
posted by martyb on Wednesday September 02 2015, @02:47PM
from the large-bills-are-found-on-giant-ducks,-right? dept.

We had two different reports concerning a bug in a GitHub addon to Visual Studio which led to a developer's keys to their Amazon account getting compromised which resulted in a rather large bill.

GitHub's Visual Studio Add-on costs user $6,500

A developer published some of his code, as a paid GitHub subscriber, to a private storage space on GitHub's servers using a tool co-developed by Microsoft and GitHub. Due to a bug in the software, instead of going to their private storage space, it went to a public one, without the developer having any indication anything had gone wrong.

Included in this private code were the developer's keys to their Amazon cloud account. BitCoin miners, who scan GitHub for Amazon keys, found them and began using the developer's account to process BitCoins in the cloud. By the next morning the developer was receiving notifications of oddities on his account and contacted Amazon support; by this time he had a $1,700 bill with Amazon. Within the next 2 hours, with various calls to Amazon for support, he finally contained the issue, with a nearly $6,500 bill.

https://www.humankode.com/security/how-a-bug-in-visual-studio-2015-exposed-my-source-code-on-github-and-cost-me-6500-in-a-few-hours

Bug in Visual Studio GitHub Commit Tool Leads to $6,500 Amazon Web Services Bill

A bug in the GitHub Extension for Visual Studio 2015 ultimately led a South African web developer to be charged $6,500 for Amazon Web Services instances used by criminals:

Carlo van Wyk of Cape Town–based Humankode said he used the GitHub Extension for Visual Studio 2015 to commit one of his local Git code repositories to a private repository on GitHub. Unfortunately, however – and unknown to van Wyk at the time – a bug in the extension caused his code to be committed to a public GitHub repository, rather than a private one as he intended.

The extension is developed and maintained by GitHub itself, although it was created with a little help from Microsoft. Van Wyk said in his blog post that both companies have since been in touch with him and the bug has been confirmed and patched. But that won't help mitigate the fallout of what happened after van Wyk committed his repo.

Within around ten minutes after publishing his code, he received a notification from Amazon Web Services telling him his account had been compromised. He had (somewhat foolishly) included an AWS access key in the code that he had committed to GitHub.

It's not entirely clear what happened next. Van Wyk said he immediately changed his AWS root password, revoked all of his access keys, and created new ones. Nonetheless, within hours the data thieves had managed to sign him up for AWS's Elastic Compute Cluster and fire off more than 20 instances in each EC2 region. By the time the dust cleared, his AWS account had racked up a bill of $6,484.99.

Such cases aren't new. Miscreants – probably Bitcoin miners, in most cases – have begun routinely trolling public GitHub repositories with bots that search for AWS keys. In van Wyk's case, however, he never expected his repo to be public in the first place.

[...] GitHub, on the other hand, has apologized for the error in its code, describing it as "inexcusable." GitHub team member Phil Haack added, "As for preventing this in the future, we are trying to take a comprehensive look at the conditions and systems that allowed this to happen in the first place and how we can improve those systems to mitigate such issues in the future."
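A defender-side counterpart to the key-scanning bots described above, added here as an illustration and not code from the story, GitHub or Humankode: a small pre-commit style scanner that flags AWS access key IDs and secret access keys in files before they are pushed anywhere. It assumes AWS's published key format (20-character IDs starting AKIA or ASIA, 40-character secrets), and the sample config uses AWS's documented placeholder credentials, not real ones.

```python
import re
import sys

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA long-term, ASIA temporary)
# followed by 16 uppercase letters/digits. The lookarounds avoid matching inside a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 chars of base64-like text; on their own that pattern is too
# generic, so only flag a 40-char token assigned to an identifier that mentions "secret".
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_a-z]*\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_aws_credentials(text):
    """Return (line_no, kind, value) for every AWS credential pattern found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((line_no, "secret_access_key", m.group(1)))
    return findings


def redact(value):
    """Show only enough of a credential to identify it in a report, never the whole value."""
    return value[:4] + "..." + value[-4:]


def main(paths):
    """Pre-commit style check: return 1 (block the commit) if any file contains AWS credentials."""
    found = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, kind, value in find_aws_credentials(fh.read()):
                print(f"{path}:{line_no}: {kind} {redact(value)}")
                found = True
    return 1 if found else 0


# Constructed sample config; the values are AWS's documented placeholder credentials.
SAMPLE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
region = eu-west-1
"""

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired into a git pre-commit hook as `python scan.py $(git diff --cached --name-only)`, a non-zero exit aborts the commit before the key ever reaches a remote, public or private.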



  • (Score: 3, Insightful) by Francis on Wednesday September 02 2015, @03:44PM

    by Francis (5544) on Wednesday September 02 2015, @03:44PM (#231305)

    Indeed, and I'd be surprised if any of the people responsible would pay for the damages. From the looks of it, Amazon ought to be on the hook for the portion of the charges that happened after he reported it. It shouldn't take 2 hours of calls during which more charges are being racked up for the problem to be stopped. Amazon really ought to waive that portion of the bill. At bare minimum they ought to have locked the account until things were straightened out.

  • (Score: 3, Interesting) by VLM on Wednesday September 02 2015, @04:15PM

    by VLM (445) Subscriber Badge on Wednesday September 02 2015, @04:15PM (#231319)

    At bare minimum they ought to have locked the account until things were straightened out.

    Having worked at a telco, when you're dealing with tens to hundreds of dollars of long distance charges (yeah, back in the old days), despite only having 8088 processors we were easily able to shoot first and ask questions later, and we'd block accounts for that, or less.

    I guess when you're talking about thousands of dollars, it's too much to ask a company to cut into their own salary by blocking obvious fraud.

    Something similar happened to my mom maybe a decade ago where commissioned salesdroids at a car dealership and savings+loan worked with some crooks in Texas to buy a car under her information and then disappear across the Mexican border. When you have a commission staring you in the face it's hard to "notice" that the purchaser paperwork shows her as a white old woman near the Canadian border while the purchaser standing in front of you is a young Spanish-speaking brown-skinned man. Nothing really bad happened to my mom; it was such obvious fraud everyone in the financial legal system laughed it off as they struck it from her record, but it did delay her new car purchase by a week or two. When there's no fraud or "problems" you can get a new car in like "a day", so it was quite a delay. Anyway, in summary, you can't ask commissioned salespeople to not pay themselves, no matter how obviously fraudulent an event is happening. At least not in the modern USA.

    • (Score: 1) by Francis on Wednesday September 02 2015, @04:26PM

      by Francis (5544) on Wednesday September 02 2015, @04:26PM (#231326)

      It's a matter of motivation. It's about time we prevented companies from disclaiming any liability due to their own incompetence. Granted, software that's given away for free ought to get some sort of limit to liability, but there are too many commercial products out there where the limits on their responsibility are virtually nil.

      And I don't doubt that a telco can get things frozen almost immediately. It's beyond me how the likes of AT&T thought that it was acceptable to let people run up hundreds of thousands of dollars worth of debt when those iPhones came out and were constantly pinging back to the US.

      • (Score: 0) by Anonymous Coward on Wednesday September 02 2015, @04:31PM

        by Anonymous Coward on Wednesday September 02 2015, @04:31PM (#231330)

        Actually ALL software (and websites), unless stated by law (and even then it's questionable across borders)... IT IS ALWAYS YOUR FAULT.

        • (Score: 1) by Francis on Wednesday September 02 2015, @04:33PM

          by Francis (5544) on Wednesday September 02 2015, @04:33PM (#231331)

          That's not true. If that were true, then it wouldn't have to be added to the EULAs and ToS of all those software packages. This isn't any different from any number of other products where the manufacturer is responsible for damages when their device doesn't work as designed or does something that can't reasonably be predicted.

          • (Score: 0) by Anonymous Coward on Wednesday September 02 2015, @10:22PM

            by Anonymous Coward on Wednesday September 02 2015, @10:22PM (#231469)

            You got the clue x 4! It is why it is in every EULA!!!!

    • (Score: 2) by sjames on Wednesday September 02 2015, @09:50PM

      by sjames (2882) on Wednesday September 02 2015, @09:50PM (#231456) Journal

      At some point, those commissioned droids effectively become a party to the crime. It's time to start enforcing that.