If @homakov is finding security holes without access to GitHub's repositories, imagine what he'd find if you had him do a code audit for a few days... He's clearly been going about this the proper white-hat way and ensuring holes are patched before open disclosure... what's there to lose?<p>On the flip side, you could go about doing what you're doing under the presumption that nobody is maliciously targeting your user base. In this scenario, it's possible you have a couple of bad actors who see a net benefit greater than your bug bounties and are silently stealing and selling supposedly secure code from your users. You could be supporting a hacker black market where they sell and trade the codebases of popular online sites. Imagine how easy it would be for them to find vulnerabilities in these sites if given access to the source code.<p>That, my friends, would be a catastrophe.
GitHub uses Ruby on Rails, which is a pretty mature framework, perhaps covering most of the common security pitfalls. Additionally, I assume GitHub has excellent programmers because of the nature of their job.<p>Could someone explain in simple English how they overlooked known & well-documented bugs that got them hacked (e.g. Bug 3 about cross-domain injection)? I'm wondering: if someone of GitHub's caliber can be hacked so easily, what about the rest of the masses developing web apps? Especially all those new crypto-currency exchanges popping up left & right.<p>I've been toying with Django. Reading through the docs makes me feel that as long as I follow the safety guidelines, my app should be safe. It feels as if they've got you covered. But this post rattles my confidence.
> <i>$4000 reward is OK.</i><p>$4000!? Wow, I'd love to be able to make $4000 on the side just doing what I love.<p>> <i>Interestingly, it would be even cheaper for them to buy like 4-5 hours of my consulting services at $400/hr = $1600.</i><p>This sounds like a pretty clever strategy for marketing yourself as an effective security consultant.<p>EDIT: $4000!? wow. so money. such big.
@homakov finds 5 different bugs in GitHub and manages to align them so that a bigger vulnerability is exposed in <i>under 5 hours</i>? That's amazing! I used to think I was a fast, delivery-focused developer, but I'm probably just a fraction of how fast some people are.
How can I start learning about how to identify exploits like this? I know some basics about web application security and work as a software engineer on a day-to-day basis, but security has always been a passion of mine and I have always wanted to be able to support myself through working on security alone (by collecting rewards through bounty programs, self-employed security consulting, working at a security consulting firm like Matasano, or some combination thereof). I just don't know where to start. I want to learn the ins and outs of web application security instead of just understanding the OWASP Top 10 and having a strong interest in certain topics (like HTTPS/SSL vulnerabilities). When I read disclosures from people like Egor, I grasp the steps they are taking to craft an exploit like this as they are explained, but I don't know how to identify these exploits on my own.<p>Can anyone recommend some reading material or some first steps I can take to work towards moving to a more security-focused career?<p>Thanks.
Am I the only one who thinks that $4000 was very cheap on the part of GitHub? A security hole like this in the wrong hands would have brought severe consequences to GitHub, consequences so big that they would probably pay $1,000,000 USD for it to never happen. So maybe something in the $50-100K range would sound more reasonable. Is Egor a great hacker with no business sense? On the other hand, the publicity his service gets from this is probably worth more than $50-100K.
"Btw it was the same bug I found in VK.com"<p>Is there an easy way to see what vulnerabilities other websites have had and fixed, and to check if your site has them as well?
"P.S.2 Love donating? Help Egor on coinbase or paypal: homakov@gmail.com"<p>Maybe it's just me, but asking for donations after saying you bill clients at $400/hr seems weird to me. I wish I could bill at that rate.
As soon as I saw the new bounty program, the first thought through my head was "Any GitHub hacking leaderboard without homakov at the top is an inaccurate one". Congrats on your newest discovery!
Impressive display of persistence, stringing together those vulnerabilities. I also see your English has gotten noticeably better :) Keep up the good work!
One thing that I didn't get from the post:<p>> Oh my, another OAuth anti-pattern! Clients should never reveal actual access_token to the user agent.<p>From what I understood by reading the OAuth RFC, front-end intensive applications (a.k.a. public clients) should have short-lifespan access tokens (~2 hours), and the back-end takes care of reissuing a new access token when it expires.<p>Can someone clarify how to make those calls from a front-end application without revealing the access token?
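The pattern the quoted line is pointing at is usually called a backend-for-frontend: the browser never sees the access_token at all, only an opaque HttpOnly session cookie, and the server looks the token up and forwards the API call, refreshing the token when it has expired. The Ruby below is an added illustration of that flow, not code from the post, from Egor, or from GitHub; `FakeProvider` (a stand-in token endpoint plus one resource endpoint), `BffServer`, the in-memory session store and the timestamps are all constructed for the example.

```ruby
require 'securerandom'

# Stand-in for the OAuth provider (token endpoint + one resource endpoint).
# Constructed for this example; it is not GitHub's API.
class FakeProvider
  TTL = 7200 # seconds; short-lived access tokens, as the comment above describes

  def initialize
    @by_access  = {} # access_token  => { refresh_token:, expires_at: }
    @by_refresh = {} # refresh_token => access_token
  end

  # Token endpoint: mint a fresh access/refresh pair.
  def issue(now)
    access  = SecureRandom.hex(16)
    refresh = SecureRandom.hex(16)
    @by_access[access]   = { refresh_token: refresh, expires_at: now + TTL }
    @by_refresh[refresh] = access
    { access_token: access, refresh_token: refresh, expires_at: now + TTL }
  end

  # Refresh grant: revoke the old access token, then mint a new pair.
  def refresh(refresh_token, now)
    old = @by_refresh.delete(refresh_token)
    return nil unless old
    @by_access.delete(old)
    issue(now)
  end

  # Resource endpoint: accepts only a live (unexpired, unrevoked) access token.
  def api_get(access_token, now)
    t = @by_access[access_token]
    return [401, { 'error' => 'bad_token' }] unless t && t[:expires_at] > now
    [200, { 'login' => 'octocat' }]
  end
end

# Backend-for-frontend: the only thing the browser ever holds is an opaque,
# HttpOnly session cookie. Access and refresh tokens stay inside @sessions.
class BffServer
  def initialize(provider)
    @provider = provider
    @sessions = {} # opaque session id => token set from the provider
  end

  # Called once the OAuth code exchange has completed server side.
  # Returns only a Set-Cookie value; the token never reaches the user agent.
  def login(now)
    sid = SecureRandom.hex(32)
    @sessions[sid] = @provider.issue(now)
    "sid=#{sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
  end

  # The front end calls this with nothing but its cookie; the server attaches
  # the token to the upstream call and renews it transparently on expiry.
  def api_me(cookie_header, now)
    sid  = cookie_header.to_s[/\bsid=([0-9a-f]{64})/, 1]
    sess = sid && @sessions[sid]
    return [401, { 'error' => 'no_session' }] unless sess
    if sess[:expires_at] <= now
      fresh = @provider.refresh(sess[:refresh_token], now)
      return [401, { 'error' => 'refresh_failed' }] unless fresh
      @sessions[sid] = sess = fresh
    end
    @provider.api_get(sess[:access_token], now)
  end
end

# Runs the flow end to end: login, API call, token expiry, transparent refresh,
# and a forged cookie that must be rejected. Timestamps are constructed values.
def demo_flow
  provider = FakeProvider.new
  bff      = BffServer.new(provider)
  t0       = 1_700_000_000
  cookie   = bff.login(t0)
  {
    cookie:          cookie,
    token_in_cookie: cookie.include?('access_token'),
    first:           bff.api_me(cookie, t0 + 10),
    later:           bff.api_me(cookie, t0 + FakeProvider::TTL + 1), # expired -> refreshed
    forged:          bff.api_me("sid=#{'0' * 64}", t0 + 10)
  }
end

p demo_flow if __FILE__ == $0
```

The front end is reduced to `fetch('/api/me', { credentials: 'include' })`: it has no token to leak through a redirect fragment, a referrer, or injected script, and if the session id is stolen the server can simply drop that entry. This is a demonstration of the pattern, not a description of how GitHub's OAuth clients are built.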
One more comment. Security flaws seem obvious, but getting security right is hard. It requires a lot of testing and effort to get everything right. This kid Homakov has a talent for finding holes, and it seems he has his heart in the right place, i.e. he isn't abusing it.
Really good work @homakov and I suggest you should start a web-security-school or something of the sort. I'm sure there is money in that field and you would be able to keep traveling around the world while doing it.
Why is GitHub so hostile to this kid? Just give him a job already! He obviously has a deep understanding of how things work. I would feel better knowing he worked for them.
Wow, really clever stuff! Also of note is the $4,000 reward he received from GitHub's bounty program — their largest to date, according to the email.
It would be great for educational purposes if a sample app were set up so this vulnerability could be tried on it. Most white-hat vulnerabilities are fixed by the time the white-hat blog posts come out, so there is no way to actually try them out.
Thanks for continuing to make GitHub safer for all, @homakov. Someday I might even host a private repo there again, but I haven't done that since your first mass-assignment exploit. You continue to prove that my decision was a good one.
Firstly, well done. It is good to see a well-done security eval.<p>But GitHub, seriously? Why do you guys fail so hard at security?<p>Too much brogrammer rather than programmer, methinks.