
It would be interesting to know the details of the vulnerability. Given that they've patched it, it would be good to see what the error was in case others are affected.

Was this Rails-related and what was it?



It was a mass assignment vulnerability in our code.


There are a number of articles that surfaced on Sunday/Monday, but in short, yes - it was a Rails mass-assignment vulnerability.


I'd like to point out that this is not a rails vulnerability, but a mistake Github engineers made, which happens to the best of us. Mass assignment is a feature and I guarantee the problem has been known for years and Github engineers were probably well aware of it.


It most certainly is a vulnerability in rails, by encouraging bad practice by design. Mass assignment should work by defaulting attributes to protected, if it should exist at all.
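The "protected by default" point above, as an added example that is not code from GitHub, Rails or the commenter: a plain-Ruby stand-in for ActiveRecord mass assignment (no Rails needed), with the insecure-by-default update beside an allowlisted one. The Account class, the constructed params, and the method names are assumptions.

```ruby
# Added example (not GitHub's code, not Rails): a minimal stand-in for
# ActiveRecord mass assignment. The class, params and method names are
# constructed for illustration.

# Constructed request params: a user editing their own profile, with an
# extra "role" key that no form exposes but any client can send.
PARAMS = { "email" => "alice@example.test", "role" => "admin" }

class Account
  attr_accessor :email, :role

  def initialize(email, role)
    @email, @role = email, role
  end

  # Insecure by default (the behaviour the thread objects to): every key in
  # the hash becomes a setter call, so a client-supplied "role" silently
  # escalates the account.
  def update_attributes_unsafe(attrs)
    attrs.each { |name, value| public_send("#{name}=", value) }
    self
  end

  # Protected by default: only explicitly listed attributes are assignable,
  # the discipline attr_accessible / strong parameters enforce, written out
  # here by hand. Rejected keys are logged, which is what detection keys on.
  ACCESSIBLE = %w[email].freeze

  def update_attributes_safe(attrs, log: [])
    attrs.each do |name, value|
      if ACCESSIBLE.include?(name)
        public_send("#{name}=", value)
      else
        log << "rejected protected attribute #{name}"
      end
    end
    self
  end
end

# Run both updates against the same starting record and report the outcome.
def demo
  log = []
  unsafe = Account.new("old@example.test", "user").update_attributes_unsafe(PARAMS)
  safe   = Account.new("old@example.test", "user").update_attributes_safe(PARAMS, log: log)
  { unsafe_role: unsafe.role, safe_role: safe.role, safe_email: safe.email, log: log }
end

puts demo.inspect if __FILE__ == $0
```

The unsafe path ends with role "admin"; the safe path keeps "user", updates only the email, and leaves a log line for the rejected key.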


And yet they still fell prey to it. Insecure by default is not secure, even if you can fix the insecurities.


The same way magic_quotes was a "feature".



