by tmcdonald 5216 days ago
I'm not sure all the things you list as being possible are true.

  - Every GitHub Repository could be accessed by anyone as if they had full administrator privileges.
  - This means that anyone could commit to master. 
  - This means that anyone could reopen and close issues in issue tracker. 
  - Even the *entire* history of a project could be wiped out. Gone forever.
As I understand it from his explanation[1] he added his public key to the Rails user, which has permissions to push/pull to the repository. This doesn't mean he had web administrative access, just Git access, since you cannot log in to the web service using your private key. I hope that's the case, at least.

[1]: http://homakov.blogspot.com/2012/03/how-to.html

2 comments

The way he was able to add his key was via a web-based exploit, which effectively gave him administrative web access. So yes, the list is correct.
I thought that he added his public key to the Rails user through his own account settings, which wouldn't give him access to the Rails web admin.
This is correct. People who don't understand what a mass-assignment bug is are running with this story. It's like when we witness a DDoS and have to tolerate people who think it means that the targeted party was infiltrated.

This bug allowed one to add their public key to another user's account, and make changes to comments and issues.

What are the odds that there's a similar bug which allows changes to user accounts? If that's the case, then altering the password or email address is trivial.
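The comments above turn on what a mass-assignment bug actually is. The following is an added example, not code from this thread, from Homakov's post, or from GitHub/Rails: a plain-Ruby sketch of the pattern, with the vulnerable form beside a hardened one. No Rails is involved; the `PublicKey` class, the `create_key_*` functions, the session user id and the request hash are all constructed for illustration.

```ruby
# Added example (not from the thread): mass assignment in plain Ruby.
# The PublicKey class, SESSION_USER and REQUEST are constructed; nothing
# here is GitHub's or Rails' own code.

class PublicKey
  attr_accessor :user_id, :key

  def initialize(attrs = {})
    # Every key in the attribute hash becomes a writable attribute. Whether
    # this is safe depends entirely on what the caller puts in the hash.
    attrs.each { |name, value| public_send("#{name}=", value) }
  end
end

# Vulnerable controller-style action: the whole request hash is handed to
# the model, so a "user_id" supplied by the client is trusted and the key
# can be attached to an account the requester does not own.
def create_key_vulnerable(_session_user_id, params)
  PublicKey.new(params)
end

# Hardened action: only the attributes the form is meant to set are taken
# from the request (an explicit allow-list, the same intent as Rails'
# attr_accessible / strong parameters), and the owner always comes from
# the authenticated session, never from the request body.
PERMITTED = %w[key].freeze

def create_key_hardened(session_user_id, params)
  safe = params.select { |name, _| PERMITTED.include?(name.to_s) }
  safe["user_id"] = session_user_id
  PublicKey.new(safe)
end

# Constructed request: the logged-in user is 42, but the body also claims
# the key should belong to user 1 (a different account).
SESSION_USER = 42
REQUEST = {
  "key"     => "ssh-rsa AAAAB3...constructed-example-key",
  "user_id" => 1,
}.freeze

# Returns which account each variant attaches the key to.
def demo
  vulnerable = create_key_vulnerable(SESSION_USER, REQUEST)
  hardened   = create_key_hardened(SESSION_USER, REQUEST)
  { vulnerable_owner: vulnerable.user_id, hardened_owner: hardened.user_id }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point the example makes is the one the comment makes: the bug is about which model attributes a request is allowed to write, so the fix is an allow-list on the server side plus taking ownership fields from the session. A deployment can also log any request that carries fields outside the allow-list, which gives a cheap detection signal for probing of this kind.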
FWIW, that last bullet, aside from being the most egregious example of hyperbole in TFA, shows a complete lack of understanding of how git works.
Nothing in the article would lead one to believe he didn't understand the distributed nature of git repositories, but a lot in the article would lead one to believe he was specifically referring to the data loss issues on GitHub if someone wiped out a project.
If the project was deleted from GitHub, you'd just have to create a new one and push a local clone to it. That's hardly what that point is saying.