12 votes

Gab removes their public Git repository after it reveals their developers adding (and struggling to fix) basic security issues that led to a 70GB data leak

Posted March 2, 2021 by Deimos

Tags: social media, security, gab, open source, data leaks, developers.software, data, author.dan goodin, source.ars technica

https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/

Link information

This data is scraped automatically and may be incorrect.

Title: Rookie coding mistake prior to Gab hack came from site's CTO
Authors: Dan Goodin
Published: Mar 2 2021
Word count: 672 words

3 comments

[3]
joplin
March 3, 2021
Link
While I hate Gab as much as the next person, I'm sure I've written my share of code that was subpar for my abilities. I've written stuff for a test while debugging then forgotten to take it out....

While I hate Gab as much as the next person, I'm sure I've written my share of code that was subpar for my abilities. I've written stuff for a test while debugging then forgotten to take it out. I've written stuff under pressure and wasn't careful. I've probably bungled a complex merge resulting in some questionable code, as well. I have a hard time thinking less of a developer because of a mistake they made. (But I have a real easy time thinking less of them because of the hate-filled platform they're working on.)

8 votes
1. [2]
  stu2b50
  March 3, 2021 (edited March 3, 2021)
  Link Parent
  Eh, while the matter of whether or not to think less of the person in question is something I'm not going to get into, this is an extremely egregious error, not just a simple logical mistake. For...
  
  Eh, while the matter of whether or not to think less of the person in question is something I'm not going to get into, this is an extremely egregious error, not just a simple logical mistake.
  
  For one, Gab is a rails app (apparently) - so they first have to completely ignore Rail's built in ORM, or query builders, since that will automatically sanitize your queries, and step down to doing raw SQL queries. Secondly, they also have to be okay with using string formatting in a query. That should ring about 100 alarm bells in the back of your head just glancing at it. Just use prepared statements if you have to step into SQL!
  
  Just looking at that screenshot instantly says "SQL injection".
  
  Even worse is that this is all documented very clearly by rails
  
  That this was also done by the CTO of the company is, uh, honestly maybe it makes more sense, since a more junior developer would probably, like, try to adhere to Rails convention and read documentation.
  
  In modern webapps (which Gab ostensibly is), SQL injections are rare now, because a) they're so infamous b) modern frameworks handle sanitization for you.
  
  It's one thing to, say, not check bounds on a buffer in C and woops, there goes another stack smashing exploit. It's true that that's extremely easy to miss (although modern code analysis has gone a long way into automatically detecting simple variants), and even the best of C code inevitably seems to have issues. But this is a different league.
  
  It's like if your "professional" valet is driving your manual car and switches to the reverse gear while at speed accidentally. That's how egregious it is.
  
  12 votes
  1. admicos
    March 3, 2021
    Link Parent
    Not just a Rails app, a fork of Mastodon, which is a Rails app that (as far as I'm aware) that uses ActiveRecords (??, not a Ruby dev I just heard it from somewhere else) and is still secure. They...
    
    For one, Gab is a rails app (apparently)
    
    Not just a Rails app, a fork of Mastodon, which is a Rails app that (as far as I'm aware) that uses ActiveRecords (??, not a Ruby dev I just heard it from somewhere else) and is still secure.
    
    They forked a secure app that followed best practices, and still made this happen.
    
    7 votes