Rookie coding error before Gab hack comes from the site’s CTO


Over the weekend, news broke that a hacker had breached the right-wing social media site Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw, an SQL injection. A quick review of Gab's open source code shows that the critical vulnerability, or at least one very much like it, was introduced by the company's chief technology officer.

The change, known in software development parlance as a 'git commit', was made sometime in February by Fosco Marotto, a former Facebook software engineer who became Gab's CTO in November. On Monday, Gab removed the git link from its website. Below is an image showing the February software change, as captured by a website that provides saved snapshots.

The commit shows that a software developer using the name Fosco Marotto introduced exactly the kind of rookie bug that could lead to the kind of breach reported over the weekend. Specifically, line 23 strips out 'reject' and 'filter', which are API functions that implement a programming idiom that protects against SQL injection attacks.

Developers: User input must be sanitized

With this idiom, programmers can safely compose an SQL query that "sanitizes" the input that website visitors enter into search boxes and other web fields, ensuring that any malicious commands are removed before the text is passed to the backend servers. In their place, the developer added a call to the Rails function that contains the "find_by_sql" method, which accepts unsanitized input directly into a query string. Rails is a widely used toolkit for website development.
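As an added illustration (not Gab's or Rails's own code) of the difference the commit made: the interpolated form hands raw input to the database, while the Array form of find_by_sql quotes each bind value before it reaches the query. The helpers below are simplified stand-ins for what ActiveRecord does, the table and column names are assumed, and the last function is a code-review check that flags the unsafe call pattern in Ruby source.

```ruby
# Added example, not Gab's or Rails's own code. Stand-ins for the two ways
# of calling find_by_sql, plus a review check for the unsafe one. Table and
# column names are assumed; no database connection is needed to run it.

# Escape one value as a single-quoted SQL literal (standard SQL quoting).
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Simplified version of what ActiveRecord does for the Array form,
#   Account.find_by_sql(["SELECT * FROM accounts WHERE name = ?", name])
# Each "?" becomes a quoted literal, so input cannot alter the statement.
def sanitize_sql_array(sql, binds)
  parts = sql.split("?", -1)
  raise ArgumentError, "bind count mismatch" unless parts.size - 1 == binds.size
  parts.zip(binds.map { |b| quote_literal(b) } + [""]).flatten.join
end

# The pattern the commit introduced: raw input interpolated into the SQL
# string, i.e. what find_by_sql("... #{term} ...") sends to the database.
# A single quote in the input closes the literal and changes the query.
def build_unsafe(term)
  "SELECT * FROM accounts WHERE display_name LIKE '%#{term}%'"
end

# The parameterised equivalent, matching find_by_sql([sql, binds]).
def build_safe(term)
  sanitize_sql_array("SELECT * FROM accounts WHERE display_name LIKE ?", ["%#{term}%"])
end

# Review check: find_by_sql called with a string literal that interpolates
# (#{...}) or concatenates (+) values. Heuristic; assumes one call per line.
UNSAFE_CALL = /find_by_sql\s*\(?\s*(?:"[^"]*#\{|["'].*?["']\s*\+)/

# Returns [line_number, stripped_line] for each suspicious call in source.
def flag_unsafe_find_by_sql(source)
  source.each_line.with_index(1)
        .select { |line, _| line =~ UNSAFE_CALL }
        .map { |line, n| [n, line.strip] }
end

if __FILE__ == $0
  puts build_unsafe("O'Brien")   # the quote breaks out of the literal
  puts build_safe("O'Brien")     # the quote is doubled and stays inside it
end
```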

"Unfortunately, Rails documentation does not warn you about this pitfall, but if you know anything about the use of SQL databases in web applications, you would have heard of SQL injection, and it is not difficult to come across warnings that the find_by_sql method is not safe," wrote Dmitry Borodaenko, a former Facebook production engineer who brought the commit to my attention. "It's not 100% confirmed that this is the vulnerability used in the Gab data breach, but it could have been, and this code change is reverted in the most recent commit found in their GitLab repository before they took it offline."

Ironically, in 2012 Fosco warned fellow programmers to use parameterized queries to prevent SQL injection vulnerabilities. Marotto did not respond to a request for comment on this post. Attempts to contact Gab directly were unsuccessful.

Revisionist history

Aside from the questions being raised about Gab's process for developing secure code, the social media site is also being criticized for removing the links from its site. Critics say the move violates the terms of the Affero General Public License, which governs Gab's reuse of Mastodon, an open source software package for running social networking platforms.

Critics say the removal violates terms that require the forked source code to be linked directly from the site. The requirements are intended to provide transparency and allow other open source developers to benefit from the work of their peers at Gab.

Gab had long provided links at https://code.gab.com/. Then, on Monday, the site abruptly removed all of the links, including those to the commits that introduced and fixed the critical SQL injection vulnerability. In their place, Gab provided source code in the form of a zip archive protected by the password "JesusChristIsKingTrumpWonTheElection" (minus the quotes).

Representatives of the Mastodon project did not immediately respond to an email asking whether they share the critics' concerns.

In addition to the questions about secure coding and license compliance, Gab's git history also appears to show that the company's developers are struggling to revert their vulnerable code. The image below shows someone using the username "developer" attempting to revert the code that contains the SQL injection vulnerability.

Participants in the thread respond sarcastically to the problems the developer appears to be having.

Gab's security breach and its behind-the-scenes handling of the code before and after the incident provide a case study for developers in how not to maintain the security and transparency of a website's code. The lesson is all the more weighty because the commit came from Gab's CTO, who of all people should have known better.
