Rookie coding mistake prior to Gab hack came from site’s CTO

Over the weekend, word emerged that a hacker breached far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as an SQL injection. A quick review of Gab's open source code shows that the critical vulnerability—or at least one very much like it—was introduced by the company's chief technology officer. Further Reading Trump's is one of 15,000 Gab accounts that just got hacked The change, which in the parlance of software development is known as a "git commit," was made sometime in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab's CTO . On Monday, Gab removed the git commit from its website. Below is an image showing the February software change, as shown from a site that provides saved commit snapshots. The commit shows a software developer using the name Fosco Marotto introducing precisely the type of rookie mistake that could lead to the kind of breach reported this weekend. Specifically, line 23 strips the code of "reject" and "filter," which are API functions that implement a programming idiom that protects against SQL injection attacks. Developers: Sanitize user input This idiom allows programmers… Read full this story

Rookie coding mistake prior to Gab hack came from site’s CTO have 312 words, post on arstechnica.com at March 2, 2021. This is cached page on CuBird. If you want remove this page, please contact us.