Over the weekend, word emerged that a hacker had breached the far-right social media site Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security hole known as SQL injection. A quick review of Gab’s open source code shows that the critical vulnerability, or at least a very similar one, was introduced by the company’s CTO.
The change, known in software development parlance as a “git commit,” was made in February from the account of Fosco Marotto, a former Facebook software engineer who became CTO of Gab in November. On Monday, Gab pulled the git commit from its website. An image on a site that keeps archived snapshots of commits shows the February software change.
The commit shows a software developer using the name Fosco Marotto introducing precisely the type of rookie error that could lead to the kind of breach reported this weekend. Specifically, line 23 removes the code for “reject” and “filter”, API functions that implement a programming idiom protecting against SQL injection attacks.
This idiom lets programmers compose an SQL query safely by “sanitizing” the input that website visitors type into search boxes and other web fields, so that any malicious commands are removed before the text is passed to the backend servers. In their place, the developer added a call to the Rails function that contains the “find_by_sql” method, which accepts unsanitized input directly into a query string. Rails is a widely used website development toolkit.
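To make the contrast concrete, here is a small reviewer’s check, written for this article and not taken from Gab’s or Rails’ code, that scans Ruby source for the find_by_sql pattern described above: it flags a raw SQL string built by interpolation or concatenation and accepts the bind-array form, in which ActiveRecord quotes each bound value for you. The Status model, the term and sql variables and the sample lines are constructed for the demonstration.

```ruby
# Constructed example, not Gab's or Rails' own code: a reviewer's check for the
# find_by_sql pattern discussed above. It flags a raw SQL string built by
# interpolation or concatenation and accepts the bind-array form, in which
# ActiveRecord quotes each bound value before it reaches the database.

UNSAFE_INTERPOLATION = /find_by_sql\s*\(?\s*"[^"]*\#\{/   # "... #{input} ..."
UNSAFE_CONCAT        = /find_by_sql\s*\(?\s*"[^"]*"\s*\+/   # "..." + input
SAFE_BIND_ARRAY      = /find_by_sql\s*\(?\s*\[/            # ["... ?", input]

# Classify one line of Ruby source: :safe, :unsafe, :review (a form the regexes
# cannot judge, e.g. a query held in a variable), or nil when find_by_sql is absent.
def classify_find_by_sql(line)
  return nil if line.strip.start_with?("#") || !line.include?("find_by_sql")
  return :safe if line.match?(SAFE_BIND_ARRAY)
  return :unsafe if line.match?(UNSAFE_INTERPOLATION) || line.match?(UNSAFE_CONCAT)
  :review
end

# Scan source text; returns [line_number, verdict, stripped_line] per find_by_sql use.
def scan_source(source)
  source.each_line.with_index(1).map do |line, n|
    verdict = classify_find_by_sql(line)
    verdict && [n, verdict, line.strip]
  end.compact
end

# Constructed sample (a non-interpolating heredoc, so #{...} stays literal text);
# it imitates the two idioms the article contrasts, not the actual Gab commit.
SAMPLE = <<~'RUBY'
  # parameterized scope: ActiveRecord quotes the value for you
  Status.where("text ILIKE ?", "%#{term}%").limit(20)
  # bind-array form: placeholder plus bound value, also quoted for you
  Status.find_by_sql(["SELECT * FROM statuses WHERE text ILIKE ?", "%#{term}%"])
  # raw interpolation: the request value becomes part of the SQL text
  Status.find_by_sql("SELECT * FROM statuses WHERE text ILIKE '%#{term}%'")
  # concatenation: the same defect in a different spelling
  Status.find_by_sql("SELECT * FROM statuses WHERE id = " + params[:id])
  # query assembled elsewhere: cannot be judged here, so it is sent for review
  Status.find_by_sql(sql)
RUBY

if __FILE__ == $PROGRAM_NAME
  scan_source(SAMPLE).each { |n, v, text| puts "line #{n}: #{v.to_s.upcase.ljust(6)} #{text}" }
end
```

Run over a diff before merging, a check like this would have flagged the raw-string call while passing the bind-array and parameterized forms.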
“Sadly Rails documentation does not warn you about this trap, but if you know anything about using SQL databases in web applications, you would have heard of SQL injection, and it’s not hard to find warnings that the find_by_sql method is not secure,” wrote Dmitry Borodaenko, a former production engineer at Facebook who brought the commit to my attention in an email. “It is not 100% confirmed that this is the vulnerability that was used in Gab’s data breach, but it certainly could have been, and this code change is reversed in the most recent commit that was present in their GitLab repository before they took it offline.”
Ironically, Fosco in 2012 warned his fellow programmers to use parameterized queries to avoid SQL injection vulnerabilities. Marotto did not respond to an email requesting comment for this post. Attempts to contact Gab directly have failed.
Along with the commit raising questions about Gab’s process for developing secure code, the social media site is also facing criticism for removing commits from its website. Critics say the removal violates the terms of the Affero General Public License, which governs Gab’s reuse of Mastodon, an open source software package for hosting social media platforms.
Critics say the removal violates conditions that require the forked source code to be directly linked from the site. The requirements are intended to ensure transparency and allow other open source developers to benefit from the work of their peers at Gab.
Gab had long published its commits at https://code.gab.com/. Then on Monday, the site suddenly deleted all commits, including those that created and then fixed the critical SQL injection vulnerability. In their stead, Gab provided the source code as a password-protected Zip archive whose password was “JesusChristIsKingTrumpWonTheElection” (minus the quotes).
Representatives of Project Mastodon did not immediately respond to an email asking if they shared the critics’ concerns.
Apart from questions about secure coding and license compliance, Gab’s git commits also seem to show that the company’s developers are struggling to fix their vulnerable code.
Gab’s security flaw, and its behind-the-scenes code management before and after the incident, provide a case study for developers in how not to maintain the security and transparency of a website’s code. The lesson is all the more pointed because the commit came from the account of Gab’s CTO, who, of all people, should have known better.
This story originally appeared on Ars Technica.