Comment by londons_explore
2 years ago
This isn't a bug IMO.
If you know the hash of some data, then you either already have the data yourself, or you learned the hash from someone who had the data.
If you already have the data, there is no vulnerability - since you cannot learn anything you don't already have.
If you got the hash from someone, you could likewise have gotten the data from them.
People do need to be aware that 'some random hex string' in fact is the irrevocable key to all the data behind that hash - but that's kinda inherent to git's design. Just like I don't tell everyone here on HN my login password - the password itself isn't sensitive, but both of us know it accesses other things that are.
If GitHub itself was leaking the hash of deleted data, or my plaintext password, then that would be a vulnerability.
>If you know the hash of some data, then you either already have the data yourself, or you learned the hash from someone who had the data.
From the article, you do not need to have the data nor learn the hash from someone who had the data.
>Commit hashes can be brute forced through GitHub’s UI, particularly because the git protocol permits the use of short SHA-1 values when referencing a commit. A short SHA-1 value is the minimum number of characters required to avoid a collision with another commit hash, with an absolute minimum of 4. The keyspace of all 4 character SHA-1 values is 65,536
In which case, yeah, that's a vulnerability. They shouldn't allow a short hash to match up against anything but public data.
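The short-hash rule quoted from the article above, worked through as an added example (not code from the article, from git or from GitHub, and not part of any comment): it shows when a prefix names exactly one commit. The sample hashes are constructed and the function names are illustrative.

```python
MIN_ABBREV = 4  # absolute minimum short-hash length quoted from the article

# Constructed 40-character hex strings standing in for commit hashes.
SAMPLE = [
    "a1b2c3d4" + "0" * 32,
    "a1b2c9ff" + "0" * 32,
    "a1b2c3d5" + "1" * 32,
    "ffee0011" + "2" * 32,
]

def keyspace(prefix_len):
    """Number of distinct hex prefixes of the given length."""
    return 16 ** prefix_len

def resolve(prefix, hashes):
    """Return the one hash the prefix names, or None if it is too short,
    matches nothing, or is ambiguous between several hashes."""
    if len(prefix) < MIN_ABBREV:
        return None
    matches = [h for h in hashes if h.startswith(prefix)]
    return matches[0] if len(matches) == 1 else None

def shortest_unique_prefixes(hashes, minimum=MIN_ABBREV):
    """Map each hash to the shortest prefix (>= minimum) no other hash shares."""
    result = {}
    for h in hashes:
        n = minimum
        while n < len(h) and resolve(h[:n], hashes) is None:
            n += 1
        result[h] = h[:n]
    return result

def uniquely_named_at(hashes, length):
    """Count the hashes that a prefix of exactly `length` characters identifies."""
    return sum(1 for h in hashes if resolve(h[:length], hashes) == h)

if __name__ == "__main__":
    print("4-character keyspace:", keyspace(MIN_ABBREV))
    for full, short in shortest_unique_prefixes(SAMPLE).items():
        print(short.ljust(10), "->", full)
    for n in (4, 6, 8):
        print(n, "chars uniquely name", uniquely_named_at(SAMPLE, n), "of", len(SAMPLE))
```

The fewer objects share a leading prefix, the shorter the string that identifies one of them, which is why the length of the accepted prefix matters and not only the secrecy of the full 40-character hash.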
It's common to use a short hash in a pull request, and then modify or rebase the commits.
The solutions are:
* Force people to use the full hash.
* Get used to a lot of dead links.
* Claim that it's a feature, not a bug.
> If you know the hash of some data, then you either already have the data yourself, or you learned the hash from someone who had the data.
Don’t think so - the article mentions you can use the short prefix on GitHub, so you have a search space of 65536.
> If you know the hash of some data, then you either already have the data yourself, or you learned the hash from someone who had the data.
You need to read to the end of the article where they show the brute-force way of getting the hashes.
That's counterintuitive, though - often, the whole point of a hash is that it's one-way.
Read TFA.