Researcher found Homebrew GitHub token hidden in plain sight

The popular Homebrew macOS package installer has moved to plug a serious vulnerability – it accidentally left a GitHub token visible to the public. Luckily, a team member on paternity leave had a moment while their child napped to fix it. Homebrew does for macOS what apt-get does for Debian: it's a handy installer for stuff …

  1. Pascal Monett

    "If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers?" Holmes asked.

    They could use you for training the newbies in their dedicated resource group.

    BTW, the NSA is mildly miffed that you spotted the issue.

    1. Anonymous Coward

      GitHub is owned by Microsoft, the NSA doesn't have to be miffed anymore.

      1. Anonymous Coward

        Really?

        https://cnet4.cbsistatic.com/img/NHcBqATGvVDonz5w1FaYMI2EL1M=/970x0/2013/06/30/6e5c3747-fdb6-11e2-8c7c-d4ae52e62bcc/prism-slide-4.jpg

        Do you think they have now stopped?

  2. JLV

    wow.

    Had that been exploited, that’s about as nasty as it gets for Macs using FOSS (macports may want to check their stuff too).

    Unintuitively, this is why I really don’t trust installing stuff from people’s random git/binaries/make self-hosted servers, source code or not: securing code delivery infrastructure is hard and a big target. If Homebrew, in that biz for years, can get it wrong, using normalized infrastructure, how likely are 100s of individual devs’ sites to be always right in their configs?

    1. herman

      Re: wow.

      ...and how likely is it that hundreds of individual devs will be targeted and compromised by the NSA/GCHQ/FSB...?

  3. ThomH

    It's not that popular

    Especially not with me. By default it changes ownership of /usr/local/bin to your login user. So anything you run from then onwards can install a shim to usurp any binary that ordinarily lives in /usr/bin. Such as sudo.

    How often do you inspect which application named sudo is asking you for your administrative password?
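An added check for the risk ThomH describes (this script is not from the article or the comments, and the function names are my own): it lists PATH entries that precede the system directory and are writable by the invoking user, and reports from which directory a given command such as sudo would actually run. It first runs against a constructed temporary layout, then against the live environment.

```shell
#!/bin/sh
# Added example: PATH audit for the "user-writable /usr/local/bin shadows
# /usr/bin" problem. Names (writable_dirs_before, shadowed_by, demo) are
# the editor's own, not Homebrew's or macOS's.

# Print each entry of PATH string $2 that precedes system dir $1 and is
# writable by the invoking user (e.g. ownership changed away from root).
writable_dirs_before() {
  sysdir=$1
  printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r d; do
    if [ "$d" = "$sysdir" ]; then break; fi
    if [ -d "$d" ] && [ -w "$d" ]; then printf '%s\n' "$d"; fi
  done
}

# Print the PATH entry that would actually run command $1 under PATH $2 if
# that entry is not the expected system dir $3; no output means not shadowed.
shadowed_by() {
  cmd=$1; expected=$3
  printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r d; do
    if [ -x "$d/$cmd" ]; then
      if [ "$d" != "$expected" ]; then printf '%s\n' "$d"; fi
      break
    fi
  done
}

# Constructed layout: a user-writable "local" dir holding a lookalike sudo,
# placed ahead of a "sys" dir holding the genuine one.
demo() {
  tmp=$(mktemp -d) || return 1
  mkdir "$tmp/local" "$tmp/sys"
  for f in "$tmp/local/sudo" "$tmp/sys/sudo"; do
    printf '#!/bin/sh\nexit 0\n' > "$f" && chmod 755 "$f"
  done
  p="$tmp/local:$tmp/sys"
  echo "user-writable dirs ahead of $tmp/sys:"
  writable_dirs_before "$tmp/sys" "$p"
  echo "sudo would run from:"
  shadowed_by sudo "$p" "$tmp/sys"
  rm -rf "$tmp"
}
demo

# The same two checks against the live environment of whoever runs this.
echo "live: user-writable dirs ahead of /usr/bin:"
writable_dirs_before /usr/bin "$PATH"
echo "live: sudo shadowed from:"
shadowed_by sudo "$PATH" /usr/bin
```

On a Homebrew Mac the live check typically prints /usr/local/bin for the first question; a non-empty answer to the second is the condition to investigate.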

    1. JLV

      Re: It's not that popular

      Ah, good catch on /usr/local/bin ownership. My primary is macports (/opt/local/bin, owner's still root).

      But once I had to install a Microsoft odbc package that only came with homebrew (and even then managed to have a really wonky install script), so now I am stuck with both (yes, that works). I guess next time I will be a bit more cautious before using homebrew. Txs, MS.

      I think most of the time when developer blogs recommend a package installation procedure, they tend to suggest homebrew rather than macports, so I think it actually is more popular than macports. Debates about the pros and cons of both tend to remind me of editor wars, unlike your more valid criticism.

    2. fajensen

      Re: It's not that popular

      I learned the lesson already with OS-2 Warp: "Porting totally and always and forever sucks. Use the native OS instead if you really need a package."

      This used to be hard, we used to have dedicated Linux servers and those really twitchy Windows X-Servers with wonky fonts to run Linux programs on the corp-rat desktop. Today virtualisation makes it super easy.

      With VM-Ware today one can keep Linux in the background and run Linux programs on Linux, as the gods intended, by using "Unity" view. Cut & Paste works too. Drag & Drop files also.

      Keeping the mac clean of Linux / FOSS build-dependencies, "random" libs and other garbage, all that being wrapped up safely inside the VM. That makes the IT support people so much more tolerant of us deviants running FOSS on their macs. Also keeps the mac running.

      1. JLV

        Re: It's not that popular

        ? porting / Linux on OS/2 ?

        AFAIK macports is pretty damn native and so is whatever it installs. Its name refers to 'ports', the utility on BSD that is tasked with installing packages, again very natively.

        There is _nothing_ Linux-y about it, except that a package, say postgres's, source code will be mostly the same as what it uses on Linux. Most of these things have no GUI/X-Windows component whatsoever, so not a consideration either.

        This is like telling someone never to use apt-get, yum or rpm on Linux. Sure, if apt-get or the installed package is pwned, so are you, but that's to be expected.

        Used at this level and on the terminal, a Mac is pretty much just like a Linux distribution, including access to a vast array of server/programmer/utility packages. Only GUI stuff changes, but really there isn't much of that either - your code editor and browser are likely the same as the ones you'd use on Linux.

        1. JLV

          Re: It's not that popular

          Oh, and I forgot:

          Huge respect to the homebrew team for being so transparent.

        2. fajensen

          Re: It's not that popular

          ? porting / Linux on OS/2 ?

          Slackware Linux tar.gz packages, as everyone knows there was no software for OS/2 Warp except C/C++ compilers and REXX ...

          "this is like telling someone never to use apt-get, yum or rpm on Linux. sure, if apt-get or the installed package is pwned, so are you, but that's to be expected."

          No, In My Opinion, it is like telling someone not to use Slackware "tar.gz" packages and "Make-Install" on a Debian system (or installing site-wide Python packages with "pip install" on any system) because the odds are that at some point one's digital knickers will end up in a twist and then one has to fix it. Somehow.

          Macs are almost FreeBSD but not quite.
