Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Programming Security

Rookie Coding Mistake Prior To Gab Hack Came From Site's CTO (arstechnica.com) 164

An anonymous reader quotes a report from Ars Technica: Over the weekend, word emerged that a hacker breached far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as an SQL injection. A quick review of Gab's open source code shows that the critical vulnerability -- or at least one very much like it -- was introduced by the company's chief technology officer. The change, which in the parlance of software development is known as a "git commit," was made sometime in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab's CTO. On Monday, Gab removed the git commit from its website. Below is an image showing the February software change, as shown from a site that provides saved commit snapshots.

The commit shows a software developer using the name Fosco Marotto introducing precisely the type of rookie mistake that could lead to the kind of breach reported this weekend. Specifically, line 23 strips the code of "reject" and "filter," which are API functions that implement a programming idiom that protects against SQL injection attacks. This idiom allows programmers to compose an SQL query in a safe way that "sanitizes" the inputs that website visitors enter into search boxes and other web fields to ensure that any malicious commands are stripped out before the text is passed to backend servers. In their place, the developer added a call to the Rails function that contains the "find_by_sql" method, which accepts unsanitized inputs directly in a query string. Rails is a widely used website development toolkit.

"Sadly Rails documentation doesn't warn you about this pitfall, but if you know anything at all about using SQL databases in web applications, you'd have heard of SQL injection, and it's not hard to come across warnings that find_by_sql method is not safe," Dmitry Borodaenko, a former production engineer at Facebook who brought the commit to my attention wrote in an email. "It is not 100% confirmed that this is the vulnerability that was used in the Gab data breach, but it definitely could have been, and this code change is reverted in the most recent commit that was present in their GitLab repository before they took it offline." Ironically, Fosco in 2012 warned fellow programmers to use parameterized queries to prevent SQL injection vulnerabilities.

This discussion has been archived. No new comments can be posted.

Rookie Coding Mistake Prior To Gab Hack Came From Site's CTO

Comments Filter:
  • Former Facebook engineers don't make rookie coding mistakes. More likely the account was compromised.
    • by Tough Love ( 215404 ) on Tuesday March 02, 2021 @10:43PM (#61118406)

      You left off the /s

    • Re:smells fishy (Score:5, Insightful)

      by NateFromMich ( 6359610 ) on Tuesday March 02, 2021 @10:44PM (#61118408)

      Former Facebook engineers don't make rookie coding mistakes. More likely the account was compromised.

      Yeah, you might like to believe that, but I bet he just screwed up.
      Even if his account was compromised, then now you're probably talking about a different rookie mistake.

      • Re:smells fishy (Score:5, Insightful)

        by Antique Geekmeister ( 740220 ) on Wednesday March 03, 2021 @12:39AM (#61118638)

        i can attest that even a brilliant, experienced engineer can make a mistake, especially when doing tests by disabling security features and accidentally leaving them disabled.

        • i can attest that even a brilliant, experienced engineer can make a mistake, especially when doing tests by disabling security features and accidentally leaving them disabled.

          One wouldn't normally check those changes into the repository ...

          • by perpenso ( 1613749 ) on Wednesday March 03, 2021 @04:47AM (#61118916)

            i can attest that even a brilliant, experienced engineer can make a mistake, especially when doing tests by disabling security features and accidentally leaving them disabled.

            One wouldn't normally check those changes into the repository ...

            Unless one makes a rookie mistake :-), like failing to check the diff to make sure debugging code or other unwanted changes are present.

          • One wouldn't normally check those changes into the repository ...

            Of course one would normally. That's how mistakes are created. A team of people with independent verification of commits wouldn't normally check those into the repository. But if you're ever talking about "one" person making a mistake then all bets are off.

        • by jythie ( 914043 )
          Yeah, I have yet to meet an experienced developer who does not occasionally make rookie mistakes, esp when they are on a deadline or distracted or any number of other pressures that are going to be common on newly launched sites. This is why good, careful shops have a review process since that is how you catch things, not by simply hoping that experience eliminates them.
    • by mykepredko ( 40154 ) on Tuesday March 02, 2021 @11:05PM (#61118470) Homepage

      Next you'll be suggesting that Antifa put in the git commit.

