How I hacked Github again (homakov.blogspot.com)
911 points by zhuzhuor on Feb 7, 2014 | 190 comments

If @homakov is finding security holes without access to Github repositories, imagine what he'd find if you had him code audit for a few days... He's clearly been going about this the proper white-hat way and ensuring holes are patched before open disclosure... what's there to lose?

On the flip side, you could go about doing what you're doing under the presumption nobody is maliciously targeting your user base. In this scenario, it's possible you have a couple bad actors that see a net benefit greater than your bug bounties and are silently stealing and selling supposedly secure code from your users. You could be supporting a hacker black market where they sell and trade codebases to popular online sites. Imagine how easy it would be for them to find vulnerabilities in these sites if given access to the source code.

That, my friends, would be a catastrophe.

I don't get why Github just hasn't hired the guy already.

In his earlier work at least, he's seemed like a loose cannon.

I don't think that is a fair assessment of him, even then.

In any case, I hired him fairly recently for a security audit and he worked quickly, and was very effective (he found several important vulnerabilities and reported them in a crystal clear manner). He was also a pleasure to deal with (no bullshit stance, something I find enjoyable).

The 4000 USD for ~20 hours of work were definitely well spent!

The parent was asking why Github haven't hired him, not why nobody has hired him. If you remember, Github actually banned him for hacking the Rails account in his pentesting.

There were 2 or 3 cases I regret. The rest of my work is alright and responsible, no?

Yeah, the first Github and Rails exploit is the one that still sticks out in my mind. That kind of thing can be hard to shake, but it helps that you were quite young at the time. I'm happy to see you've matured a lot since then.

He was also very young then I believe, now he's realised he can make a lot of money by acting cool and professional so he does.

And that could be why he might now be considered, but why he wasn't before.

I think his behaviour was commendable - he tried many many times to warn, going to multiple people and projects, but they all ignored him - they were too busy being Gem installing Ruby hipster Brogrammers to consider security, and it bit them hard in the backside.

I'm incredibly interested in angling my career towards security and have no real experience.

Wouldn't it also be wise to keep people like him 'out of the loop', I imagine it's much harder to audit when they have access to internal code/architecture that would be difficult for an outsider to stumble-upon?

he gets paid $400/hr doing consulting for YC Companies and other startups and companies, he is from Russia, and now lives in Bangkok, when he becomes rich he wants to live in Hong Kong, pretty nice for a 20 year old, I don't see any glaring reasons to work for Github http://egorhomakov.com/

$400/hr is meaningless if it comes from a one-off gig.

That's about $13000 THB / hour. Considering that it isn't uncommon for junior programmers in Bangkok to make (and live on) 20-30K / MONTH....

400 USD/hour is a great rate anywhere in the world, even the most expensive cities.

But abcd_f's comment is right about one-off 4-hour projects vs. long-term contracting. Non-billable time overhead spent on finding clients, negotiating contracts, mentally switching projects, or just sitting idle can negate the benefits of a high hourly rate.

He's mentioned before that he's not into full-time work:


Completely agree, GitHub private repos are a huge target. Even if you use 2FA, after login it's just a cookie that separates the good from the bad. How could GH improve that? Client-side SSL Certs?

If you're talking about for company projects, the enterprise version of Github is self-hosted (e.g. on a VPN): https://enterprise.github.com/

People shouldn't trust the cloud for important source storage. Always self-host anything you want to keep private.

I'm pretty sure many more codebases have been lost through failures to secure internal networks by corporate IT departments than through vulnerabilities in cloud hosting providers.

I agree. I was speaking more about security than we blew up our own code repository. Everyone has the ability to light their own house on fire.

I think he is referring to many people failing to secure their networks and having code stolen. It can be just as insecure, if not worse than a cloud provider if done wrong.

'People' shouldn't 'trust' anything.


Important storage can be done 'in the cloud', but you need to audit and verify the cloud vendor is providing the proper controls. Just like you need to do 'privately'.

For code projects that are between me and a couple of other devs, none of whom are infrastructure security experts, I trust a company like Github a lot more than one of us trying to hack something together on a server.

With the exception that if you have three guys hacking something together a dedicated server or a box off your cable modem, with git tunneled over ssh using keys and a proper firewall, you'd probably be miles ahead. That might take you an afternoon to set up with almost no experience.

Not to say that it couldn't be compromised, but you're not a target like github might be. If you're working with an enterprise level project with more complex auth and access methods, more users, performance and scaling needs, you'd need a real security implementation.

There's plenty of companies/enterprises that use regular Github private repositories though.

Guys, why are you still hanging out on Github? There are so many better on-premise solutions like RhodeCode (https://rhodecode.com) or Gitbucket (https://github.com/takezoe/gitbucket). And they are even free.

But hiring him offers no guarantee that he will be able to find any other bugs.

That's the beauty of bounties, it allows people to decide whether they want to do the right thing or not, if there was no bug bounty more people are just tempted to exploit the bug.

Github uses ruby on rails, which is a pretty mature framework, perhaps covering most of the common security pitfalls. Additionally, I assume github has excellent programmers because of the nature of their job.

Could someone explain in simple english, how did they overlook known & well documented bugs that got them hacked (e.g. Bug 3 about cross domain injection). I'm wondering if someone of Github's caliber can be hacked so easily, what about the rest of the masses developing web apps. Especially all those new crypto-currency exchanges popping up left & right.

I've been toying with Django. Reading through the docs makes me feel that as long as I follow the safety guidelines, my app should be safe. It feels as if they've got you covered. But this post rattles my confidence.

As briefly as possible? Infosec is hard. Most companies have virtually no security policies. Nobody listens. Black hats are ahead in the arms race and anyone who has decent knowledge (doesn't even have to be anywhere near on a level like Homakov or Zalewski) can pull off all sorts of exploits. Even if they don't strike the application itself, they'll get you through infrastructure that your application relies on. Look at how script kiddies like the SEA can pull off high-profile hacks through social engineering, domain and DNS hijacking.

It's assured that a ton of Rails apps are vulnerable, it's just that no one has found them, or more likely, is not publicly releasing or actively exploiting them.

Also, Rails doesn't address all security pitfalls. Some of its mechanisms are actually underdeveloped and require rolling lots of checks by yourself, such as for proper session termination, IIRC.

> Infosec is hard.

In computer security, you have to get it right every single time. The bad guys only need to get it right once.

This highlights to me that our infrastructure is horrendously overcomplicated. We have all these great abstractions, but you have to worry about bugs and exploits in every possible layer of every system. Even the simplest modern web-application has an enormous surface-area to secure, and that makes getting it "right every single time" damned near impossible.

This is a little myopic but understandable in the context of a discussion on HN. Infosec is hard, but it is just one example of a bigger truth:

Defense is hard.

This comes up time and time again in any defensive discipline:

  Over two decades the CIA had learned again and again that it could not hope to
  defend against terrorists by relying solely on its ability to detect specific
  attacks in advance. No matter how many warnings they picked up, no matter how
  many terrorist cells they disrupted, at least some attackers were going to
  get through. Officers in the CTC privately compared themselves to soccer
  goalies: They wanted to be the best in their league, they wanted to record as
  many shutouts as possible, but they knew they were going to give up scores to
  their opponents. Ultimately, many of them believed, the only way to defeat
  terrorists was to get out of the net and try to take the enemy off the field.[1]

The final sentence above highlights the one peculiarity of InfoSec; you do not have any offensive capabilities.

[1]: "Ghost Wars" (Steve Coll) pg 505

This is why I think some more work into client (or active) honeypots may be beneficial. If we can get an easy to install, auto updating honeypot that fights back, we may have a better offensive capability.

This may just end, like nuclear warfare, in MAD... But it would be great fun to watch!




No one gets it right every single time. No one. That's a completely unrealistic expectation. What you do is establish a bar, which you share with everyone who will use your software. Then you evaluate your efforts against that bar.

One of the keys to developing good software is hiring third-parties to conduct audits. A bug bounty program is one way to incentivize people who are already probing your software to take the next step and tell you about the bugs they find.

What opinions does infosec in general have of correctness? What about languages like Haskell which focus on separating IO and pure functions?

well it gives the advantage that (used to?) keep desktop-Linux clear of most viruses: it's too little a fish for blackhats to go after.

until that's different it's harder to answer your actual question. my guess, it'll be better but inevitably still have some holes.

I specifically asked what infosec (or anyone involved in the industry) thought of separating pure and impure functions which affect the outside world.

It seems to me that it would drastically reduce the surface areas of attack.

Good to know, thanks. Any recommendation for a good read on security best practices for a python/django app?

If you aren't yet familiar with OWASP, start there. https://www.owasp.org/index.php/Main_Page

Here is some OWASP material specific to Django.

If you like reading http://blog.mikeleone.com/2011/10/security-django-and-owasp-...

If you like watching http://www.youtube.com/watch?feature=player_embedded&v=sra9x...

///host.com bug is not well documented. It's "0day" for most websites.

Got it! Just worried about the rest of us folks who can't pay you $400/hr :)

Cheers !

Read every single post on his blog.

How did you find out about it?

It's worth mentioning that Github has forked Rails and is working off their own private branch of Rails 2.3. Not saying that was relevant to this exploit, mind you.



It is relevant to this:

> I . . . decoded _gist_session cookie (which is regular Rails Base64 encoded cookie)

In Rails 4 the session cookie is encrypted with a server-side secret, so the end user can't decipher it.
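Added example (not part of the thread, and not GitHub's or Rails' own code): a simplified model of the two cookie designs this comment contrasts, a Base64 payload protected only by an HMAC versus an encrypted payload. The JSON serialisation, AES-256-GCM, the PBKDF2 parameters and every name and value below are assumptions chosen for the demo.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed demo values; nothing here comes from a real application.
SECRET  = "constructed-demo-secret"
SESSION = { "user_id" => 42, "oauth_token" => "constructed-token-value" }.freeze

# Signed-only design: Base64(payload) + "--" + HMAC(payload).
def sign_cookie(session, secret)
  payload = Base64.strict_encode64(JSON.generate(session))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, payload)}"
end

# What any holder of the cookie can do: reading needs no secret at all.
def read_without_secret(cookie)
  JSON.parse(Base64.strict_decode64(cookie.split("--", 2).first))
end

# Constant-time comparison so the MAC check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The signature still stops modification: a changed payload fails the MAC.
def verify_cookie(cookie, secret)
  payload, mac = cookie.split("--", 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA1", secret, payload)
  return nil unless secure_compare(mac, expected)
  JSON.parse(Base64.strict_decode64(payload))
end

# Demo key derivation (assumed salt and iteration count).
def derive_key(secret)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, "constructed-salt", 10_000, 32,
                             OpenSSL::Digest.new("SHA256"))
end

# Encrypted design: iv -- ciphertext -- auth tag, each Base64-encoded.
def encrypt_cookie(session, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  [iv, ciphertext, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
end

# Returns the session, or nil if the cookie was altered or the key is wrong.
def decrypt_cookie(cookie, key)
  iv, ciphertext, tag = cookie.split("--", 3).map { |p| Base64.strict_decode64(p) }
  return nil if tag.nil? || tag.bytesize != 16
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  JSON.parse(cipher.update(ciphertext) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# True if `needle` is readable in any Base64 segment of the cookie.
def exposes?(cookie, needle)
  cookie.split("--").any? do |part|
    begin
      Base64.strict_decode64(part).include?(needle)
    rescue ArgumentError
      false
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  signed    = sign_cookie(SESSION, SECRET)
  encrypted = encrypt_cookie(SESSION, derive_key(SECRET))
  puts "signed cookie exposes token:    #{exposes?(signed, SESSION['oauth_token'])}"
  puts "encrypted cookie exposes token: #{exposes?(encrypted, SESSION['oauth_token'])}"
end
```

The signature keeps the client from changing the session, but anything stored in a signed-only cookie should be treated as visible to whoever holds it.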

Gist is indeed running Rails 4.

Isn't gist an entirely separate application from dotcom? My impression was gist is a Sinatra app, not Rails.

> I'm wondering if someone of Github's caliber can be hacked so easily, what about the rest of the masses developing web apps.

They're all pretty bad. SQL injection was a boondoggle for years until people wised up, or more likely moved to the then-newly-popular ORMs, but it still got Bell Canada recently. Target is #36 on the Fortune 500. That wasn't a webapp based attack, but even companies of their considerable resources still get security that wrong. Sure, you can tell yourself a startup is more tech focused and better positioned to get security right. But do devops building for server stacks and platforms they don't fully understand while pushing code multiple times a day really have both the skills and time to focus on security?

> I'm wondering if someone of Github's caliber can be hacked so easily, what about the rest of the masses developing web apps.

What do you think makes Github that much better than all the rest?

It's a dream job for developers, in some ways a lot more so than the big boys like Google and Facebook. They have a hiring pipeline any tech company would kill for. They probably don't have the deep security talent that say Google or Microsoft have, but they should have enough.

> It's a dream job for developers

Really? I'm not so sure, AFAICT Github doesn't have any new or interesting problems to deal with. It's just a Rails app that's constantly developed on. You can do that, well, anywhere.

Their employees do some really interesting things. ReactiveCocoa is incredible. Seems like a great place to work to me (I'd love to get a job there!)

Having met several of them and spent a day in their offices (they gave Kiva engineering a tour day a couple years back), I can say they have an awesome company culture and space and great leadership and great brand recognition. Plus, people generally like them. I'd put it near the top of my list if I had one.

Working in ruby using git? Sounds horrible to me :)

> $4000 reward is OK.

$4000 !? Wow, I'd love to be able to make $4000 on the side just doing what I love.

> Interestingly, it would be even cheaper for them to buy like 4-5 hours of my consulting services at $400/hr = $1600.

This sounds like a pretty clever strategy for marketing yourself as an effective security consultant.

EDIT: $4000!? wow. so money. such big.

Repeatedly and publicly demonstrating how good you are is probably a good way to market yourself in any field.

I will certainly have to try it. Although by doing this with programming, it's probably not as easy to get to the top of HN.

I'm pretty sure Egor's first language isn't English, so OK might mean 'meh it's alright' through to 'hey this is great'. I know a few non-native speakers who do similar things.

OK means it's OK but could be better :P

Straight from the source, thanks Egor. Great blog post as well, your explanations are really easy to follow for a non-security researcher.

I agree... How much could you have sold that exploit for on the black market?


According to his website, the minimum time you can buy services for is 8 hours so I'm not sure what he means here.

8 hours at 400$/hour will still only be 3200$ and he can presumably spend the remaining 4-3 hours doing more security analysis with less overhead, so it might still be cheaper to hire him as a consultant.

Exactly. + if github would really ask me for consulting I'd consider working for free, just for a testimonial.

I have a question for you! Roughly how many hours do you think you've spent looking for bugs on github before you found these stream of exploits?

0. I spent less than an hour last year because there was no proper motivation.

Ah. How did you get the motivation now? How long did it take to find these bugs?

They launched bounty, this was the motivation to check things i always wanted to check. It took me about 4-5 hours, most of that time I was watching TV shows.

Awesome, thanks.

almost $1000/hour for watching TV shows.. nice job)

Read the post. They started offering money.

But they'd have to pay those $3200 without knowing if there were results. They might have to pay dozens of such consultants before one of them found bugs like this. Bug bounties, paid only on successful discoveries, are much cheaper.

But also much riskier. What if it transpires that the $4000 isn't enough? We know roughly what they're paying now, so when people find an issue like this they know they could sell it for much more.

Of course, there's probably also a large chance that he finds nothing in those 8 hours

"nothing" never happened IRL. I either work extra for free trying to find more, and punch myself until I find something.

Really great attitude.

I would make this your tagline in some way -

"I will find vulnerabilities. If I don't, I will become a vulnerability to my own body and attack myself until I do!"

Did we really just make an "In Soviet Russia" joke? That was appropriate? Man, I love this place.

Alright, I had to look this up. Here's some info on these types of jokes.

http://en.wikipedia.org/wiki/Yakov_Smirnoff - referred to as a Russian Reversal

Ok, learned something I completely wasn't aware of before.

But, no, no intent to make that kind of joke.

Not getting you. And no not my intent. What he said was funny and I found it funny. Nothing to do with Russia at all.

There are always n+1 bugs. I presume the same could be said for security holes- especially considering they are sometimes the result of bugs.

True, there are always bugs and security issues, but security issues tend to ramp even quicker than general bugs up from trivial to find to very, very difficult to find, so finding bug n+1 may be substantially harder than finding bug n.

Given a reasonably competent development team, you can usually make a first pass and find quite a number of low-hanging fruit security issues. Everyone makes mistakes, especially when under pressure to get a product out. Once those are gone you can use fuzzing and/or static analysis type techniques to find another set, but after that you get to the point where the bugs start getting quite obscure and require a fairly deep knowledge of how the system works so you can start stringing multiple problems together to get to a real security issue.

Of course this can be offset somewhat by the fact that software is usually a moving target, so if you're security testing a live, active codebase the developers are likely introducing new issues all the time, though hopefully at a reduced rate as they learn from their previous errors.

For some context, check out homakov's compilation of white-hat "hustlers" and the bounties they've received:


Perhaps that was not the tone intended. Or perhaps relative to the damage he'd be capable of causing $4000 is small.

@homakov finds 5 different bugs with github and manages to align them so that a bigger vulnerability is exposed in under 5 hours? That's amazing! I used to think I'm a fast delivery-focused developer but I'm probably just a fraction of how fast some people are.

He's not counting all the time he's spent carefully reading the oauth spec and playing with different options ;).

Or the time he spent learning to get to the level of expertise he has. Maybe that is why his hourly rate is somewhat more than mine.

This guy is like a good security QA guy on steroids.

How can I start learning about how to identify exploits like this? I know some basics about web application security and work as a software engineer on a day-to-day basis but security has always been a passion of mine and I have always wanted to be able to support myself through working on security alone (by collecting rewards through bounty programs, self-employed security consulting, working at a security consulting firm like Matasano, or some combination thereof) but I don't know where to start. I want to learn the ins and outs of web application security instead of just understanding the OWASP top 10 and having a strong interest in certain topics (like HTTPS/SSL vulnerabilities). When I read disclosures from people like Egor I grasp the steps they are taking to craft an exploit like this as they are explained but I don't know how to identify these exploits on my own.

Can anyone recommend some reading material or some first steps I can take to work towards moving to a more security-focus career?


Like a lot of other things, practice matters. OWASP has some deliberately insecure webapps which are meant to give people practice spotting and exploiting vulnerabilities (WebGoat, RailsGoat, PyGoat, probably others). There are also "capture the flag" competitions of the sort run every so often by Stripe; Matasano currently has one going as well, focused on embedded systems:


Matasano's CTF is hard. At least I think so, but a good start anyway.

Am I the only one who thinks that $4000 was very cheap on the part of Github? A security hole like this in the wrong hands would have brought severe consequences to Github, consequences so big that they would probably pay $1,000,000 USD for it to never happen. So maybe something in the $50-100K would sound more reasonable. Egor is a great hacker with no business sense? On the other hand, the publicity his service gets for this is probably worth more than $50-100K.

No you're not alone, considering this was a combination of security holes that allowed people to get read/write access to others repos, including private.

I'm really glad Github paid him, but reading what the exploit can do I really think he deserves more, sure they were a series of small exploits, but all together... they are pretty damaging in the wrong hands.

"Btw it was the same bug I found in VK.com"

Is there an easy way to see what vulnerabilities other websites have had and fixed, and to check if your site has them as well?

"P.S.2 Love donating? Help Egor on coinbase or paypal: homakov@gmail.com"

Maybe it's just me, but asking for donations after saying you bill clients at $400/hr seems weird to me. I wish I could bill at that rate.

There's a number of people who would like to donate but are not interested in consulting.

There were always people complaining "Add a donate address"

Now "why you added a donate address". Oh, Internet.

Is there a way to guarantee you will spend donations on alcohol and not waste them on things like rent or food?

Send him an e-mail saying, "Hey, I sent you $100. I would deeply appreciate it if you spent it on your beverage of choice, or a nice dinner with a friend, rather than on necessities."

It's no guarantee, of course. :)

yes. donate to someone who makes $400/hour.

Charging $400/hour does not mean he does not need extra money. The nature of his business is short-term projects; it's not like a regular web developer who has to work 40 hours a week for many months to finish a project. He only does audits, which don't last long; because of that you see this "high" (I personally don't think it's high) hourly rate.

It's actually a good strategy to price high hourly but over-deliver (doing lots of free work behind the scenes, or speculative unpaid work, etc.) -- rather than the market-clearing rate of ~100-150/hr, at least when you're trying to build a brand. At $400, he's clearly a specialist, and will get more interesting work; at $100/hr, you could hire him and just treat him like another developer, have him do cookie-cutter assessments, etc.

Personally, I think he'd make more money at $400-600/hr if he could also get some kind of manager to handle the interactions with clients; it doesn't seem to be what he enjoys, or is particularly good at.

(I've had drinks with him before, so probably the most effective way to accomplish my goal is to buy him drinks when I'm in town.)

> Personally, I think he'd make more money at $400-600/hr if he could also get some kind of manager to handle the interactions with clients; it doesn't seem to be what he enjoys, or is particularly good at.

Completely agree. I'm not doing security, but my hourly is similar, and it was a game changer for me to have someone in a manager-like role working with me. Client relations are a huge time suck, but are also absolutely necessary. If he can find someone (or maybe someone on HN should volunteer), it'd be more than worth it.

BTW My manager takes a flat 15%. I'm much happier, clients are way happier, and my total income has increased as a result—not to mention another person is gainfully employed at something they're good at and enjoy. A win-win all the way around.

It seems your manager is more an agent than a manager.

I meant manager in the sense of a band's manager. It's more than just introducing you to deals; it's handling the communications back and forth with the client on an ongoing basis; not merely the negotiation to set up the deal but the actual work-product communications as well.

Yup, that's exactly what I meant too.

At least in my experience, I donate to groups that do good work but aren't getting paid for it. I wouldn't donate to people who are being paid (quite handsomely, in this case) for their labor. Especially when he's already clarified that GitHub paid him more than he thought his time was worth.

95% of my security research is not paid. I fix gems, libraries, websites etc. Donated money goes right there, through beers and coffee I need.

Perhaps you could clarify that part in your future posts, to appease the Internet haters on both sides. "I do paid contract work. However I also spend lots of time fixing open source stuff for free. If you want to encourage me to keep doing the latter, here's how to donate."

Agreed. If it had said that, I'd not have been concerned by it in the first place.

This makes sense then for sure.

You are giving people that you have helped an opportunity to pay you without having any kind of contract with them.

Nothing wrong with that at all.

Donate or don't donate, that's your call. But why are you complaining about him asking for a donation? Why try to "shame" him? What is he doing to harm you?

Start-up idea: let Hacker News users pay to berate you for x minutes.

There's a clearly huge market.

plus.inyourfacetwit.com, where you have 140 chars to berate anyone, and a whaling-wall for when you really need to get it off your chest.

Ad supported. Abusive ads berating potential users are encouraged.

20 hours later, domain still not registered...

Get on that before someone filches it!

Although you'll have some competition:


Not sure why you're viewing my comment with such hostility. I was mistakenly under the impression that most of his work is contracted / bounty. He's already clarified his reason for accepting donations below, and I understand. I just think the placement/wording was less than ideal.

Raganwald! Downvote or don't downvote! Why are you trying to shame akeri_!?

Point, set and match.

Luckily, he is not forcing you to donate, so you can choose not to. :)

He also commented on his site that he "is poor", so it could be that he simply hasn't landed enough gigs @ $400/hr to be in good financial shape yet.

He's also providing this blog post. Something he doesn't have to do and has taught me something as I try to improve myself.

I doubt Egor is being paid for posting these summaries to his own blog for all of us to see. Even if he weren't contributing code to various libraries and applications, these write-ups are a great benefit to everyone else who has yet to be a target.

Some people actively try to think of money as a proxy for appreciation ;)

If you think $400/hr is great, you should see the rate for black-hatting :P

Although you probably should factor in the possibility of several years of compulsory $0.30/hr labour, plus forfeiture of all your ill-gotten gains (and probably some healthily-gotten ones too, they're not so fussy)

And that's before legal costs and possible restitution.


Not a concern if you live in Russia or Eastern Europe.

...unless you like to travel.

Sure, I had a similar first reaction, but thought about it. If you have skills but haven't yet developed a deep-enough client base, you're in a quandary. You can't bill for $10/hour, or no one will take you seriously. You need perceived value, so you have to quote some reasonably high rate, even if you case-by-case discount it or work gratis.

(At least that's how I imagine it must work. I've never consulted.)

Not everyone's time is equal. If you're finding security holes like Egor then an hour of your time is absolutely worth $400/hr.

I totally believe that he's worth that amount of money. I'm sorry if you thought I was questioning that. I'm questioning the juxtaposition of his hourly rate with a request for donations.

I think the contract makes sense for clients, and the donation makes sense for other security researchers who want an incentive for him to keep publishing ideas.

Understood. But I imagine that his work isn't quite as "steady" as one might expect. He invests time by trying to find security exploits in hopes that the affected company compensates him. He doesn't set his price or even determine if he gets paid for his time.

I think that might be the rationale...or it might just be that he's found himself in a position where he can collect bounties AND donations :).

Yea this is derp.

Grats Egor, once again a great explanation of how these things add up into vulnerabilities.

As soon as I saw the new bounty program the first thought through my head was "Any Github Hacking leaderboard without homakov at the top is an inaccurate one". Congrats on your newest discovery!

Impressive display of persistence, stringing together those vulnerabilities. I also see your English has gotten noticeably better :) Keep up the good work!

Not suggesting anything, but "your" might be the key here :-)

@homakov, have you thought about selling screencasts ?

Security screencasts with Russian accent? HA HA.

Especially with a Russian accent. Gives it a very "if you don't do like I say, other Russians will come and steal your shit" aura.

I'm pretty much sold!

me too!

Sure, why not? Notch does coding casts. And WhiteRa (SC2) makes some great casts, even (especially?) with his strong accent!

WhiteRa on HN! You made my day : )

Just a quote while we're at it..

>> We make expand and then defense it.

I think it would add to the video. :)

One thing that I didn't get from the post:

> Oh my, another OAuth anti-pattern! Clients should never reveal actual access_token to the user agent.

From what I understood by reading the OAuth RFC is that front-end intensive applications (a.k.a. public client) should have short lifespan access tokens (~ 2 hours) and the back-end takes care of reissuing a new access token when expired.

Can someone clarify how to make those calls from a front-end application without revealing the access token?

But gist is not a front end app. Gist has web frontend and Rails backend, which is supposed to store the token safely.

Half the comments are about his pay scale, imagine the ruckus if he had been paid in unwithdrawable bitcoins at mtgox.

$400 is such chump change compared to the PR disaster that can come from exploited, or even just leaked, vulnerabilities. I honestly think any SaaS needs to have this somewhere in their budget once a year.

One more comment. Security flaws seem obvious, but getting security right is hard. It requires a lot of testing and effort to get everything right. This kid Homakov has a talent for finding holes and seems to have his heart in the right place, i.e. isn't abusing it.

Really good work @homakov and I suggest you should start a web-security-school or something of the sort. I'm sure there is money in that field and you would be able to keep traveling around the world while doing it.

Why is GitHub so hostile to this kid, just give him a job already! He obviously has a deep understanding of how things work. I would feel better knowing he works for them.

Huh? Did you read the letter from github? It closes out: "Thanks again for your awesome work."


He clearly states in his blog that full time employment is not his current focus. Prefers to consult.

I am a consultant as well; I can be wooed with the right offer and if I am interested in something. He obviously is interested in GitHub. I think they are still pissed off from last time when he found flaws.

Wow, really clever stuff! Also of note is the $4,000 reward he received from GitHub's bounty program — their largest to date, according to the email.

Github should have hired him last time.

Maybe they offered? Maybe he can make more consulting.

I think the parent means "hired as a consultant"

How do you find all this stuff? Where do you even start?

OK. I give up. No matter how much I try, I will never be as cool as @homakov.

That's no reason to give up, you are completely forbidden to do that >.<.

WTF is up with Firefox and Chrome not fixing their /// bug. They're prioritising neither user security nor standards-compliance.

Oh, there are tons of other silly wontfixes. I gave up. They really don't care about web apps. E.g. instead of /../ I could have used /%2e%2e/!

Seeing stuff like this, I want to get into comp-sec. It always sounded interesting, and it looks like it pays well...

I'd put this in the same category as mobile app dev. There are a few people making money by the truckload, plenty of people making a decent living, and lots of folks who strike out.

If it's something you're interested in, go for it. I just worry that people see this like the promise of gold in a faraway land and go rushing in, not thinking about the real distribution of success.

Good old power-laws.

It pays well if you are the guy that has hacked GitHub twice.

Remember that you only see the interesting stories and successful investigations. Before making such a decision you should try to arrange a chat with someone already doing comp-sec, and figure out how much time they spend on all the other stuff.

Anyone know some good beginner reading material for someone interested in learning this kinda stuff?

I recommend grabbing a copy of The Web Application Hacker's Handbook[0] and trying to hack vulnerable VMs[1].

I see that you're a sysadmin, so if network hacking is more your speed I would download Metasploit[2] and start hacking old Linux or Windows distros.

[0] http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

[1] http://itsecgames.blogspot.com/2013/07/bee-box-hack-and-defa...

[2] http://www.metasploit.com/

Every post this guy has about the security holes he has found is impressive, to say the least.

It would be great for educational purposes if a sample app was set up so this vulnerability could be tried on it. Most of the white hat vulnerabilities are fixed by the time white hat blog posts come out so there is no way to actually try them out.

Thanks for continuing to make Github safer for all, @homakov. Someday I might even host a private repo there again, but I haven't done that since your first mass assignment exploit. You continue to prove that my decision was a good one.

This would be a great case study if expanded on and edited. Igor should write a book!

Very cool write-up of non-critical bugs that can be used together to inflict some serious damage. Great work @homakov!

Does anyone know of a website or central resource that documents all these vulnerabilities to look out for?

Why hasn't GitHub hired this guy?

Shame on github for making these mistakes in the first place, but kudos to them for doing such a great job of engaging the white hats.

It's hard to shame github for those bugs. All of them are low-sev separately, only together they make sense.

Nice work Egor. I hope to see a GitHub client testimonial on sakurity.com sometime soon.

If we're shaming any code with security flaws, no one is free of shame. I'm excited by the bounty program; it's a great way to get things like this identified and responsibly disclosed.

I agree that flaws will always exist, but I don't understand why it's ever worth it to not be absolutely strict about matching redirect_uri in OAuth.
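The point about strict redirect_uri matching, as an added example that is not part of the thread or of GitHub's code: a prefix check accepts values that an exact comparison rejects, including the /../ and /%2e%2e/ forms mentioned earlier in the thread. The client URL, the sample paths and all function names are constructed for illustration, and the dot-segment handling is a simplified model of what a URL consumer does.

```ruby
require "uri"

# Constructed registration for a hypothetical OAuth client.
REGISTERED = "https://client.example/oauth/callback"

# Weak check: anything that begins with the registered value passes.
def prefix_match?(candidate, registered = REGISTERED)
  candidate.start_with?(registered)
end

# Strict check: the candidate must be byte-for-byte the registered URI.
def strict_match?(candidate, registered = REGISTERED)
  candidate == registered
end

# Path that is actually requested once a consumer decodes %2e and
# collapses "." / ".." segments (simplified dot-segment removal).
def effective_path(candidate)
  path = URI.parse(candidate).path.gsub(/%2e/i, ".")
  out = []
  path.split("/", -1).each do |seg|
    case seg
    when "."  then next
    when ".." then out.pop if out.length > 1 # never pop the leading ""
    else out << seg
    end
  end
  out.join("/")
end

# Run both checks over a list and report where each value really lands.
def audit(candidates)
  candidates.map do |c|
    { uri: c, prefix: prefix_match?(c), strict: strict_match?(c),
      lands_on: effective_path(c) }
  end
end

# Constructed sample values.
SAMPLES = [
  REGISTERED,
  "#{REGISTERED}/../../other/page",
  "#{REGISTERED}/%2e%2e/%2e%2e/other/page"
].freeze

audit(SAMPLES).each { |row| puts row }
```

Only the exact comparison keeps the authorization response on the registered callback; the prefix check passes values whose effective path is elsewhere on the same host.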

Sorry, but this is a terrible approach to thinking about progressive and open security practices...

Ruby Brogrammer Security Fail yet again.

Friends don't let friends code in Fails frameworks.

Can you clarify how this issue was specific to their choice of framework?

'comrade1' you have been hell banned since almost one year ago so (almost) no-one can read your posts.

Firstly, well done. It is good to see well done security eval.

But github, seriously? Why do you guys fail so hard at security?

Too much Brogrammer rather than programmer methinks.

Ironically, you sound like a brogrammer.
