The reason is that its source code has been leaked!

From a blog post by the developer Resynth, I learned that in a suspicious commit submitted to GitHub's official DMCA repository, an unidentified person used a quirk of the GitHub web application to make the commit appear to come from GitHub CEO Nat Friedman, and used it to upload confidential source code.

All leaked files have been deleted

Everyone will be familiar with GitHub: it is a large code hosting platform that mainly provides project hosting and related services to enterprises and developers. Apple, Amazon, Google, Facebook and many other large technology companies are among its main customers. GitHub hosts more than 100 million repositories and serves 40 million developers.

As a result, news of the leak quickly rose to the top of Hacker News, and many developers expressed concern about the security of the GitHub platform.

GitHub CEO Friedman himself responded in that thread soon afterwards. He said,

GitHub was not hacked; part of the source code of GitHub Enterprise Server was leaked. Although the two share a lot of code, GitHub is mainly written in Ruby, and there are still big differences.

In addition, the cause of this incident was that a few months ago we inadvertently delivered an un-stripped/non-obfuscated tarball of the Enterprise Server source code to some customers. We are working hard to fix the platform bugs that let unauthorized and unknown persons arbitrarily steal and modify other people's projects through forged identities.

Finally, to reassure users, Friedman even quoted Browning's poem: everything is fine, the situation is normal, the lark's on the wing, the snail's on the thorn, all's right with the world!

However, developers did not buy this response. Judging from their complaints, GitHub's code management already has a number of weaknesses. For example, when a commit is submitted, Git does not verify the committer's identity at all. This poses a serious risk to source code, but the GitHub platform has never taken it seriously.

In addition, some said that it was precisely this flaw that allowed the unknown person to post confidential code under Friedman's name.

Git, the source code manager, has a flaw

Git is the distributed version control system GitHub uses to host source code. Simply put, it is a source code manager.

Its design has an obvious weakness: it offers little protection against one user passing off commits as another's. Specifically, uploading a commit is much like sending an email: the committer can enter anything at all in the author name and email fields. Unless a GPG key is bound to those two fields and the commit is signed with it, nothing checks that the stated source is genuine, so spoofing the identity is trivial.

The unknown person's commit evidently went through because no GPG (GNU Privacy Guard) signature tied to Friedman's key was required for those fields: an unsigned commit carrying his name and email is simply displayed as his.
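To make the point concrete, here is an added example (not code from the article, from Resynth's post or from GitHub) that assembles a raw Git commit object with a forged author line, computes its object id the way Git does, and shows that the only thing distinguishing an attributed commit from a spoofed one is the presence of a verifiable gpgsig header. The email address, parent id and signature text are constructed placeholders, not real data.

```python
import hashlib
import re

# Added example, not code from the article or from GitHub/Resynth.
# A raw git commit object is a plain-text header, a blank line and the
# message. The author and committer lines are free text supplied by
# whoever makes the commit; only a gpgsig header ties them to a key.
TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"   # id of git's empty tree
PARENT = "0" * 40                                    # constructed placeholder parent id

IDENT_RE = re.compile(r"^(?P<name>.+) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})$")


def build_commit(name, email, message, timestamp=1604880000, tz="+0000",
                 tree=TREE, parent=PARENT):
    """Assemble the raw text of a commit object the way git does.
    name/email are written verbatim: git never checks who they belong to."""
    ident = f"{name} <{email}> {timestamp} {tz}"
    return (f"tree {tree}\nparent {parent}\n"
            f"author {ident}\ncommitter {ident}\n\n{message}\n")


def commit_id(body):
    """Object id = sha1('commit <size>\\0' + body). The forged author is
    hashed in, so the id is real and addressable even though the
    identity behind it is not."""
    raw = body.encode()
    return hashlib.sha1(b"commit %d\0" % len(raw) + raw).hexdigest()


def parse_commit(body):
    """Split a raw commit into header fields and message. Continuation
    lines (leading space) belong to the previous key, as with gpgsig."""
    header, _, message = body.partition("\n\n")
    fields, key = {}, None
    for line in header.split("\n"):
        if line.startswith(" ") and key:
            fields[key] += "\n" + line[1:]
            continue
        key, _, value = line.partition(" ")
        fields[key] = value
    author = IDENT_RE.match(fields["author"])
    return {
        "author_name": author["name"],
        "author_email": author["email"],
        "signed": "gpgsig" in fields,   # presence only; validity needs the signer's key
        "message": message.rstrip("\n"),
    }


def display_identity(body):
    """What a viewer that trusts the header shows (git log, or the GitHub UI
    for an unsigned commit). The safe policy is to treat anything without a
    verifiable signature as unattributed."""
    info = parse_commit(body)
    label = f'{info["author_name"]} <{info["author_email"]}>'
    return label if info["signed"] else f"{label} (UNSIGNED: identity unverified)"


# Constructed placeholder: NOT a real signature. It only shows where git
# stores one; a real check would hand it to gpg together with the signer's key.
FAKE_SIG = "-----BEGIN PGP SIGNATURE-----\n \n iQEzBAAB...\n -----END PGP SIGNATURE-----"


def with_fake_signature(body):
    """Insert a gpgsig header after the committer line (layout only)."""
    header, _, message = body.partition("\n\n")
    return f"{header}\ngpgsig {FAKE_SIG}\n\n{message}"


if __name__ == "__main__":
    forged = build_commit("Nat Friedman", "nat@example.com",   # constructed email
                          "Add Enterprise Server source tarball")
    print(commit_id(forged))
    print(display_identity(forged))
    print(display_identity(with_fake_signature(forged)))
```

The same forgery takes one line against a real repository (`git -c user.name="Nat Friedman" -c user.email=... commit`), and the same check is `git log --show-signature` or the `%G?` placeholder of `git log --format`, which prints `N` for a commit that carries no signature at all.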

So, having got past that barrier, how did the unknown person get the commit to show up in the repository without touching any real account? Pushing a commit to a Git repository yields a hash that can be used to look up the commit and its tree. GitHub's web application exposes these underlying Git objects in the browser. Because GitHub keeps all forks of a repository in a single underlying repository (even though the URL structure does not normally reveal this), a commit from any fork can be addressed through the parent's URL.

To fake someone else's commit, the unknown person first forks the DMCA repository. In the fork, they commit the leaked source code with Friedman's name and email address forged in the author field. Viewed inside the fork this would give the game away: the URL still points at the impersonator's real username and repository.

But at the Git level, the parent and the fork are part of the same underlying repository, which lets the impostor craft a URL that shows the commit under the main repository instead of the fork.

So the counterfeiter starts from the main DMCA repository's URL and appends tree/$hash to it, where $hash is the hash of the commit pushed to the attacker's own fork.

The result is a URL on GitHub that presents the confidential code as a commit by Friedman, without Friedman's account ever being involved.
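The following added example (not from the article or from GitHub's code) models why the trick works: a fork network shares one object store, so the forged commit exists in the parent's store, but no ref of the parent repository leads to it. The commit graph and its ids are constructed placeholders; `reachable` is the check a practitioner would run to tell a genuine commit from fork-only content that merely renders under the parent's URL.

```python
# Added example, not the article's or GitHub's code. A fork network on GitHub
# shares one object store, so a commit pushed to any fork exists in the
# parent's store too; what distinguishes the repositories is only which
# refs (branches/tags) point at which commits. The graph below is constructed.
OBJECTS = {            # commit id -> parent ids (placeholder ids, not real hashes)
    "c1": [],
    "c2": ["c1"],
    "c3": ["c2"],      # tip of the parent repo's main branch
    "f1": ["c2"],      # the impersonator's commit, pushed only to the fork
}
PARENT_REFS = {"refs/heads/main": "c3"}
FORK_REFS = {"refs/heads/main": "c3", "refs/heads/leak": "f1"}


def reachable(commit, refs, objects):
    """True if `commit` is an ancestor of (or equal to) any ref tip."""
    seen, stack = set(), list(refs.values())
    while stack:
        cur = stack.pop()
        if cur == commit:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(objects.get(cur, []))
    return False


def classify(commit, repo_refs, objects):
    """What a /tree/<hash> URL on a repository actually resolves to."""
    if commit not in objects:
        return "missing"
    if reachable(commit, repo_refs, objects):
        return "in-repo"
    return "fork-only"     # renders under the repo's URL, but none of its refs lead here


def audit(refs, objects):
    """Objects present in the shared store that no ref of this repo reaches."""
    return sorted(c for c in objects if not reachable(c, refs, objects))


if __name__ == "__main__":
    for h in ("c2", "f1", "zz"):
        print(h, classify(h, PARENT_REFS, OBJECTS))
    print("unreachable from parent refs:", audit(PARENT_REFS, OBJECTS))
```

Against a real clone the same question is `git branch -a --contains <hash>`: an empty answer for a hash that nevertheless renders under the repository's URL is the signature of this trick, and a link that only contains `tree/<hash>` or `commit/<hash>` with no branch name deserves that check before anyone treats it as the project's own history.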

It is worth mentioning that, beyond the code security concerns, this incident has once again drawn developers' attention to GitHub's attitude toward open source. GitHub has long been criticized for not releasing its own source code, and just days earlier it had landed in another public-opinion storm for taking down the popular video downloader YouTube-dl.

The leak is widely thought to be the unknown developer's retaliation for the YouTube-dl takedown.

Perhaps related to the removal of YouTube-dl

Last month, at the request of the Recording Industry Association of America (RIAA), GitHub took down the popular open source project YouTube-dl, which had 75,000 stars.

The RIAA's stated reason was that YouTube-dl violated the DMCA's anti-circumvention provisions:

The explicit purpose of this source code is: 1) to circumvent the technical protection measures used by authorized streaming services such as YouTube; 2) to copy and distribute, without authorization, music videos and audio owned by member companies; 3) beyond YouTube, the source code supports downloading videos from more websites.

GitHub's takedown of YouTube-dl angered developers, who uploaded large numbers of copies of the code to GitHub in protest. A search for YouTube-dl on GitHub currently returns as many as 4,108 results.

GitHub's legal team subsequently had to issue a further warning, saying that those who keep publishing copies of the code may be blocked.

Please note that republishing a copy of the YouTube-dl code without following the process violates GitHub's DMCA policy and terms of service. If you continue to commit or post such content to repositories while knowingly violating the terms of service, we will delete it and may suspend access to your account.

Although the unknown person behind the leak has not commented publicly on the incident, some speculate that it may have been retaliation for GitHub's takedown of the project.

Moreover, in the thread under Friedman's response to the leak, many users voiced dissatisfaction with GitHub's removal of YouTube-dl under the DMCA.

Another user said that GitHub probably did this because Microsoft is a member of the RIAA. He said that what the DMCA requires to be taken down is not code belonging to its own copyright holders, and that GitHub, as an independent company that advocates open source, does not need to comply with the RIAA's illegal request.

It is clear that users' dissatisfaction stems from the ban running contrary to GitHub's original open-source ethos.

GitHub's open source spirit provokes controversy

In 2018, Microsoft acquired GitHub for $7.5 billion. The new CEO, Nat Friedman, said at the time that GitHub would always put developers first and operate independently.

Resynth also wrote in his blog: Microsoft has repeatedly emphasized its commitment to open source, as we often see in its many commercial advertisements. Its purpose is to put Microsoft at the forefront of open source development.

But now it seems that Microsoft has not kept that promise, and YouTube-dl is only the latest example. In fact, GitHub has long been criticized in the industry for keeping its own source code secret.

Resynth also pointed out that the incident raises worries about the security of GitHub's own source code, because closed-source applications practice "security by obscurity", hiding the source to reduce risk. If GitHub's source really does become public, its overall security may well suffer.

