
The way he was able to add his key was via a web-based exploit, which effectively gave him administrative web access. So yes, the list is correct.



I thought that he added his public key to the Rails user through his own account settings, which wouldn't give him access to the Rails web admin.


This is correct. People who don't understand what a mass-assignment bug is are running with this story. It's like when we witness a DDoS and have to tolerate people who think it means that the targeted party was infiltrated.

This bug allowed one to add their public key to another user's account, and make changes to comments and issues.
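Added illustration (not code from the thread, GitHub or Rails) of the mass-assignment pattern this comment describes, in plain Ruby standing in for an ActiveRecord model: the vulnerable form assigns every field in the request, so a user_id in the form body reassigns the key's owner, while the hardened form whitelists the attributes a request may set and takes the owner from the session. The class names, the params hash and the ids are constructed.

```ruby
# Added example (not from the thread, not GitHub's or Rails' code): a minimal
# stand-in for ActiveRecord-style mass assignment, showing how an unfiltered
# params hash lets a request set the foreign key that ties a public key to a
# user, and the whitelist that stops it.

# Hypothetical model that assigns every key in the hash, like the classic
# `Model.new(params[:public_key])` with no attr_accessible list.
class VulnerablePublicKey
  attr_accessor :user_id, :title, :key

  def initialize(current_user_id, params)
    @user_id = current_user_id
    # Mass assignment: any attribute named in params is set, including user_id.
    params.each { |name, value| public_send("#{name}=", value) }
  end
end

# Hardened form: only whitelisted attributes may come from the request;
# the owner is set from the authenticated session, never from params.
class SafePublicKey
  PERMITTED = %w[title key].freeze
  attr_reader :user_id, :title, :key

  def initialize(current_user_id, params)
    @user_id = current_user_id
    params.each do |name, value|
      name = name.to_s
      # Drop anything not on the whitelist instead of assigning it.
      next unless PERMITTED.include?(name)
      instance_variable_set("@#{name}", value)
    end
  end
end

# Constructed request body: a logged-in user (id 42) submits the add-key form
# and the body carries an extra user_id field naming another account (id 7).
CRAFTED_PARAMS = { "title" => "laptop", "key" => "ssh-rsa AAAAB3example", "user_id" => 7 }.freeze

def owner_after_vulnerable_assignment(current_user_id = 42, params = CRAFTED_PARAMS)
  VulnerablePublicKey.new(current_user_id, params).user_id
end

def owner_after_safe_assignment(current_user_id = 42, params = CRAFTED_PARAMS)
  SafePublicKey.new(current_user_id, params).user_id
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable model owner: #{owner_after_vulnerable_assignment}" # 7
  puts "hardened model owner:   #{owner_after_safe_assignment}"       # 42
end
```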


What are the odds that there's a similar bug which allows changes to user accounts? If that's the case, then altering the password or email address is trivial.