    • Re:smells fishy (Score:4, Insightful)

      by dbialac ( 320955 ) on Tuesday March 02, 2021 @11:09PM (#61118484)
      Or it was done intentionally.
      • Took it right out of my mouth. It could very well be a deliberate sabotage, especially since it was made against a site which notoriously has many users of a specific political ideology.
    • Re:smells fishy (Score:5, Informative)

      by thadtheman ( 4911885 ) on Tuesday March 02, 2021 @11:40PM (#61118546)

      Your logic doesn't necessarily hold, but there is one aspect which suggests thatg your conclusion is right.

      Looking at the code, AFAICSI, a safe query was replaced with an unsafe query. The change would have no other effect. So it would seem to be a deliberate backdoor introduced.

      • Looking at the code, AFAICSI, a safe query was replaced with an unsafe query. The change would have no other effect.

        Perhaps the CTO thought that it might speed up the code? Perhaps the CTO is a moron who just wanted to simplify the codebase (it was a lot fewer lines).

      • by Luthair ( 847766 )
        I'm not a ruby guy, but to me the new query looks likely to be significantly more complex than the original one.
      • Your logic doesn't necessarily hold, but there is one aspect which suggests thatg your conclusion is right.

        Looking at the code, AFAICSI, a safe query was replaced with an unsafe query. The change would have no other effect. So it would seem to be a deliberate backdoor introduced.

        He was probably obsessing over performance since he was worried about DDOS or something and was trying to "optimize" the code base.

        Or he didn't like that "Status.as_home_timeline" function for some reason and was trying to get rid of it.

        Or something else entirely, I've done enough code reviews to have learned there's infinite reasons for programmers to write bad code.

        As for it being a deliberate backdoor there's really no evidence for it and lots of evidence against it.

        For one, who wrote the backdoor?

        If his

    • Re:smells fishy (Score:5, Informative)

      by h33t l4x0r ( 4107715 ) on Wednesday March 03, 2021 @12:14AM (#61118594)
      This guy was obviously just trying to get something up fast and realized there was little chance of the site taking off anyway. This is where you expect to see comments like "# drunk now, fix later."
      • by hey! ( 33014 )

        Not really. I looked up the API; it's just as easy to have find_by_sql to use prepared statements or to do input sanitizing as it is to build a string and hand it to the function.

    • Re:smells fishy (Score:5, Insightful)

      by hey! ( 33014 ) on Wednesday March 03, 2021 @12:51AM (#61118646) Homepage Journal

      Why do you think he is a *former* Facebook engineer?

      Snarking aside, anybody can make a rookie mistake, that's why you do code review, even when it's the boss. But building a query string from user input and handing it to a function that calls a SQL (or any) interpreter is not the kind of rookie mistake that even experts might make in a moment of inattention. Any function that executes a string as SQL ought to set off alarm bells.

      • by pjt33 ( 739471 )

        Executing a string as SQL is fine, so long as it's static.

        • static doesn't mean immutable.
        • by hey! ( 33014 )

          As long as it is a *string literal*. In other words:

                  do_some_sql_thing("string literal")

          is fine; but

                  do_some_sql_thing(stringVar)

          should trigger a closer look. Even if stringVar is an immutable variable, it may have been initialized with user input.

    • Former Facebook engineers don't make rookie coding mistakes.

      Yeah, they would never write code in PHP.

      In any case, I will tell you that this SQL won't scale [archive.vn].

      Also, this code is kind of deprecated ruby:
      def get(limit = 20, max_id = nil, since_id = nil, min_id = nil)

    • by mattyj ( 18900 )

      Someone with the title CTO certainly knows what a code review is. Or perhaps CTO/lead/only programmer are all one guy.

      If he's a former facebook engineer and doesn't know how to write, verify, test and deploy quality code, no wonder he's former.

      • You mean because they gave themselves the title ?
        YOu dont need a special license to call yourself a CTO.

        The garbo that picks up your gabrage is more qualified they actually are certified at using garbage trucks
    • Given how buggy Facebook has been over the years, why on earth would you make such a claim? Furthermore, how much Rails usage is there at FB compared with say PHP? Even so, it doesn't mean this person used it when they were there.

      Or maybe you would just trying to be funny in a sarcastic way?

