Comment by molecule
13 years ago
Egor Homakov's write up of the session fixation and CSRF vulnerabilities that this addresses:
http://homakov.blogspot.com/2013/03/hacking-github-with-webk...
I think he deserves being mentioned in GitHub's post.
Heh, at least he didn't get his account banned prematurely.
It's already been said, but as many headaches as Egor's proof-of-concepts gave GitHub's staff, they've really helped educate the general dev public (well, me at least) about security-mindedness. GitHub's security explanatory notes in the OP are helpful, but Egor's demo really made the issues memorable.
Egor's posts have also helped GitHub improve their security, to the extent that they're willing to listen.
I told a couple of people at GitHub that they should add a way to select which email addresses can be used for password reset. Both agreed it was a good idea, but there hasn't been any action.
If you want commits to be linked to your GitHub account, you have to add the email to your account settings page. If you add the email to your account settings page, it can be used to reset the password and gain access to the account.
Also people keep begging for Two-Factor auth, and I'll echo that. https://twitter.com/kaepora/status/307938914667220992
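One way to model the separation the comment above asks for, keeping "emails that attribute commits to the account" apart from "emails allowed to receive a password-reset link", as an added example that is neither GitHub's code nor part of the thread. The `Account` class, its method names and the sample addresses are hypothetical; the point it demonstrates is that adding an address for commit linking grants no reset capability until the owner opts that address in explicitly, and that un-linking an address also revokes its reset rights.

```python
"""Added example (not from the thread, not GitHub's code): an account model
that separates commit-attribution emails from password-reset emails."""
from dataclasses import dataclass, field
import secrets
from typing import Optional


@dataclass
class Account:
    username: str
    # Addresses used only to attribute commits to this account.
    linked_emails: set = field(default_factory=set)
    # Subset of linked_emails the owner explicitly opted in for password reset.
    reset_emails: set = field(default_factory=set)
    # token -> address the reset link was issued to (hypothetical in-memory store).
    pending_resets: dict = field(default_factory=dict)

    def add_linked_email(self, email: str) -> None:
        """Linking an address for commit attribution grants nothing else."""
        self.linked_emails.add(email.lower())

    def remove_linked_email(self, email: str) -> None:
        """Un-linking an address also revokes any reset capability it had."""
        email = email.lower()
        self.linked_emails.discard(email)
        self.reset_emails.discard(email)

    def allow_reset_via(self, email: str) -> None:
        """Opt an already-linked address in for password reset."""
        email = email.lower()
        if email not in self.linked_emails:
            raise ValueError("only a linked address can be enabled for reset")
        self.reset_emails.add(email)

    def revoke_reset_via(self, email: str) -> None:
        self.reset_emails.discard(email.lower())

    def request_password_reset(self, email: str) -> Optional[str]:
        """Issue a reset token only for an opted-in address.

        Returns None for every other address, including ones that are linked
        but not reset-eligible, so the response does not reveal which
        addresses belong to the account.
        """
        email = email.lower()
        if email not in self.reset_emails:
            return None
        token = secrets.token_urlsafe(32)
        self.pending_resets[token] = email
        return token

    def consume_reset_token(self, token: str) -> Optional[str]:
        """Single-use redemption: returns the address the token was issued to."""
        return self.pending_resets.pop(token, None)


if __name__ == "__main__":
    acct = Account("alice")
    acct.add_linked_email("alice@work.example")      # constructed sample address
    acct.add_linked_email("alice@personal.example")  # constructed sample address
    print(acct.request_password_reset("alice@work.example"))  # None: linked only
    acct.allow_reset_via("alice@personal.example")
    tok = acct.request_password_reset("alice@personal.example")
    print(acct.consume_reset_token(tok))  # alice@personal.example
```

With this model the linked-emails list can grow freely for commit attribution without widening the set of addresses an attacker could target for a reset; the reset-eligible set stays a deliberate, revocable opt-in.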