Rookie coding mistake prior to Gab hack came from site’s CTO

by Dan Goodin, Ars Technica
[Image (credit: Gab.com)]

Over the weekend, word emerged that a hacker breached the far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as SQL injection. A quick review of Gab's open source code shows that the critical vulnerability, or at least one very much like it, was introduced by the company's chief technology officer.

The change, which in the parlance of software development is known as a "git commit," was made sometime in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab's CTO. On Monday, Gab removed the git commit from its website. Below is an image of the February software change, as preserved by a site that provides saved commit snapshots.

[Image: the February git commit (credit: Archive.vn)]

The commit shows a software developer using the name Fosco Marotto introducing precisely the type of rookie mistake that could lead to the kind of breach reported this weekend. Specifically, line 23 strips the code of "reject" and "filter," which are API functions that implement a programming idiom that protects against SQL injection attacks.
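The idiom the article refers to is parameter binding: the statement's shape is fixed in code and user input is only ever handed to the database as a value, never spliced into the SQL text. The example below is added here and is not code from the article or from Gab's repository; it assumes a Ruby codebase (Gab's platform is a fork of Mastodon, a Ruby on Rails application) and uses a simplified stand-in for the placeholder substitution that ActiveRecord's `where(["... = ?", value])` performs. The function names `unsafe_lookup`, `safe_lookup`, `quote_literal` and `bind` are this example's own.

```ruby
# Added example, not from the Ars Technica article or Gab's code: contrasts
# building a SQL statement by string interpolation with binding user input
# through a `?` placeholder. `quote_literal` and `bind` are a simplified
# stand-in for what ActiveRecord's sanitizing helpers do.

# Unsafe: the user-supplied value becomes part of the statement text, so
# a quote character in the input ends the literal and the rest is parsed
# as SQL.
def unsafe_lookup(username)
  "SELECT * FROM accounts WHERE username = '#{username}'"
end

# Quote a single value as a SQL literal: strings get single quotes with
# any embedded single quote doubled (standard SQL escaping); integers and
# nil are emitted as a bare number or NULL.
def quote_literal(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else              "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each `?` placeholder with its quoted parameter, left to right.
# A mismatch between placeholders and parameters raises, so a missing
# binding fails loudly instead of producing a silently malformed query.
def bind(sql, *params)
  placeholders = sql.count("?")
  unless placeholders == params.size
    raise ArgumentError, "expected #{placeholders} params, got #{params.size}"
  end
  idx = -1
  sql.gsub("?") { quote_literal(params[idx += 1]) }
end

# Safe: the statement shape never changes; whatever the input contains,
# it can only ever be a string literal compared against `username`.
def safe_lookup(username)
  bind("SELECT * FROM accounts WHERE username = ?", username)
end

if __FILE__ == $0
  # Constructed sample input containing a quote and a comment marker.
  payload = "' OR 1=1 --"
  puts "unsafe: #{unsafe_lookup(payload)}"
  puts "safe:   #{safe_lookup(payload)}"
end
```

Run stand-alone, the unsafe version yields `... WHERE username = '' OR 1=1 --'`, a statement whose condition is always true, while the safe version yields `... WHERE username = ''' OR 1=1 --'`, a comparison against one odd-looking string. Note that this helper performs client-side quoting; a real adapter using server-side prepared statements never merges the value into the SQL text at all, which is the stronger form of the same idiom and the reason a code review should flag any change that replaces a bound parameter with interpolation.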
