF is up with Firefox and Chrome not fixing their /// bug. They're prioritising neither user security nor standards-compliance.

homakov 12 years ago | |

Oh, there are tons of other silly wontfixes. I gave up. They really don't care about web apps. E.g. instead of /../ i could have used /%2e%2e/!

livingparadox 12 years ago |

Seeing stuff like this, I want to get into comp-sec. It always sounded interesting, and it looks like it pays well...

akerl_ 12 years ago | |

I'd put this in the same category as mobile app dev. There are a few people making money by the truckload, plenty of people making a decent living, and lots of folks who strike out.

If it's something you're interested in, go for it. I just worry that people see this like the promise of gold in a faraway land and go rushing in, not thinking about the real distribution of success.

JabavuAdams 12 years ago | | |

Good old power-laws.

shill 12 years ago | |

It pays well if you are the guy that has hacked GitHub twice.

Anderkent 12 years ago | |

Remember that you only see the interesting stories and successful investigations. Before making such a decision you should try to arrange a chat with someone already doing comp-sec, and figure out how much time they spend on all the other stuff.

knocknock 12 years ago | |

Anyone know some good beginner reading material for someone interested in learning this kinda stuff?

big_youth 12 years ago | | |

I recommend grabbing a copy of Web Application Hackers Handbook[0] and try hacking vulnerable vm's[1].

I see that your a sysadmin so if network hacking is more you speed I would download Metasploit[2] and start hacking old linux or windows distros.

[0]http://www.amazon.com/The-Web-Application-Hackers-Handbook/d... [1]http://itsecgames.blogspot.com/2013/07/bee-box-hack-and-defa... [2] http://www.metasploit.com/

rip747 12 years ago |

every post this guy has about the security holes he has found are impressive to say the least.

Omnipresent 12 years ago |

It would be great for educational purposes if a sample app was setup so this vulnerability could be tried on it. Most of the white hack vulnerabilities are fixed by the time white hat blog posts come out so there is no way to actually try them out.

bashcoder 12 years ago |

Thanks for continuing to make Github safer for all, @homakov. Someday I might even host a private repo there again, but I haven't done that since your first mass assignment exploit. You continue to prove that my decision was a good one.

peterwwillis 12 years ago |

This would be a great case study if expanded on and edited. Igor should write a book!

yarou 12 years ago |

Very cool write-up of non-critical bugs that can be used together to inflict some serious damage. Great work @homakov!

afarra 12 years ago |

Does anyone know of a website or central resource that documents all these vulnerabilities to look out for?

syshax 12 years ago | |

Start here:

https://www.owasp.org/index.php/Top_10_2013-Top_10

outside1234 12 years ago |

why hasn't GitHub hired this guy?

intortus 12 years ago |

Shame on github for making these mistakes in the first place, but kudos to them for doing such a great job of engaging the white hats.

homakov 12 years ago | |

It's hard to shame github for those bugs. All of them are low-sev separately, only together they make sense.

shill 12 years ago | | |

Nice work Egor. I hope to see a GitHub client testimonial on sakurity.com sometime soon.

akerl_ 12 years ago | |

If we're shaming any code with security flaws, no one is free of shame. I'm excited by the bounty program, it's a great way to get things like this identified and responsibly disclosed

intortus 12 years ago | | |

I agree that flaws will always exist, but I don't understand why it's ever worth it to not be absolutely strict about matching redirect_uri in OAuth.

patcon 12 years ago | |

Sorry, but this is a terrible approach to thinking about progressive and open security practices...

ng6tf7t87tyf 12 years ago |

Ruby Brogrammer Security Fail yet again.

Friends don't let friends code in Fails frameworks.

akerl_ 12 years ago | |

Can you clarify how this issue was specific to their choice of framework?

ivanca 12 years ago | |

'comrade1' you have been hell banned since almost one year ago so (almost) no-one can read your posts.

pgs_pants 12 years ago |

Firstly, well done. It is good to see well done security eval.

But github, seriously? Why do you guys fail so hard at security?

Too much Brogrammer rather than programmer methinks.

korzun 12 years ago | |

Ironically, you sound like a brogrammer.

Over two decades the CIA had learned again and again that it could not hope to defend against terrorists by relying solely on its ability to detect specific attacks in advance. No matter how many warnings they picked up, no matter how many terrorist cells they disrupted, at least some attackers were going to get through. Officers in the CTC privately compared themselves to soccer goalies: They wanted to be the best in their league, they wanted to record as many shutouts as possible, but they knew they were going to give up scores to their opponents. Ultimately, many of them believed, the only way to defeat terrorists was to get out of the net and try to take the enemy off the field.[1]