Vulnerability in Github made it possible to modify other people's software

Developer platform Github is going to check its entire infrastructure for suspicious actions. Through a security error, attackers could obtain extra privileges and possibly add their own code to a project.

The security error has to do with the way Rails, the framework on which Github is built, handles the assignment of attributes (mass assignment). It allowed outsiders to modify values in the projects of developers who had not protected themselves against mass assignment, and thereby obtain full read and write access. Although developers can protect themselves against this abuse, in practice this often does not happen.
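The mechanism described above, as an added example in plain Ruby (this is not code from the article, from Github or from Rails): a constructed membership record that accepts a request body the way an unprotected Rails model does, beside a hardened version that only assigns whitelisted attributes, the role that `attr_accessible` plays in Rails. The model, attribute names and request parameters are all constructed for the example.

```ruby
# Added example (not code from the article, Github or Rails): a minimal
# simulation of Rails-style mass assignment, showing why a model without an
# attribute whitelist lets a request body set fields it was never meant to.

# Constructed model: a repository membership. 'role' decides read/write
# access and must only ever be set by the application, never from a form.
class Membership
  ATTRIBUTES = [:username, :display_name, :role].freeze
  # Only these may be set from request parameters (constructed whitelist).
  ACCESSIBLE = [:display_name].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(username:, role: "reader")
    @username = username
    @display_name = username
    @role = role
  end

  # Unprotected: every key in params is written to the same-named attribute,
  # the behaviour the article describes for models without protection.
  def update_attributes_unprotected(params)
    params.each do |key, value|
      name = key.to_sym
      raise ArgumentError, "unknown attribute #{key}" unless ATTRIBUTES.include?(name)
      instance_variable_set("@#{name}", value)
    end
    self
  end

  # Hardened: only whitelisted attributes may come from params. Anything else
  # is dropped and recorded in the log so the attempt stays visible.
  def update_attributes_protected(params, log: [])
    params.each do |key, value|
      name = key.to_sym
      if ACCESSIBLE.include?(name)
        instance_variable_set("@#{name}", value)
      else
        log << "rejected mass assignment of #{key}"
      end
    end
    self
  end
end

# Constructed request body: one legitimate field plus a privileged one that a
# user should never be able to set through a form.
REQUEST_PARAMS = { "display_name" => "Alice", "role" => "owner" }.freeze

# Role the record ends up with when the unprotected path handles the request.
def unprotected_result
  Membership.new(username: "alice").update_attributes_unprotected(REQUEST_PARAMS).role
end

# [role, display_name, log] after the hardened path handles the same request.
def protected_result
  log = []
  m = Membership.new(username: "alice").update_attributes_protected(REQUEST_PARAMS, log: log)
  [m.role, m.display_name, log]
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected role: #{unprotected_result}"    # => owner (privilege gained)
  role, name, log = protected_result
  puts "protected role: #{role}, name: #{name}"      # => reader, Alice
  log.each { |line| puts line }
end
```

The design point is that the whitelist lives on the model, not in each controller: a single forgotten check in a controller is exactly the gap the article describes, whereas a model-level whitelist applies to every code path that assigns attributes.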

As a result, many Rails projects, and so also all Github projects, were vulnerable to abuse. The flaw could be exploited on any Rails site where the input is not properly filtered. The Linux kernel, Posterous, Speakerdeck, Scribd and developer platform Github itself were thus 'vulnerable'. Projects can be protected from third parties, and within a project different roles are assigned. Through the error, malicious changes to the code could be committed, and that commit, or even the entire project, could be deleted.

The error at the root of the problem was discovered and made public a few days ago by the Russian hacker Egor Homakov. To demonstrate his finding, Homakov exploited the vulnerability to associate his public key with the Rails development team. This let him pose as a Rails developer, and he was actually able to add a new file to the Rails project. It is not known why the hacker chose this approach. Although he had already been in contact with Github about his discovery at an earlier stage, he may have chosen not to report his second discovery first out of dissatisfaction with the Rails developers' response.

Homakov had initially shared his first discovery via Github, but the Rails developers stated that it is not a security issue in Rails and closed his issue. The Rails developers came in for considerable criticism over the way they responded.

Github has now rolled out a fix that should prevent attackers from gaining additional rights on Github-hosted projects in this way. Because the consequences of any misuse would be far-reaching, the developer platform has announced that it is auditing its complete codebase to see whether the leak was abused previously.

Github is used by developers as a hosting platform for their code, which they can commit to the Github project from their workstation in a simple way. The platform provides version control and an event tracker for this.
