11-06-2020 , 02:54 AM
https://www.zdnet.com/article/github-den...ng-hacked/ GitHub denies getting hacked
Someone attached a copy of the GitHub Enterprise Server source code to GitHub's DMCA section, but the GitHub CEO said they mistakenly leaked that code months ago.
Catalin Cimpanu
By Catalin Cimpanu for Zero Day | November 5, 2020 -- 14:06 GMT (06:06 PST) | Topic: Security GitHub has denied rumors today of getting hacked after a mysterious entity shared what they claimed to be the source code of the GitHub.com and GitHub Enterprise portals.
The "supposed" source code was leaked via a commit to GitHub's DMCA section.
The commit was also faked to look like it originated from GitHub CEO Nat Friedman.
But in a message posted on YCombinator's Hacker News portal, Friedman denied that it was him and that GitHub got hacked in any way.
Friedman said the "leaked source code" didn't cover all of GitHub's code but only the GitHub Enterprise Server product. This is a version of GitHub Enterprise that companies can run on their own on-premise servers in case they need to store source code locally for security reasons but still want to benefit from GitHub Enterprise features.
Friedman said this source code had already leaked months before due to its own error when GitHub engineers accidentally "shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers." Friedman promised that GitHub was going to fix the two bugs exploited by the leaker and prevent unauthorized parties from attaching their code to other people's projects via faked identities.
"In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all's right with the world," Friedman said.
NOT THE FIRST TIME
But this is not the first time that this happened on GitHub.
One of the two bugs was used just days earlier when a security researcher attached the source code of the youtube-dl library to GitHub's DMCA section.
The security researcher's gesture came as a form of protest after GitHub decided to honor a suspicious DMCA takedown request against the youtube-dl library from music recording industry group RIAA. While the mystery leaker never explained their actions, it is believed that the person who leak the GitHub Enterprise Server code was also protesting against GitHub's decision to honor RIAA's DMCA request and take down youtube-dl, a project that lets users download raw audio and video files from YouTube and other services — which RIAA argued was heavily used to pirate its songs catalog.
For the past week, hundreds of other users have been re-uploading the youtube-dl code on their own accounts and daring RIAA to send them a DMCA request too. GitHub has warned users not to do so, as they risk getting banned by its automated systems.
Someone attached a copy of the GitHub Enterprise Server source code to GitHub's DMCA section, but the GitHub CEO said they mistakenly leaked that code months ago.
Catalin Cimpanu
By Catalin Cimpanu for Zero Day | November 5, 2020 -- 14:06 GMT (06:06 PST) | Topic: Security GitHub has denied rumors today of getting hacked after a mysterious entity shared what they claimed to be the source code of the GitHub.com and GitHub Enterprise portals.
The "supposed" source code was leaked via a commit to GitHub's DMCA section.
The commit was also faked to look like it originated from GitHub CEO Nat Friedman.
But in a message posted on YCombinator's Hacker News portal, Friedman denied that it was him and that GitHub got hacked in any way.
Friedman said the "leaked source code" didn't cover all of GitHub's code but only the GitHub Enterprise Server product. This is a version of GitHub Enterprise that companies can run on their own on-premise servers in case they need to store source code locally for security reasons but still want to benefit from GitHub Enterprise features.
Friedman said this source code had already leaked months before due to its own error when GitHub engineers accidentally "shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers." Friedman promised that GitHub was going to fix the two bugs exploited by the leaker and prevent unauthorized parties from attaching their code to other people's projects via faked identities.
"In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all's right with the world," Friedman said.
NOT THE FIRST TIME
But this is not the first time that this happened on GitHub.
One of the two bugs was used just days earlier when a security researcher attached the source code of the youtube-dl library to GitHub's DMCA section.
The security researcher's gesture came as a form of protest after GitHub decided to honor a suspicious DMCA takedown request against the youtube-dl library from music recording industry group RIAA. While the mystery leaker never explained their actions, it is believed that the person who leak the GitHub Enterprise Server code was also protesting against GitHub's decision to honor RIAA's DMCA request and take down youtube-dl, a project that lets users download raw audio and video files from YouTube and other services — which RIAA argued was heavily used to pirate its songs catalog.
For the past week, hundreds of other users have been re-uploading the youtube-dl code on their own accounts and daring RIAA to send them a DMCA request too. GitHub has warned users not to do so, as they risk getting banned by its automated systems.