Five Exploits at GitHub

Thursday, February 13, 2014 @ 03:02 AM gHale


Software development hosting service GitHub learned of five low-severity vulnerabilities that, when combined, could cause a major security problem.

Researcher Egor Homakov discovered the high-severity exploit when he combined five low-severity flaws to gain access to private GitHub repositories. Exploiting the five vulnerabilities separately can’t cause too much damage; it’s the combination that does the trick.

The vulnerabilities affect how the company implements the authentication protocol OAuth. They include a partial open redirect, a Gist Camo bypass that allows referrer leakage, abuse of markdown caching, an OAuth token stored in the CookieStore session, and automatic approval of arbitrary OAuth scope for Gist.

OAuth allows web services and applications to access GitHub user accounts without sharing passwords. But the protocol is complex, and using it is likely to cause errors that leave systems vulnerable. Homakov combined a bypass of redirect_uri validation with an access token vulnerability, which left a major security hole.

Homakov’s report was in response to a new bug-bounty program that has security researchers eager to crack the code repository. Soon after receiving Homakov’s report about his discovery, GitHub fixed the vulnerabilities and paid the researcher $4,000, the company’s biggest reward to date.
