Over the weekend, reports emerged that a hacker broke into far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as SQL injection. A quick look at Gab’s open source code shows that the critical vulnerability, or at least one very similar to it, was introduced by the company’s chief technology officer.
The change, known in software development parlance as a “git commit,” was made sometime in February under the account of Fosco Marotto, a former Facebook software engineer who became Gab’s CTO in November. On Monday, Gab removed the commit from its website. Below is an image showing the February software change, as preserved by a site that saves snapshots of web pages.
The commit shows a software developer going by the name Fosco Marotto introducing exactly the kind of rookie error that could lead to the kind of breach reported this weekend. Specifically, line 23 removes “reject” and “filter,” which are API functions that implement a programming idiom that protects against SQL injection attacks.
Developers: clean up user input
This idiom allows programmers to securely construct an SQL query by sanitizing the input that website visitors enter into search boxes and other web fields, so that any malicious commands are removed before the text is passed to the backend servers. Instead, the developer added a call to a Rails function that includes the “find_by_sql” method, which accepts unsanitized input directly into a query string. Rails is a widely used toolkit for developing websites.
“Unfortunately, Rails documentation doesn’t warn you about this pitfall, but if you know anything about using SQL databases in web applications, you would have heard of SQL injection, and it’s not hard to come across warnings that the find_by_sql method is not secure,” Dmitry Borodaenko, a former production engineer at Facebook who brought the commit to my attention, wrote in an email. “It’s not 100% confirmed that this is the vulnerability used in the Gab data breach, but it certainly could be, and this code change is rolled back in the most recent commit that was present in their GitLab repository before they took it offline.”
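To make the difference concrete, here is a small added Ruby example. It is not Gab’s or Mastodon’s code and not the commit in question: it is a minimal stand-in for the placeholder binding that ActiveRecord performs when find_by_sql is given an array of SQL plus bind values, placed next to the string-interpolation anti-pattern the article describes. The statuses table, the text column and the search term are assumed for illustration.

```ruby
# Added example, not Gab's or Rails' own code. In real Rails the safe forms are
#   Status.find_by_sql(["SELECT * FROM statuses WHERE text ILIKE ?", "%#{term}%"])
#   Status.where("text ILIKE ?", "%#{term}%")
# and the unsafe form is find_by_sql("... '%#{term}%'") with the value
# interpolated straight into the SQL string.

# Quote a Ruby value as a SQL literal: strings are single-quoted with embedded
# single quotes doubled (ANSI SQL), integers pass through unchanged, nil becomes NULL.
def quote_sql_literal(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each "?" placeholder in the template with the corresponding quoted bind
# value, the way ActiveRecord's sanitize_sql_array does for find_by_sql([sql, *binds]).
# Bind values are never re-scanned for placeholders, so a "?" inside user input
# cannot consume a neighbouring bind.
def bind_sql(template, *binds)
  expected = template.count("?")
  unless expected == binds.size
    raise ArgumentError, "expected #{expected} bind values, got #{binds.size}"
  end
  values = binds.dup
  template.gsub("?") { quote_sql_literal(values.shift) }
end

# The anti-pattern: user input interpolated directly into the query string.
# Any quote character in `term` ends the string literal and the rest of the
# input becomes SQL syntax.
def search_query_interpolated(term)
  "SELECT * FROM statuses WHERE text ILIKE '%#{term}%' LIMIT 20"
end

# The parameterized equivalent: the whole search term, quotes included,
# stays inside one string literal.
def search_query_bound(term)
  bind_sql("SELECT * FROM statuses WHERE text ILIKE ? LIMIT 20", "%#{term}%")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input containing a quote character.
  term = "o'reilly"
  puts "interpolated: #{search_query_interpolated(term)}"
  puts "bound:        #{search_query_bound(term)}"
end
```

Run the file directly to see both query strings side by side. The bound version keeps the user’s quote character escaped inside the literal, which is the property the removed “reject”/“filter” idiom was providing and that interpolation into find_by_sql gives up.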
Ironically, in 2012, Fosco warned fellow programmers to use parameterized queries to avoid SQL injection vulnerabilities. Marotto did not respond to an email seeking comment for this post. Attempts to contact Gab directly were unsuccessful.
In addition to raising questions about Gab’s process for developing secure code, the social media site has also been criticized for removing the commits from its website. Critics say the move violates the terms of the Affero General Public License, which governs Gab’s reuse of Mastodon, an open source software package for hosting social networking platforms.
Specifically, critics say the removal violates terms that require the forked source code to be linked directly from the site. The requirements are intended to provide transparency and allow other open source developers to benefit from the work of their colleagues at Gab.
Gab had long published its commits at https://code.gab.com/. Then, on Monday, the site suddenly removed all commits, including those that created and then patched the critical SQL injection vulnerability. Instead, Gab provided the source code in the form of a zip archive protected by the password “JesusChristIsKingTrumpWonTheElection” (minus the quotes).
Representatives of the Mastodon project did not immediately respond to an email asking if they shared the critics’ concerns.
In addition to questions about secure coding and licensing compliance, the Gab git commits also seem to show company developers struggling to fix their vulnerable code. The image below shows someone using the username “developer” making an unsuccessful attempt to fully repair the code containing the SQL injection vulnerability.
Thread participants responded by sarcastically pointing out the difficulty the developer appeared to be having.
Gab’s security breach and its behind-the-scenes handling of the code before and after the incident provide developers with a case study in how not to maintain the security and code transparency of a website. The lesson is all the more important because the change was made by Gab’s CTO, who of all people should have known better.