How I gained commit access to Homebrew in 30 minutes

67 bookmarks. First posted by briantrice august 2018.

This issue was publicly disclosed on the Homebrew blog at https://ift.tt/2AJpJbA Since the recent NPM , RubyGems , and Gentoo…
12 weeks ago by slempke
How I gained commit access to Homebrew in 30 minutes

oosp  from twitter
august 2018 by mkb
It is surprisingly easy to attack packagers as a way of delivering a malicious payload to machines quite broadly.
security  via:reddit 
august 2018 by mcherm
RT : How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
august 2018 by gwpl
package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat
security 
august 2018 by zephyr777
How I gained commit access to the Homebrew project in 30 minutes:
august 2018 by fabianmoronzirfas
This issue was publicly disclosed on the Homebrew blog at https://brew.sh/2018/08/05/security-incident-disclosure/ Since the recent NPM , RubyGems , and Gentoo…
from instapaper
august 2018 by spinnerin
Wow: How I gained commit access to Homebrew in 30 minutes
from twitter
august 2018 by jamescampbell
Since the recent NPM, RubyGems, and Gentoo incidents, I’ve become increasingly interested, and concerned, with the potential for package managers to be used in supply chain attacks to distribute…
security  github  homebrew 
august 2018 by zchi
If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it.

If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers? How many private company networks could be accessed? How many of these could be used to escalate to large scale data breaches? What other package management systems have similar weaknesses?

This is my growing concern, and it’s been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research.
homebrew  github  security  jenkins  credentials  scary 
august 2018 by jm
On Jun 31st, I went in with the intention of seeing if I could gain access to Homebrew’s GitHub repositories. About 30 minutes later, I made my first commit to Homebrew/homebrew-core.
homebrew  github  security 
august 2018 by ssorc
via Pocket - How I gained commit access to Homebrew in 30 minutes - Added August 07, 2018 at 11:06AM
august 2018 by mikele
If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it. If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers? How many private company networks could be accessed? How many of these could be used to escalate to large scale data breaches? What other package management systems have similar weaknesses?
august 2018 by mvuijlst
RT : How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
august 2018 by wlejon
How I gained commit access to Homebrew in 30 minutes
from twitter
august 2018 by nicola
How I gained commit access to Homebrew in 30 minutes
from twitter
august 2018 by RBaumier
RT : Next up in underfunded critical infrastructure: package managers.
from twitter
august 2018 by mpasternacki
This issue was publicly disclosed on the Homebrew blog at https://ift.tt/2AJpJbA
s 
august 2018 by igorette
RT : Next up in underfunded critical infrastructure: package managers.
from twitter
august 2018 by becked
“This is my growing concern, and it’s been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research.”
security 
august 2018 by kevinrood
Since the recent NPM, RubyGems, and Gentoo incidents, I’ve become increasingly interested, and concerned, with the potential for package managers to be used in supply chain attacks to distribute malicious software. via Pocket
IFTTT  Pocket 
august 2018 by regisd
Since the recent NPM, RubyGems, and Gentoo incidents, I’ve become increasingly interested, and concerned, with the potential for package managers to be used in supply chain attacks to distribute…
security  homebrew  breach  credentials  token  github  jenkins 
august 2018 by floehopper
Mismanaged GitHub credentials
homebrew  security  badtech 
august 2018 by nelson
Next up in underfunded critical infrastructure: package managers.
from twitter_favs
august 2018 by e30chris
Next up in underfunded critical infrastructure: package managers.
from twitter
august 2018 by FiloSottile
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
august 2018 by NeoNacho
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
august 2018 by ekingery
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
august 2018 by adamamyl
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
august 2018 by danyoung
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
august 2018 by briantrice