    • Conspiracy theories are much more fun, but Ocam's Razor says the simpler explanation is usually right. So rather than a successful cyber attack (NOT using SQL injection) followed by a successful intrusion, access to the source code, and an update to the source code to enable an SQL injection attack, Ocam says the CTO screwed up. BTW, the source code repo says the same thing.

    • Re:smells fishy (Score:4, Insightful)

      by laddiebuck ( 868690 ) on Wednesday March 03, 2021 @11:08AM (#61119642)

      I was a senior software engineer at Facebook and I'm 0% surprised. Haven't you heard of move fast and break things? The emphasis was always on code velocity, not quality.

  • by mykepredko ( 40154 ) on Tuesday March 02, 2021 @11:02PM (#61118458) Homepage

    I'm not being facetious - a CTO should have more important tasks and responsibilities than writing production code. If they don't take away the title (and salary), plop them down in a cubicle and have them work for a living. Otherwise you have a part time coder and that's just about the most dangerous thing out there.

    Isn't this the most basic rule out there?

    • by brian.stinar ( 1104135 ) on Wednesday March 03, 2021 @12:03AM (#61118576) Homepage

      Your statement is accurate and makes sense for a well functioning organization. Unfortunately, small startups do not normally fit this bill.

      What happens in a startup is you can give people whatever title you want to make up. Titles are very inexpensive, and easy to change. What probably happened is the founders created a CTO title for someone, impressed them with the title, and then used that and equity (also inexpensive) to avoid actually paying a large number of people with a varied collection of roles. I've actually had this offer, multiple times, for startups that want to save on their web development costs. My response is normally "No, I'm not interested in becoming your CTO so you can save on your web development costs. We can put together a contract, and I can delegate these issues to my team members that focus more on this level of challenge daily."

      I've seen someone go from "intern" to "CEO" because of this. It was actually not a good thing, since this woman's expectations were totally unrealistic afterward. It would have made more sense to call her a "marketing coordinator" or "evangelist" but that probably would not have motivated her as much as "CEO." She's actually taken this off her LinkedIn, as I'm sure she realized how crazy this is. It's probably not a good idea to have a student as a C-level executive...

      People are motivated by lots of different things. Sometimes those things can be good, and sometimes those things can result in problems later.

    • I'm not being facetious - a CTO should have more important tasks and responsibilities than writing production code.

      And a CEO should have more important tasks than personally tweaking the company's logo - but we've seen that happen, too.

      Some people just can't keep from meddling.

    • Doesn't this also point to another problem too: lack of code review process? That should be the CTO's responsibility to ensure is happening in the absence of a head of engineering.

  • by tgibson ( 131396 ) on Tuesday March 02, 2021 @11:07PM (#61118480) Homepage

    is the only developer in a one-programmer shop, or if he was poking his nose into an IT team's codebase where it doesn't belong.

  • oh. Wait, what? (Score:4, Insightful)

    by sammy baby ( 14909 ) on Tuesday March 02, 2021 @11:19PM (#61118512) Journal

    "Sadly Rails documentation doesn't warn you about this pitfall, but if you know anything at all about using SQL databases in web applications, you'd have heard of SQL injection, and it's not hard to come across warnings that find_by_sql method is not safe," Dmitry Borodaenko, a former production engineer at Facebook who brought the commit to my attention wrote in an email. "It is not 100% confirmed that this is the vulnerability that was used in the Gab data breach, but it definitely could have been, and this code change is reverted in the most recent commit that was present in their GitLab repository before they took it offline." Ironically, Fosco in 2012 warned fellow programmers to use parameterized queries to prevent SQL injection vulnerabilities.

    So, this was the vulnerability, unless maybe it wasn't the vulnerability, because we don't know.

    Also, Rails documentation absolutely does warn you about the ">pitfalls of using find_by_sql [slashdot.org] indiscriminately:

    Ruby on Rails has a built-in filter for special SQL characters, which will escape ' , " , NULL character, and line breaks. Using Model.find(id) or Model.find_by_some thing(something) automatically applies this countermeasure. But in SQL fragments, especially in conditions fragments (where("...")), the connection.execute() or Model.find_by_sql() methods, it has to be applied manually.

