Your “just” considered harmful
Update: This is what our official response and mitigation strategy looks like Greenkeeper Verify
Last Friday I came home from a very nice evening out with friends. It was a bit earlier than usual, because I was about to go on a weekend trip to Hamburg with my partner the next morning at 7am.
I know I probably shouldn’t be doing this but I had one last look at my Twitter client, just to check if something important happened in my absence. And indeed, there was a suspicious tweet.
Greenkeeper is a service I’m running together with my friends at The Neighbourhoodie. It works by sending pull requests to keep npm dependencies up to date. But the pull request in the tweet above didn’t look right, because the actual diff was total nonsense — there was no way it was coming from us. Was this screenshot just a weird way the Karma project was expressing their appreciation for the service? Not really — quickly I realized that someone created a GitHub account called “greenkeeperlo-bot”, which is the spitting image of our account “greenkeeperio-bot”, to send out spammy pull requests in our name. They had copied our avatar, pull request bodies, our commit message and branch naming pattern. The commits itself were faked by signing them of using our bot’s email address — a well known problem in how GitHub works.
Looking at the fake profile I could quickly see that they had sent out pull requests to some of the most popular projects using our service. To make things worse: one of the pull request was already merged. They trusted the typical Greenkeeper look and feel, without even skimming the diff. At this point I didn’t have the slightest clue who was performing this attack and if they had any further and more serious steps in mind. I gave my best to protect our users and to control the damage. I left a comment on every single one of the fake pull requests, I sent out tweets to warn people, and I wrote a lengthy abuse report to GitHub support, so they could take care of the situation from their side.
Most of the maintainers responded quickly and closed the pull requests, others in my team were aware of the situation, and the warning on Twitter was spreading a bit. I was sitting on the fence for a little longer and let my agitation die down. By 2am I finally fell asleep.
The next morning I got up at 7am, totally wasted and sleep-deprived. I’m living in a long-distance relationship and so I was looking forward to having a great time quite a bit — instead I felt like shit. At least we caught our train to Hamburg and so I was hoping to catch up on some sleep during the ride when the bot began to reply to the closed pull requests. It was getting interesting: the claim of responsibility.
I think people would not see greenkeeper’s pr detail, but just click merge. this behavior is unsafe, greenkeeper should solve this.
And indeed the attack revealed a very interesting attack vector, that is very hard to fix. In another thread they demanded answers.
I got some questions for you:
1. If I dont send this pr: greenkeeperio/greenkeeper#155 , how long would you find me?
2. Even a excelent developer like [redacted] merged my pr, how many percentage of developers would merge my fake pr?
3. supposing I am a evil bot, and inject some evil npm after_install in the projects?
The maintainer of the project rightfully asked them to raise these questions in our repository, but this hasn’t happened up to this day. I’ll try to answer them here now.
Regarding 1: The referenced pull request was another attack sent to our own repository. As described above I got aware of the situation via the tweet of a Karma maintainer.
Regarding 2: I don’t know. Too many probably.
Regarding 3: I don’t understand the question, but yes using social engineering and phishing techniques to make people merge malicious code into their project is dangerous.
Here is another thing the attacker wrote in their comments.
I’m human being…just a safety test
Alright, let’s savor this slowly. “just a safety test.” “I’m [a] human being.”
You performed an actual attack to several large open source repositories, abusing our identity and the trust in that identity.
Without talking to us before.
During our Friday night.
During a workday in US-West.
Right before the weekend, so no support team can respond in time.
You might be a human being, but your “security research” is unprofessional and harmful. This might have been “just” a test for the security hole you saw, but this was a serious attack on my personal well being and mental health. I’m not saying that you did this on purpose, but entitled and utterly disrespectful behavior like yours is just as bad. This makes me burn out. It makes we want to throw in the towel and leave a community that I love.
Greenkeeper is not a multi-million dollar business, we’re not lying on our yachts not giving a fuck about our users. We’re trying to make the JavaScript ecosystem a better place and we’re expending a lot of effort to get things right. You however did not make anything safer. You stole precious energy and time of my life, by ignoring every single principle of security research. I could have used this time to actually work on the problem, to build new features, or, as I had planned, to recharge my batteries.
A few years ago I found a security hole about potentially leaking, sensitive, personal data in a reward program and before trying to contact the company I told another person about it. Instead of understanding the confidential nature of this matter, what I had expected from them, they called the press about it, citing my full name. After this I faced criminal prosecution for fraud, hacking and invoking/approving crimes. Obviously I was extremely mad at them, but now I accept that this was my very own fault. Dealing with security issues requires a tremendous amount of care and sensitivity.
I don’t want anything like this to happen to you, but I demand that you act according to the fact that everyone else is also a human being worthy of your respect. Think of how your actions might affect other people’s lives. If we as the members of the web community can’t manage to get this basic prerequisite for respectful human interaction right, especially on the internet, then maybe we shouldn’t be building the software for it.
The Monday after GitHub deleted the “greenkeeperlo-bot” account and all pull requests created by it. We still don’t know who the person was that performed the attack, nor did they directly contact us at all.
I wasn’t sure about writing this at first, but there are two reasons, why I decided on doing it.
- The reactions to the npm #unpublishgate showed me once more just how far spread entitled and toxic behavior is in our community. This has to change and being silent or accepting won’t help.
- Brave and open tweets of a person I highly respect and admire reminded me that after reading this [TW: suicide] I promised myself to no longer shy away from talking about mental health issues, no matter how much I tell myself how trivial they are.
