The rookie coding error before the Gab hack came from the site's CTO




Gab.com

Over the weekend, word emerged that a hacker had breached the far-right social media site Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as SQL injection. A quick review of Gab's open source code shows that a serious vulnerability, or at least one very much like it, was introduced by the company's chief technology officer.

The change, known in software development parlance as a "git commit", was made in February from the account of a former Facebook software engineer who became Gab's CTO in November. On Monday, Gab removed the git commit from its website. Below is an image showing the February software change, as displayed by a site that provides saved commit snapshots.

The commit shows a software developer using the name Fosco Marotto introducing precisely the kind of rookie error that could lead to the breach reported this week. Specifically, line 23 strips the code of "reject" and "filter", API functions that implement a programming idiom that protects against SQL injection attacks.

Developers: Sanitize user input

These idioms let programmers write SQL queries safely, ensuring that whatever visitors type into search boxes and other web fields has any malicious commands removed before it is passed to the backend server. Instead, the developer added a call to the Rails "find_by_sql" method, which accepts unsanitized input directly in the query string. Rails is a widely used web development toolkit.

"Sadly, the Rails documentation does not warn you about this pitfall, but if you know anything at all about using SQL databases in web applications, you will have heard of SQL injection, and it is not hard to find warnings that the find_by_sql method is not safe," Dmitry Borodaenko, a former Facebook production engineer who brought the commit to my attention, wrote in an email. "It is not 100% confirmed that this vulnerability was used in the Gab data breach, but it certainly could be, and this code change is in the most recent commit that was present in their GitLab repository before they took it down."

Ironically, in 2012 Marotto warned fellow programmers to use parameterized queries to prevent SQL injection vulnerabilities. Marotto did not respond to an email seeking comment for this post. An attempt to contact Gab directly was unsuccessful.
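The difference between the interpolated query the article describes and a parameterized one comes down to one property: with a bound parameter, user input can only ever become the contents of a string literal, so the structure of the query never changes. The following Ruby is an added example, not code from Gab, Mastodon or Rails; the `quote_literal` and `bind_params` helpers are stand-ins for the escaping a database adapter applies to bound values (in Rails, the array form `find_by_sql(["... WHERE text LIKE ?", value])` plays that role), and the table and column names are invented for the example. `outside_literals` blanks out every string literal so the two builders can be compared on query structure alone.

```ruby
# Added example (not Gab's or Rails' code): why string-built SQL is unsafe and
# why a bound parameter is not. quote_literal and bind_params stand in for the
# escaping a database adapter applies to bound values; in Rails the equivalent
# is the array form find_by_sql(["... WHERE text LIKE ?", value]).
# The table and column names are made up for this example.

# Vulnerable pattern: the user's term is interpolated straight into the query.
def build_query_unsafe(term)
  "SELECT * FROM statuses WHERE text LIKE '%#{term}%'"
end

# Escape a value as a SQL string literal (single quotes are doubled).
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each "?" placeholder with the quoted form of the matching value.
# gsub does not re-scan its replacements, so a "?" inside a value is inert.
def bind_params(template, *values)
  unless template.count("?") == values.length
    raise ArgumentError, "placeholder/value count mismatch"
  end
  i = -1
  template.gsub("?") { quote_literal(values[i += 1]) }
end

# Safe pattern: the query shape is fixed; the term only ever becomes a literal.
def build_query_safe(term)
  bind_params("SELECT * FROM statuses WHERE text LIKE ?", "%#{term}%")
end

# Return the query with the contents of every string literal blanked out,
# leaving only its structure (keywords, operators, quote marks).
def outside_literals(sql)
  out = +""
  in_str = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_str
      if c == "'"
        if sql[i + 1] == "'"   # doubled quote is an escaped quote inside the literal
          i += 1
        else
          in_str = false
          out << "'"
        end
      end
    elsif c == "'"
      in_str = true
      out << "'"
    else
      out << c
    end
    i += 1
  end
  out
end

# The property a safe builder must have: the structure of the query does not
# depend on the input. The hostile term is a constructed sample; it changes the
# structure of the unsafe query but not of the safe one.
def structure_stable?(builder, benign: "hello", hostile: "x' OR 1=1 --")
  outside_literals(send(builder, benign)) == outside_literals(send(builder, hostile))
end

if __FILE__ == $PROGRAM_NAME
  puts build_query_unsafe("x' OR 1=1 --")
  puts build_query_safe("x' OR 1=1 --")
  puts "unsafe builder stable: #{structure_stable?(:build_query_unsafe)}"
  puts "safe builder stable:   #{structure_stable?(:build_query_safe)}"
end
```

Running the file prints both queries for the constructed term and then `false` for the interpolating builder and `true` for the parameterized one. The same structural comparison is a cheap review check for any query builder: if blanking out the literals of the query built from two different inputs gives two different strings, the input is reaching the query as code rather than as data.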

A checkered history

Besides the Gab commit raising questions about the process for developing secure code, the social media site has also faced criticism for removing the commits from its website. Critics say the move violates the terms of the Affero General Public License, which governs Gab's reuse of Mastodon, an open source software package for hosting social networking platforms.

Critics say the removal violates a term of the license that requires the forked source code to be linked directly from the site. The requirement is intended to provide transparency and to let other open source developers benefit from the work of their peers at Gab.

Gab had long provided the commits at https://code.gab.com/. Then, on Monday, the site abruptly removed all commits, including the one that introduced the serious SQL injection vulnerability and the one that fixed it. In their place, Gab provided the source code as a zip archive protected by the password "JesusCrystingTrumpv on no choice" (quotation marks excluded).

Representatives of the Mastodon project did not immediately respond to an email asking whether they shared the critics' concerns.

Besides questions about secure coding and license compliance, the Gab git commit also appears to show the company's developers struggling to fix their vulnerable code. The image below shows someone using the name "developer" trying, unsuccessfully, to fully fix the SQL injection vulnerability.

Thread participants respond by sarcastically pointing out the difficulty the developer is experiencing.

Gab's security breach and its behind-the-scenes handling of the code provide a case study in how developers should, and should not, go about maintaining site security and code transparency. The lesson carries all the more weight because Gab's CTO account was used for the commit, and the CTO of all people should have known better.