

GitHub Account Takeover

30/04/2025

In March 2012, GitHub faced a significant security incident involving a mass-assignment vulnerability. The application copied incoming form parameters onto its data models without restricting which attributes a client was allowed to set, so the exploiter could assign himself privileges he was not entitled to. As a result, three accounts were compromised, allowing changes to be committed directly into the Ruby on Rails project's repository.
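The pattern behind the incident, as an added example written for this page (it is not the CodeHub.py challenge code, nor GitHub's or Rails' own code): a handler that copies every submitted field onto a model, beside an allowlisted handler that only accepts the fields a user is meant to edit. The models, field names, user accounts and the sample form are constructed assumptions chosen to mirror the incident; the public-key case shows a submitted `user_id` landing an attacker's SSH key on another account, the profile case shows a privileged `admin` flag being set from the form.

```python
# Added example: mass assignment in plain Python, vulnerable handler beside the
# hardened one. Model/field names and sample data are assumptions, not GitHub's code.
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    login: str
    admin: bool = False                      # privileged attribute: never user-settable
    public_keys: list = field(default_factory=list)


@dataclass
class PublicKey:
    user_id: int                             # owner; must come from the session, not the form
    title: str
    key: str


class ForbiddenAttribute(Exception):
    """Raised by the hardened handlers when a request tries to set a protected field."""


def make_users() -> dict:
    """Constructed sample data: the account being targeted and the attacker's own account."""
    return {1: User(1, "rails"), 2: User(2, "attacker")}


# --- vulnerable: Rails-style update_attributes(params[...]) with no attribute allowlist ---

def vulnerable_update_profile(user: User, form: dict) -> User:
    """Writes every submitted field onto the model, so `admin` is as settable as `login`."""
    for name, value in form.items():
        setattr(user, name, value)
    return user


def vulnerable_add_public_key(users: dict, session_user_id: int, form: dict) -> PublicKey:
    """Starts from the logged-in user, then mass-assigns the form: a submitted
    `user_id` overwrites the session value and the key is stored on that account."""
    key = PublicKey(user_id=session_user_id, title="", key="")
    for name, value in form.items():         # client-controlled names and values
        setattr(key, name, value)
    users[key.user_id].public_keys.append(key)
    return key


# --- hardened: explicit allowlist per form, owner taken from the session ---

PROFILE_FIELDS = {"login"}                   # the only profile attribute a user may edit
PUBLIC_KEY_FIELDS = {"title", "key"}         # user_id is deliberately absent


def _allowlisted(form: dict, allowed: set) -> dict:
    """Rejects the whole request if it names any field outside the allowlist.
    Rejecting (rather than silently dropping) makes probing attempts visible in logs."""
    extra = set(form) - allowed
    if extra:
        raise ForbiddenAttribute(sorted(extra))
    return {name: form[name] for name in allowed if name in form}


def hardened_update_profile(user: User, form: dict) -> User:
    for name, value in _allowlisted(form, PROFILE_FIELDS).items():
        setattr(user, name, value)
    return user


def hardened_add_public_key(users: dict, session_user_id: int, form: dict) -> PublicKey:
    fields = _allowlisted(form, PUBLIC_KEY_FIELDS)
    missing = PUBLIC_KEY_FIELDS - set(fields)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    key = PublicKey(user_id=session_user_id, **fields)   # owner fixed by the session
    users[session_user_id].public_keys.append(key)
    return key


def demo() -> dict:
    """Replays the attacker's request (session user 2, form naming user 1) against both handlers."""
    attack_form = {"title": "attacker laptop",
                   "key": "ssh-ed25519 AAAAEXAMPLE attacker@laptop",   # constructed sample key
                   "user_id": 1}
    users = make_users()
    vulnerable_add_public_key(users, session_user_id=2, form=attack_form)
    planted = any(k.key == attack_form["key"] for k in users[1].public_keys)

    users = make_users()
    try:
        hardened_add_public_key(users, session_user_id=2, form=attack_form)
        rejected = False
    except ForbiddenAttribute:
        rejected = True
    return {"vulnerable_key_planted_on_user_1": planted, "hardened_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The fix is not to blocklist known-dangerous fields but to allowlist the ones each form may set and to take ownership (`user_id`) from the authenticated session. That is the direction Rails took after the incident: attribute allowlisting became the default for new applications in 3.2.3, and Rails 4 moved the allowlist into the controller as strong parameters.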

GitHub temporarily suspended the exploiter's account for violating its terms of service, but reinstated it after confirming there was no malicious intent. The incident caused widespread alarm in the development community and prompted GitHub to audit its codebase for similar vulnerabilities.

The incident underscored the broader implications of security weaknesses in widely used platforms like GitHub, with risks extending well beyond the immediate community. It also led GitHub to clarify its procedures for responsible vulnerability disclosure, improving how security issues are reported and communicated.

Coder Chris Acky wrote that even developers not using GitHub should be worried:

“When the large portion of the technical world all depends on a single service, and that service is vulnerable to a variety of attacks, that makes anyone who consumes these services also vulnerable,” Acky said.

We made a challenge replicating this incident: CodeHub.py


Read more about the incident: GitHub suspends member over ‘mass-assignment’ hack | ZDNET