  • Why would he remove the filter? Why would a change made in February be discovered that fast by hackers? The mistake was he thought the method of entry wouldn't be discovered and traced back to him. I'm sure there are plenty of people willing to slip the CTO money to destroy Gab and this smells like it. Get a search warrant.
    • by ssyladin ( 458003 ) on Tuesday March 02, 2021 @11:54PM (#61118566)

      There are literally services that scan all public git commits and report vulnerabilities. In my case it was a one-use cloud service connection string hard-coded and checked-in for a throw away pair coding session (and throw away cloud service). But the point stands - have your always-watching service scan for regex patterns in commits in certain repos and hope you get a bite. Nefariousness ensues.

  • by tannhaus ( 152710 ) on Tuesday March 02, 2021 @11:52PM (#61118562) Homepage Journal

    The inept always get promoted... then they crack the whip over you wondering why you can't achieve the unachievable in the unrealistic time frame they set for you.

    • by cusco ( 717999 )

      That's called the 'Peter Principle'.

      https://en.wikipedia.org/wiki/... [wikipedia.org]
      "employees are promoted based on their success in previous jobs until they reach a level at which they are no longer competent"

      I had no idea that the book was originally meant to be satire.

  • Rookies are taught to use ActiveRecord models and pagination plugins. No, I'm afraid you'd have to be quite advanced indeed to do something this stupid.
  • by battingly ( 5065477 ) on Wednesday March 03, 2021 @12:31AM (#61118616)
    TFA is clueless. Nobody would make a change that has no effect other than to compromise security as a "rookie mistake". Either his account was compromised or the CTO willfully inserted a vulnerability.
  • by PinkyGigglebrain ( 730753 ) on Wednesday March 03, 2021 @01:36AM (#61118694)

    Going to put the tin foil hat on and activate Conspiracy Theorist Mode for a few moments.

    Did the old code have a vulnerability already or did the new code add it?

    If the old version didn't have the flaw then one could consider that the commit effectively added a back door with built in plausible deniability.

    Either the CTO's credentials were compromised, or the CTO wanted a way into the servers that could be denied, or he is just a crappy programmer.

    Probably the latter but the other options are interesting to consider.

  • by mattventura ( 1408229 ) on Wednesday March 03, 2021 @01:44AM (#61118704) Homepage
    Trying to filter input is not how you effectively protect against injection, prepared statements are. That might have been good advice 15 years ago, not in 2021. Not saying you shouldn't validate input, but using it in place of statements is incredibly bad security. The sad part is, in many languages/libraries, it's not even any harder than using a string format.
    • by pjt33 ( 739471 )

      That might have been good advice 15 years ago

      No. Mysql added prepared statements in 2004, Postgres in 2002.

  • Wonderful (Score:3, Insightful)

    by Quakeulf ( 2650167 ) on Wednesday March 03, 2021 @03:51AM (#61118868)

    Gab is such an unending shitshow, the perfect containment chamber for dumb people.

  • How is Gab far-right? Is Twitter far-left then?
  • Dunning Kruger (Score:4, Insightful)

    by Martin S. ( 98249 ) on Wednesday March 03, 2021 @07:48AM (#61119154) Journal

    You have to wonder just how deeply the Dunning Kruger effect [wikipedia.org] goes with these people; Its level of incompetence doesn't just apply to a single field, the lack of meta-cognition applies right across the scope of everything, it is fundamentally a lack of common sense to not constantly consider the limits of one's own knowledge.

  • by armada ( 553343 ) on Wednesday March 03, 2021 @10:44AM (#61119578)
    Are we going to start reffering to Twitter as “far-left social media site Twitter” going forward? I’m asking for a friend...
  • Fosco Da Rookie (Score:4, Interesting)

    by GetOffGab ( 7829542 ) on Wednesday March 03, 2021 @12:42PM (#61120020)
    I worked briefly with Fosco years prior to him working at Facebook. His code then was a hack job piece-mealed from Stack Overflow posts. I fixed numerous XSS and SQL injection issues with his code back then, and not surprisingly, he was simply not paid for the work and then whined like a girl. It should be no surprise that Gab has little to no idea of all the code behind Mastodon and the hacks they are introducing to it in attempts to "improve performance" because they have no real hosting infrastructure at Epik and are just grifting for Bitcoin. Pretty much everything they claim to have built from scratch in-house is just a forked existing open source solution they have bastardized and ran a search/replace on. They don't even want to give Mastodon devs any credit. All of the open source projects they've forked for no real purpose other than to claim it as their own seem to hate them equally.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...