How to get #1 trending on GitHub, or “GitHub’s security flaws”

See how I became the no. 1 trending developer on GitHub by creating an app that exploits the registration process.


A few days ago I stumbled upon Matthew Bryant’s article on how he got about 5000 followers on GitHub with a relatively simple PHP script that exploited the registration process of the best-known web-based Git hosting service.

Initial thoughts

After I finished reading the article, my very first thought was that I should give this a try too and see whether GitHub’s staff had done anything about this registration weakness.

I headed directly to GitHub’s sign-up page to see if the process was really that simple. It was. To register on GitHub you only need to choose a username, a password and an email address. That’s all! Now, don’t get me wrong: in some cases simple is better, but even the simplest human verification mechanism (e.g. a CAPTCHA, a small arithmetic question, or some other bot check) would have made this much harder to automate.

The process

It didn’t take me long to decide which programming language to use for this ‘case study’, as I had been in love with Objective-C for a while. I am sure there were many better options, but I wanted something simple and easy to develop with. I also decided to name the project “Gitflaw” and build it as a Mac application.

The concept was simple: I would enter the number of followers/stars I wanted, the URL of the GitHub repository and the URL of the GitHub profile.

First I needed some fake identities to sign up with. For this, RandomUser.me seemed like an awesome choice.

I won’t go into development details here, as I want to keep this case study understandable for non-programmers. Basically, the app fetches a list of fake identities, exactly as many as the number of accounts entered in the corresponding field.

After you enter the repository URL (required) and the profile URL (optional), you just have to press the wide Start button and let the app do its magic.

What’s happening behind the scenes?

The app is repeating the same process for each fake user account:

Go to the sign-up page > Enter fake credentials and advance > Browse to the repository URL and star it > (only if the profile URL field is filled in) Go to the profile URL and follow the user > Sign out of the fake account > Repeat

To achieve this, I relied heavily on JavaScript functions injected into a hidden web view, which report back on the current step so the app can display it in a status label.

What happened ?

You may be wondering what happened next. I had to test my creation, so I created a new repo called YouAreAwesome. Because you really are!

I let the app run on this repo for a few minutes, just long enough to become the #1 trending developer on GitHub and thereby achieve the goal of this case study.

The whole cycle (register, star the repo and follow the user) took about 8 seconds per fake account on average; without the follow step it took about 5.5 seconds. So 1000 stars and follows take a bit over two hours (1000 × 8 s). Just imagine what could have happened if the app had been left running overnight.
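The cycle above (sign up, star, follow, sign out) and its roughly 8-second period are also what make this kind of traffic easy to tell apart from organic stars: every actor is minutes old, performs exactly one star and one follow, and arrives at a near-fixed interval. The following Python script is an added example, not code from the original post or from Gitflaw, and not GitHub’s own detection logic. It runs a simple detector over a constructed event log (the account_created/star/follow schema, the thresholds, the user names and the repo_owner profile are all assumptions made for the demo) and flags repos and profiles whose activity comes from brand-new accounts at a steady cadence.

```python
"""Spotting scripted star/follow bursts from freshly created accounts.

Added example, not code from the original post and not GitHub's own logic.
The event schema (account_created / star / follow records with ISO-8601
timestamps) and every event below are constructed for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Thresholds are assumptions picked for the demo, not any real platform's policy.
MAX_ACCOUNT_AGE = timedelta(minutes=10)  # acting this soon after sign-up is suspicious
MIN_BURST = 5                            # flag a target only once this many such actions pile up
MAX_CADENCE_JITTER_S = 3.0               # a scripted loop keeps a near-constant interval


def find_fake_bursts(events):
    """Return {(action, target): report} for repos/profiles whose stars or follows
    come mostly from brand-new accounts acting at a steady cadence."""
    created = {}                 # user -> sign-up time
    actions = defaultdict(list)  # (action, target) -> [(time, user), ...]
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "account_created":
            created[ev["user"]] = ts
        else:  # "star" targets a repo, "follow" targets a profile
            actions[(ev["type"], ev["target"])].append((ts, ev["user"]))

    reports = {}
    for key, items in actions.items():
        items.sort()
        # Keep only actions taken within MAX_ACCOUNT_AGE of the actor's sign-up.
        fresh = [(ts, u) for ts, u in items
                 if u in created and ts - created[u] <= MAX_ACCOUNT_AGE]
        if len(fresh) < MIN_BURST:
            continue  # a couple of new users starring a repo is normal
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(fresh, fresh[1:])]
        med = median(gaps)
        reports[key] = {
            "fresh_account_actions": len(fresh),
            "total_actions": len(items),
            "median_gap_seconds": med,
            # Humans do not star at fixed 8-second intervals; a loop does.
            "steady_cadence": all(abs(g - med) <= MAX_CADENCE_JITTER_S for g in gaps),
            "suspect_users": [u for _, u in fresh],
        }
    return reports


def build_sample_events():
    """Constructed sample: six scripted accounts on the 8-second cycle described
    in the post (sign up, star, follow, sign out), plus a few organic actions."""
    base = datetime(2017, 1, 1, 12, 0, 0)
    events = [
        {"ts": (base - timedelta(days=400)).isoformat(), "type": "account_created", "user": "longtime_dev"},
        {"ts": (base - timedelta(days=90)).isoformat(), "type": "account_created", "user": "another_dev"},
        {"ts": (base - timedelta(hours=2)).isoformat(), "type": "star", "target": "YouAreAwesome", "user": "longtime_dev"},
        {"ts": (base + timedelta(minutes=30)).isoformat(), "type": "star", "target": "YouAreAwesome", "user": "another_dev"},
        {"ts": (base + timedelta(minutes=45)).isoformat(), "type": "star", "target": "SomeOtherRepo", "user": "another_dev"},
    ]
    for i in range(6):
        t = base + timedelta(seconds=8 * i)   # one fake account every 8 seconds
        user = f"fake_user_{i}"               # hypothetical bot account name
        events.append({"ts": t.isoformat(), "type": "account_created", "user": user})
        events.append({"ts": (t + timedelta(seconds=3)).isoformat(), "type": "star",
                       "target": "YouAreAwesome", "user": user})
        events.append({"ts": (t + timedelta(seconds=6)).isoformat(), "type": "follow",
                       "target": "repo_owner", "user": user})  # "repo_owner" is a placeholder profile
    return events


if __name__ == "__main__":
    for (action, target), report in find_fake_bursts(build_sample_events()).items():
        print(f"{action} -> {target}: {report['fresh_account_actions']}/{report['total_actions']} "
              f"from accounts younger than {MAX_ACCOUNT_AGE}, median gap {report['median_gap_seconds']}s, "
              f"steady cadence: {report['steady_cadence']}")
```

Run as a script, it flags both the starred repo and the followed profile while leaving the repo with only organic stars alone. The two signals it keys on, account age at the time of the action and the regularity of the inter-arrival time, are cheap to compute from an event stream and do not depend on a CAPTCHA at sign-up, which is one plausible reason the author saw fake followers disappear “automatically”.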


Conclusion

As far as I could see, most of the fake followers were removed (automatically, I suppose). The stars on the repo are still there, but I really expect the repo to be closed by GitHub’s staff, given the ridiculous number of stars for a repository containing a single README file ☺.

P.S.: I want to stress that this was purely a case study of GitHub’s registration process. Fake stars on your repos and fake followers are useless, and I don’t encourage it. I just want to bring this to the attention of GitHub’s security team. It’s not a big deal, but as I mentioned at the beginning of this article, a simple human verification mechanism would have made all of this harder.

Update: It looks like GitHub finally did something about it and removed all the fake accounts and stars from the repo.

Depending on interest, I may open-source the app for testing purposes only. You can DM me on Twitter at @Sebyddd if you want to talk about this story.
