The rookie coding error before the Gab hack came from the website’s CTO

Gab.com

Over the weekend, news broke that a hacker breached the far-right social media site Gab and downloaded 70 gigabytes of data exploiting a common security hole known as SQL injection. A quick review of Gab’s open source code shows that the critical vulnerability – or at least a very similar one – was introduced by the company’s chief technology officer.

The change, which in software development jargon is known as a “git commit”, was made in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab’s CTO. On Monday, Gab removed the git commit from its website. Below is an image showing the February software change, as shown on a website that provides saved commit snapshots.

The commit shows a software developer using the name Fosco Marotto making precisely the type of rookie error that can lead to the type of breach reported this weekend. Specifically, line 23 removes the “reject” and “filter” code, which are API functions that implement a programming idiom that protects against SQL injection attacks.

Developers: sanitize your user input

This idiom allows programmers to compose an SQL query in a safe manner that “sanitizes” the entries that website visitors enter in search boxes and other web fields, ensuring that any malicious commands are eliminated before the text is passed on to the backend servers. In its place, the developer added a call to the Rails function that contains the “find_by_sql” method, which accepts unsanitized input directly into a query string. Rails is a widely used website development toolkit.
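As an added illustration (not code from Gab’s repository or from Rails itself), the following Ruby check scans source lines for the find_by_sql pattern described above: a query string built with `#{...}` interpolation or `+` concatenation is flagged, while the bind-array form, in which the values are passed separately and quoted by the database adapter, is accepted. The sample lines it scans are constructed for this example.

```ruby
# Minimal static check for the find_by_sql pitfall: a string argument built with
# #{...} interpolation or + concatenation splices request input into the query text,
# whereas the bind-array form find_by_sql(["... WHERE id = ?", id]) lets the database
# adapter quote the value. (Added illustration; not code from Gab or from Rails.)

FIND_BY_SQL = /find_by_sql\s*\(?\s*(.*)/

# Returns :unsafe, :safe, :review, or nil when the line has no find_by_sql call.
def classify_find_by_sql(line)
  m = FIND_BY_SQL.match(line)
  return nil unless m
  arg = m[1].strip
  # Bind-array form: values are passed separately and quoted by Active Record.
  return :safe if arg.start_with?("[")
  # Double-quoted literal containing #{...}: raw input becomes part of the SQL.
  return :unsafe if arg =~ /\A"(?:[^"\\]|\\.)*#\{/
  # A quoted literal followed by "+": concatenation has the same effect.
  return :unsafe if arg =~ /\A(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*\+/
  # A variable, heredoc or helper call: cannot be judged from a single line.
  :review
end

# Scans Ruby source and returns [line_number, verdict, text] for every
# find_by_sql call that is not in the bind-array form.
def scan_source(source)
  source.each_line.with_index(1).filter_map do |line, no|
    verdict = classify_find_by_sql(line)
    [no, verdict, line.strip] if verdict && verdict != :safe
  end
end

# Constructed sample input (not lines from Gab's repository).
SAMPLE = <<~'RUBY'
  Account.find_by_sql("SELECT * FROM accounts WHERE username = '#{params[:q]}'")
  Account.find_by_sql(["SELECT * FROM accounts WHERE username = ?", params[:q]])
  Status.find_by_sql("SELECT * FROM statuses WHERE text LIKE '%" + term + "%'")
  Status.find_by_sql(query)
RUBY

scan_source(SAMPLE).each { |no, verdict, text| puts "line #{no}: #{verdict} -> #{text}" }
```

Lines reported as :review (a variable or helper call as the argument) still need a human to confirm the string was built with bind parameters rather than interpolation further up.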

“Unfortunately the Rails documentation doesn’t warn you about this pitfall, but if you know anything about using SQL databases in web applications, you’ve heard of SQL injection and it’s not hard to find warnings that the find_by_sql method isn’t safe,” wrote Dmitry Borodaenko, a former Facebook production engineer who called my attention to the commit in an email. “It is not 100% confirmed that this is the vulnerability that was used in Gab’s data breach, but it definitely could have been, and that code change is reversed in the most recent commit that was present in their GitLab repository before being taken offline.”

Ironically, Fosco in 2012 warned other programmers to use parameterized queries to avoid SQL injection vulnerabilities. Marotto did not respond to an email asking for comments on this post. Attempts to contact Gab directly were unsuccessful.

Revisionist History

In addition to the commit raising questions about Gab’s process for developing secure code, the social media site is also facing criticism for removing commits from its site. Critics say the measure violates the terms of the Affero General Public License, which governs the reuse of Mastodon, an open source software package to host social media platforms.

Critics say the removal violates terms that require the forked source code to be directly linked to the site. The requirements are intended to provide transparency and allow other open source developers to benefit from the work of their colleagues at Gab.

Gab has long been providing commits at https://code.gab.com/. Then, on Monday, the site suddenly removed all commits – including those that created and fixed the critical SQL injection vulnerability. In its place, Gab provided the source code in the form of a Zip file protected by the password “JesusChristIsKingTrumpWonTheElection” (without the quotes).

Representatives of the Mastodon project did not immediately respond to an email asking whether they shared the critics’ concerns.

In addition to questions about secure coding and license compliance, Gab’s git commits also seem to show the company’s developers struggling to fix its vulnerable code. The image below shows someone using the username “developer” trying, unsuccessfully, to fully fix the code that contains the SQL injection vulnerability.

Thread participants respond by sarcastically pointing out the difficulty the developer seemed to be having.

Gab’s security breach, and its behind-the-scenes handling of the code before and after the incident, provide a case study for developers on how not to maintain the security and transparency of a website’s code. The lesson is all the more important because the vulnerability was introduced from the account of Gab’s CTO, who of all people should know better.
