Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
gitlog57636yhttps://www.githubstatus.com/ is online and says it's github.com online but I can't visit
Anyone else having a problem? -
C0D4669026yThis is just follow on from the docker attack.
This was just a matter of time before repos started being held to ransom, which is why you always have a backup outside of git. -
I may be missing something here, but isn't it a bit stupid to hold a GitHub repo hostage when, by the very distributed nature of Git, everyone who has cloned the repo already has the entire history of it?
I mean, usually you'll have your own local copy of the repo. Even if it's slightly outdated, it's not much harm done, right? -
gitlog57636y
-
@gitlog That's a good point. Maybe the underlying problem here is that too many people use Git(la|hu)b|Bitbucket as the main source of truth for their repos, instead of it being their own local working copies, as it should be.
-
So... how did they get ahold of those passwords, api keys, etc.? Brute force, password db? Was there vulnerability in git? I don't get it.
@ethernetzero there was also the threat of making public a private repo.
Someone could also push a commit causing a vulnerability in any project. It's scary.
But yes, what you're saying makes sense for a lot of cases. Git repos usually can't just be deleted -
gitlog57636y@erandria there were some tokens in third party apps whose tokens got stolen (as specified by github in the joint blog)
I recommend you to visit the link once -
@gitlog I'm sorry, I swear read the whole thing and got most of it except that part.
How can someone steal a token from a third party app in the first place?
Can third party apps push commits with those tokens?
How does 2FA stop this?
nothing is making sense in me... -
gitlog57636y@erandria I guess they are asking people to implement 2FA just in case instead of tokens actually passwords were revealed as they also don't completely know how this all started
2FA doesn't affect the party to whom token was designated, the ability to push commits.
It depends on the type of token (which is generally stored in database only and don't have a specific series or something) if the party can push
This is as far as I know -
gitlog57636y@erandria as they said
"
Through immediate independent investigations, all three companies observed that user accounts were compromised using legitimate credentials including passwords, app passwords, API keys, and personal access tokens.
"
And also, they suspect gitconfig files' leak responsible they have also specified recommendations regarding that -
@gitlog They weote that there was leakage by third party apps
I would appreciate if they disclosed which ones. That's the weird part to me, that they don't address that.
I would not want to use a github app with poor token storage security.
Related Rants
Git ransom attack
https://github.blog/2019-05-14-git-...
rant
github
bitbucket
gitlab
git ransom