
How I hacked Github again - zhuzhuor
http://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html
======
jqueryin
If @homakov is finding security holes without access to Github repositories,
imagine what he'd find if you had him code audit for a few days... He's
clearly been going about this the proper white-hat way and ensuring holes are
patched before open disclosure... what's there to lose?

On the flip side, you could go about doing what you're doing under the
presumption nobody is maliciously targeting your user base. In this scenario,
it's possible you have a couple bad actors that see a net benefit greater than
your bug bounties and are silently stealing and selling supposedly secure code
from your users. You could be supporting a hacker black market where they sell
and trade codebases to popular online sites. Imagine how easy it would be for
them to find vulnerabilities in these sites if given access to the source
code.

That, my friends, would be a catastrophe.

~~~
GuiA
I don't get why Github just hasn't hired the guy already.

~~~
Kudos
In his earlier work at least, he's seemed like a loose cannon.

~~~
igorhvr
I don't think that is a fair assessment of him, even then.

In any case, I hired him fairly recently for a security audit and he worked
quickly, and was very effective (he found several important vulnerabilities
and reported them in a crystal clear manner). He was also a pleasure to deal
with (no bullshit stance, something I find enjoyable).

The 4000 USD for ~20 hours of work were definitely well spent!

~~~
Kudos
The parent was asking why Github hasn't hired him, not why nobody has hired
him. If you remember, Github actually banned him for hacking the Rails account
in his pentesting.

------
enscr
Github uses ruby on rails, which is a pretty mature framework, perhaps
covering most of the common security pitfalls. Additionally, I assume github
has excellent programmers because of the nature of their job.

Could someone explain in simple English how they overlooked known & well
documented bugs that got them hacked (e.g. Bug 3 about cross domain
injection)? I'm wondering, if someone of Github's caliber can be hacked so
easily, what about the rest of the masses developing web apps. Especially all
those new crypto-currency exchanges popping up left & right.

I've been toying with Django. Reading through the docs makes me feel that as
long as I follow the safety guidelines, my app should be safe. It feels as if
they've got you covered. But this post rattles my confidence.

~~~
homakov
///host.com bug is _not_ well documented. It's "0day" for most websites.

~~~
enscr
Got it! Just worried about the rest of us folks who can't pay you $400/hr :)

Cheers!

~~~
tmzt
Read every single post on his blog.

------
sdegutis
> _$4000 reward is OK._

$4000 !? Wow, I'd love to be able to make $4000 on the side just doing what I
love.

> _Interestingly, it would be even cheaper for them to buy like 4-5 hours of
> my consulting services at $400 /hr = $1600._

This sounds like a pretty clever strategy for marketing yourself as an
effective security consultant.

EDIT: $4000!? wow. so money. such big.

~~~
eli
Repeatedly and publicly demonstrating how good you are is probably a good way
to market yourself in any field.

~~~
sdegutis
I will certainly have to try it. Although by doing this with programming, it's
probably not as easy to get to the top of HN.

------
ultimoo
@homakov finds 5 different bugs with github and manages to align them so that
a bigger vulnerability is exposed in _under 5 hours_? That's amazing! I used
to think I'm a fast delivery-focused developer but I'm probably just a
fraction of how fast some people are.

~~~
phillmv
He's not counting all the time he's spent carefully reading the OAuth spec and
playing with different options ;).

~~~
lostlogin
Or the time he spent learning to get to the level of expertise he has. Maybe
that is why his hourly rate is somewhat more than mine.

------
throwaway3301
How can I start learning about how to identify exploits like this? I know some
basics about web application security and work as a software engineer on a
day-to-day basis but security has always been a passion of mine and I have
always wanted to be able to support myself through working on security alone
(by collecting rewards through bounty programs, self-employed security
consulting, working at a security consulting firm like Matasano, or some
combination thereof) but I don't know where to start. I want to learn the ins
and outs of web application security instead of just understanding the OWASP
top 10 and having a strong interest in certain topics (like HTTPS/SSL
vulnerabilities). When I read disclosures from people like Egor I grasp the
steps they are taking to craft an exploit like this as they are explained but
I don't know how to identify these exploits on my own.

Can anyone recommend some reading material or some first steps I can take to
work towards moving to a more security-focused career?

Thanks.

~~~
rst
Like a lot of other things, practice matters. OWASP has some deliberately
insecure webapps which are meant to give people practice spotting and
exploiting vulnerabilities (WebGoat, RailsGoat, PyGoat, probably others).
There are also "capture the flag" competitions of the sort run every so often
by Stripe; Matasano currently has one going as well, focused on embedded
systems:

[http://www.matasano.com/matasano-square-microcontroller-ctf/](http://www.matasano.com/matasano-square-microcontroller-ctf/)

~~~
jensC
Matasano's CTF is hard. At least I think so, but a good start anyway.

------
derengel
Am I the only one who thinks that $4000 was very cheap on the part of Github? A
security hole like this in the wrong hands would have brought severe
consequences to github, consequences so big that they would probably pay
$1,000,000 USD for it to never happen. So maybe something in the $50-100K
range would sound more reasonable. Egor is a great hacker with no business sense? On
the other hand, the publicity his service gets for this is probably worth
more than $50-100K.

~~~
nolok
No you're not alone, considering this was a combination of security holes that
allowed people to get read/write access to others repos, including private.

------
thrush
"Btw it was the same bug I found in VK.com"

Is there an easy way to see what vulnerabilities other websites have had and
fixed, and to check if your site has them as well?

------
akerl_
"P.S.2 Love donating? Help Egor on coinbase or paypal: homakov@gmail.com"

Maybe it's just me, but asking for donations after saying you bill clients at
$400/hr seems weird to me. I wish I could bill at that rate.

~~~
homakov
There's a number of people who would like to donate but aren't interested in
consulting..

There were always people complaining "Add a donate address".

Now "why did you add a donate address". Oh, Internet.

~~~
akerl_
At least in my experience, I donate to groups that do good work but aren't
getting paid for it. I wouldn't donate to people who are being paid (quite
handsomely, in this case) for their labor. Especially when he's already
clarified that GitHub paid him more than he thought his time was worth.

~~~
homakov
95% of my security research is not paid. I fix gems, libraries, websites etc.
Donated money goes right there, through the beers and coffee I need.

~~~
orblivion
Perhaps you could clarify that part in your future posts, to appease the
Internet haters on both sides. "I do paid contract work. However I also spend
lots of time fixing open source stuff for free. If you want to encourage me to
keep doing the latter, here's how to donate."

~~~
akerl_
Agreed. If it had said that, I'd not have been concerned by it in the first
place.

------
ChuckMcM
Grats Egor, once again a great explanation of how these things add up into
vulnerabilities.

------
nightpool
As soon as I saw the new bounty program the first thought through my head was
"Any Github Hacking leaderboard without homakov at the top is an inaccurate
one". Congrats on your newest discovery!

------
gabrtv
Impressive display of persistence, stringing together those vulnerabilities. I
also see your English has gotten noticeably better :) Keep up the good work!

~~~
TomaszZielinski
Not suggesting anything, but "your" might be the key here :-)

------
leandrocp
@homakov, have you thought about selling screencasts?

~~~
homakov
Security screencasts with Russian accent? HA HA.

~~~
petepete
I'm pretty much sold!

~~~
ionwake
me too!

------
nakovet
One thing that I didn't get from the post:

> Oh my, another OAuth anti-pattern! Clients should never reveal actual
> access_token to the user agent.

From what I understood from reading the OAuth RFC, front-end intensive
applications (a.k.a. public clients) should have short lifespan access tokens
(~ 2 hours) and the back-end takes care of reissuing a new access token when
it expires.

Can someone clarify how to make those calls from a front-end application
without revealing the access token?

~~~
homakov
But gist is not a front-end app. Gist has a web frontend and a Rails backend,
which is supposed to store the token safely.

------
interstitial
Half the comments are about his pay scale, imagine the ruckus if he had been
paid in unwithdrawable bitcoins at mtgox.

~~~
Einstalbert
$400 is such chump change compared to the PR disaster that can come from
exploited, or even just leaked, vulnerabilities. I honestly think any SaaS
needs to have this somewhere in their budget once a year.

------
desireco42
One more comment. Security flaws seem obvious, but getting security right is
hard. It requires a lot of testing and effort to get everything right. This kid
Homakov has a talent for finding holes and it seems he has his heart in the right
place, i.e. isn't abusing it.

------
ivanca
Really good work @homakov and I suggest you should start a web-security-school
or something of the sort. I'm sure there is money in that field and you would
be able to keep traveling around the world while doing it.

------
desireco42
Why is GitHub so hostile to this kid, just give him a job already! He
obviously has a deep understanding of how things work. I would feel better
knowing he worked for them.

~~~
bliti
He clearly states in his blog that full time employment is not his current
focus. Prefers to consult.

~~~
desireco42
I am a consultant as well, I can be wooed with the right offer and if I am
interested in something. He obviously is interested in GitHub. I think they
are still pissed off from last time when he found flaws.

------
aroman
Wow, really clever stuff! Also of note is the $4,000 reward he received from
GitHub's bounty program — their largest to date, according to the email.

------
mtkd
Github should have hired him last time.

~~~
jisaacks
Maybe they offered? Maybe he can make more consulting.

~~~
kirubakaran
I think the parent means "hired as a consultant"

------
Kiro
How do you find all this stuff? Where do you even start?

------
runn1ng
OK. I give up. No matter how much I try, I will never be as cool as @homakov.

~~~
jbeja
That's no reason to give up, you are completely forbidden to do that >.<.

------
Tobu
WTF is up with Firefox and Chrome not fixing their /// bug. They're
prioritising neither user security nor standards-compliance.

~~~
homakov
Oh, there are tons of other silly wontfixes. I gave up. They really don't care
about web apps. E.g. instead of /../ I could have used /%2e%2e/!
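
The /../ and /%2e%2e/ tricks matter when a server only checks that a submitted URL starts with the value it expects. As an added example (not code from the post, the thread or GitHub), here is a constructed Ruby comparison of such a prefix check against a strict OAuth redirect_uri match of the kind RFC 6749 section 3.1.2.3 recommends; the registered URI and the candidates are made-up values.

```ruby
require "uri"

# Constructed registered redirect URI for a hypothetical OAuth client
# (an example value, not any real client's registration).
REGISTERED_REDIRECT = "https://client.example/auth/callback".freeze

# Weak check: the redirect_uri only has to start with the registered value,
# so anything appended after it (extra segments, /../, /%2e%2e/) passes.
def prefix_match?(candidate, registered = REGISTERED_REDIRECT)
  candidate.start_with?(registered)
end

# Strict check: the presented redirect_uri must parse as an absolute HTTPS
# URL whose scheme, host, port, path, query and fragment are identical to
# the registered one. Dot-segments (raw or percent-encoded) can never match
# because the registered path contains none, and URI.parse does not
# normalize them away.
def strict_match?(candidate, registered = REGISTERED_REDIRECT)
  given = URI.parse(candidate)
  known = URI.parse(registered)
  return false unless given.is_a?(URI::HTTPS) && known.is_a?(URI::HTTPS)
  %i[scheme host port path query fragment].all? do |part|
    given.send(part) == known.send(part)
  end
rescue URI::InvalidURIError
  false
end

# Constructed candidates with the verdict a correct validator should give.
CANDIDATES = {
  "https://client.example/auth/callback"              => true,  # registered URI itself
  "https://client.example/auth/callback/../other"     => false, # raw dot-segment
  "https://client.example/auth/callback/%2e%2e/other" => false, # encoded dot-segment
  "https://client.example/auth/callback?x=1"          => false, # unregistered query
}.freeze

# Runs both checks over every candidate; the prefix check accepts all four,
# the strict check accepts only the registered URI.
def compare_checks
  CANDIDATES.map do |uri, expected|
    { uri: uri, expected: expected, prefix: prefix_match?(uri), strict: strict_match?(uri) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each { |r| puts format("%-52s prefix=%-5s strict=%s", r[:uri], r[:prefix], r[:strict]) }
end
```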

------
livingparadox
Seeing stuff like this, I want to get into comp-sec. It always sounded
interesting, and it looks like it pays well...

~~~
akerl_
I'd put this in the same category as mobile app dev. There are a few people
making money by the truckload, plenty of people making a decent living, and
lots of folks who strike out.

If it's something you're interested in, go for it. I just worry that people
see this like the promise of gold in a faraway land and go rushing in, not
thinking about the real distribution of success.

~~~
JabavuAdams
Good old power-laws.

------
rip747
Every post this guy has about the security holes he has found is impressive,
to say the least.

------
Omnipresent
It would be great for educational purposes if a sample app was set up so this
vulnerability could be tried on it. Most of the white-hat vulnerabilities are
fixed by the time white-hat blog posts come out so there is no way to actually
try them out.

------
bashcoder
Thanks for continuing to make Github safer for all, @homakov. Someday I might
even host a private repo there again, but I haven't done that since your first
mass assignment exploit. You continue to prove that my decision was a good
one.

------
peterwwillis
This would be a great case study if expanded on and edited. Egor should write
a book!

------
yarou
Very cool write-up of non-critical bugs that can be used together to inflict
some serious damage. Great work @homakov!

------
afarra
Does anyone know of a website or central resource that documents all these
vulnerabilities to look out for?

~~~
syshax
Start here:

[https://www.owasp.org/index.php/Top_10_2013-Top_10](https://www.owasp.org/index.php/Top_10_2013-Top_10)

------
outside1234
why hasn't GitHub hired this guy?

------
intortus
Shame on github for making these mistakes in the first place, but kudos to
them for doing such a great job of engaging the white hats.

~~~
homakov
It's hard to shame github for those bugs. All of them are low-sev separately,
only together they make sense.

~~~
shill
Nice work Egor. I hope to see a GitHub client testimonial on sakurity.com
sometime soon.

------
ng6tf7t87tyf
Ruby Brogrammer Security Fail yet again.

Friends don't let friends code in Fails frameworks.

~~~
akerl_
Can you clarify how this issue was specific to their choice of framework?

------
pgs_pants
Firstly, well done. It is good to see a well done security eval.

But github, seriously? Why do you guys fail so hard at security?

Too much Brogrammer rather than programmer methinks.

~~~
korzun
Ironically, you sound like a brogrammer.

