mailing list archives
Ruby on Rails github compromise
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 04 Mar 2012 22:39:54 -0700
Public Key Security Vulnerability and Mitigation
mojombo March 4, 2012
At 8:49am Pacific Time this morning a GitHub user exploited a
security vulnerability in the public key update form in order to add his
public key to the rails organization. He was then able to push a new
file to the project as a demonstration of this vulnerability.
As soon as we detected the attack we expunged the unauthorized key
and suspended the user.
At 9:53am Pacific Time this morning we rolled out a fix to the
vulnerability and started an investigation into the impact of the
attack. Database and log analysis have shown that the user compromised
three accounts (rails and two others that appear to have been proofs of
concept). All affected parties have been or will be contacted once we
are certain of the findings.
The root cause of the vulnerability was a failure to properly check
incoming form parameters, a problem known as the mass-assignment
vulnerability. In parallel to the attack investigation we initiated a
full audit of the GitHub codebase to ensure that no other instances of
this vulnerability were present. This audit is still ongoing, and I am
going to personally ensure that we have a strategy going forward to
prevent this type of vulnerability from happening again.
I sincerely apologize for allowing this to happen. Security is our
priority and I will be arranging additional external security audits
above and beyond our normal schedule to further test our security
measures and give you peace of mind.
Mass assignment in Rails applications:
Homakov (exploited this issue on Github:
"wow how come I commit in master? O_o "
Proposal for Improving Mass Assignment:
Responsible Disclosure Policy:
Whitelist all attribute assignment by default.:
What's New in Edge: Scoped Mass Assignment in Rails 3.1:
I think this potentially warrants a CVE, thoughts/comments?
Kurt Seifried Red Hat Security Response Team (SRT)
- Ruby on Rails github compromise Kurt Seifried (Mar 05)