
Github community in turmoil after hacker exposes massive security flaw

Github, the service that many professional programmers use to store their work and collaborate on coding, was hacked over the weekend. A young Russian named Egor Homakov showcased a loophole in Github that would allow anyone to commit to the master copy of a project, meaning they could alter or delete the source code. But when his account was suspended by Github, a furious argument broke out among developers about his intentions. Was he doing the community a service by exposing the flaw, or taking things too far with a very public hack?

It seems that four days ago Homakov tried to alert the folks behind Rails, one of the most popular programming languages, and the one used to create Github itself, about the security flaw. There was some back and forth for a day, and eventually the powers that be decided to close the thread, writing that “There was a proposal about changing that flag in #4062 and the consensus is the pros of the default configuration outweigh the pros of the alternative.”

But Homakov wasn’t going to go down without a fight. Since he couldn’t get things fixed through the proper channels, he decided to use the exploit himself. He used the loophole to give himself access to the Ruby on Rails code repository and left a message confirming that any project on Github was indeed vulnerable. He didn’t change any code or do anything malicious.

When Github saw what happened, they suspended Homakov’s account, which created a firestorm of protest. A blog post entitled, Github, You Have Let Us All Down shot to the top of Hacker News, the world’s biggest news board for programmers. Github users threatened to pack up their projects and head to alternative services, claiming they felt vulnerable to hackers and betrayed by the response.

In the end, Github restored Homakov’s account and issued a public apology. It was a reminder that Github, which has become the de facto platform for collaborative coding, needs to take security very seriously. Software engineers often use their Github accounts as resumes when applying for jobs, so they have to feel their work is safe from tampering.

It was also an example of the wisdom of the crowd getting things wrong. Github exemplifies the benefits of open collaboration. In this case, though, the crowd got it wrong, and it took a single contrarian, willing to work by any means necessary, to show the community the danger it was in.


Mobile developer or publisher? VentureBeat is studying mobile marketing automation. Fill out our 5-minute survey, and we'll share the data with you.