Dev News: NFT of GitHub Exploit, Netlify’s AI Deploy, and More

GitNFT, to its surprise, discovered an exploit in GitHub that allowed users to replace Linus Torvalds as the author of his first commit, titled Initial revision of “git,” the information manager from hell.

GitNFT is, as the name suggests, a platform that allows open source software creators to create NFTs of their commits on GitHub and sell them in the OpenSea marketplace as art.

But a developer named @nbanmp discovered a flaw in the way GitHub assigns an author to a commit, and minted a GitNFT from it listing @nbanmp as the author of the Torvalds repository. The developer notified GitNFT, which at first thought it was a joke — but no. The team was able to replicate the exploit, with @VanTubor making himself the creator of git.

@VanTubor made himself the creator of a Linus Torvalds repo.

“By design, GitNFT will only let you mint NFTs of the commits you have authored (or co-authored),” the GitNFT team wrote. “The GitHub identity of the author is verified through OAuth, while the authorship is validated by examining the commit response in GitHub’s REST API.”

The exploit is possible because GitHub’s method of populating the author field is “bogus,” the team wrote.

“GitHub allows users to add email addresses to their account, but does not require the user to verify the email address,” the GitNFT team wrote. “When the commits have a null author field (which is the case for the commits of popular repositories that pre-date the octocat), GitHub will populate the author with the data of the latest account to have added that email address, regardless of whether the account is verified or not!”
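The weakness described above is in trusting the `author` object GitHub attaches to a commit response, which is populated from whichever account most recently claimed the email, verified or not. The following is an added example, not GitNFT's code, of the check a minting service could do instead: compare the git-level author (and any `Co-authored-by` trailer) email against the OAuth user's list of verified addresses from `GET /user/emails`, and never consult the populated `author.login`. The commit JSON and email list below are constructed samples trimmed to the fields used; the logins, emails and SHA are placeholders.

```python
import re
from typing import Iterable

# Constructed sample of a GET /repos/{owner}/{repo}/commits/{ref} response,
# trimmed to the fields this check uses. Placeholder values throughout.
SAMPLE_COMMIT = {
    "sha": "0000000000000000000000000000000000000000",  # placeholder, not a real sha
    "commit": {
        "author": {"name": "Example Maintainer", "email": "maintainer@example.invalid"},
        "message": "Initial import\n\nCo-authored-by: Helper <helper@example.invalid>\n",
    },
    # GitHub fills this in from whichever account most recently added the
    # author email, verified or not. Trusting it is the flaw.
    "author": {"login": "claimant-login"},
}

# Constructed sample of GET /user/emails for the OAuth-authenticated user:
# they have added the maintainer's address but never verified it.
SAMPLE_USER_EMAILS = [
    {"email": "maintainer@example.invalid", "primary": True, "verified": False},
    {"email": "claimant@example.invalid", "primary": False, "verified": True},
]

# Matches "Co-authored-by: Name <email>" trailer lines in a commit message.
CO_AUTHOR_RE = re.compile(r"^Co-authored-by:\s*.*<([^>]+)>\s*$", re.IGNORECASE | re.MULTILINE)


def naive_is_author(commit: dict, login: str) -> bool:
    """The pattern the exploit abuses: trust the populated author object."""
    author = commit.get("author")
    return bool(author) and author.get("login") == login


def commit_author_emails(commit: dict) -> set[str]:
    """Git-level author email plus any Co-authored-by trailer emails, lower-cased."""
    emails = set()
    git_email = commit["commit"]["author"].get("email")
    if git_email:
        emails.add(git_email.strip().lower())
    for match in CO_AUTHOR_RE.finditer(commit["commit"].get("message", "")):
        emails.add(match.group(1).strip().lower())
    return emails


def verified_emails(user_emails: Iterable[dict]) -> set[str]:
    """Only addresses the account has actually proven it controls."""
    return {entry["email"].strip().lower() for entry in user_emails if entry.get("verified")}


def hardened_is_author(commit: dict, user_emails: Iterable[dict]) -> bool:
    """Accept authorship only when a git author or co-author email is one of the
    authenticated user's verified addresses; the populated author object is ignored."""
    return bool(commit_author_emails(commit) & verified_emails(user_emails))


if __name__ == "__main__":
    print("naive check accepts claimant:", naive_is_author(SAMPLE_COMMIT, "claimant-login"))
    print("hardened check accepts claimant:", hardened_is_author(SAMPLE_COMMIT, SAMPLE_USER_EMAILS))
```

The hardened check closes the GitHub-side hole the team describes, but the git author email itself is self-asserted at commit time, so for commits that matter a service should additionally require a signature GitHub reports as verified rather than rely on email matching alone.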

The team submitted a report to GitHub through HackerRank but noted that it was marked as closed within a couple of minutes.

What happened to the NFT @nbanmp created? It still exists.

“Certainly, our collection is now scarred by @nbanmp’s weird NFT,” they wrote. “However, we see this imperfection as an enrichment to our collection because it immortalizes the discovery of this exploit, and hopefully helps incentivize its resolution.”

GitHub did not respond to a request for comment as of press time.

Netlify Launches AI-Enabled Deploy Assist

Web development platform Netlify introduced AI-enabled deploy assist Thursday as a generally available tool. It leverages AI to analyze failed deployments and provide suggestions to correct errors.

“As a result, developers significantly reduce their time spent manually reviewing logs, leading to increased productivity, faster and more predictable go-to-market workflows, and a more satisfying developer experience,” the company stated in a prepared release.

The AI deploy assist debugs failed builds and suggests fixes for an easier developer experience. It also assists developers with quality feedback on failed builds to enable rapid code fixes. That keeps failed builds from becoming bottlenecks, Netlify added.

Daytona Goes Open Source

Daytona, a development environment manager, has open sourced its codebase under the Apache 2.0 license. That provides developers with “unlimited freedom to modify and use Daytona as you see fit,” said Daytona co-founder and CEO Ivan Burazin.

“By opening up Daytona’s codebase, we’re inviting developers to co-create the future of development environments with us,” Burazin said. “The tools that shape our digital world will no longer be confined behind proprietary walls. Instead, they will be shaped by the people who use them, in full view of the community that needs them.”

Daytona calls itself a Codespaces alternative for managing self-hosted, secure and standardized development environments. It automates the entire process of setting up a dev environment including:

  • Provisioning the instance;
  • Interpreting and applying the configuration;
  • Setting up prebuilds;
  • Establishing a secure VPN connection;
  • Securely connecting a local or a Web IDE; and
  • Assigning a fully qualified domain name to the development environment to support sharing and collaboration.

Barracuda: Attacks on Web Applications, APIs Increased

Barracuda mitigated more than 18 billion attacks against applications during 2023, including 1.716 billion in December alone, according to the IT security firm. Overall, attacks on web applications and APIs have increased dramatically, the company stated.

There are two reasons why web application attacks are on the rise, according to the company:

  1. Many web applications have vulnerabilities or configuration errors: Barracuda’s research found 30% of all attacks against web applications target security misconfigurations, such as coding and implementation errors.
  2. Web applications contain personal and financial data, which is lucrative data for an attacker.

They are also a prime target for cyberattacks. According to the latest Verizon Data Breach Investigations Report, web applications were the top action vector in 2023, used in 80% of incidents and 60% of breaches.

“Barracuda research shows that 40% of IT professionals who’ve been involved in ethical hacking believe web application attacks are among the most lucrative for cyber-attackers, and 55% say the same for APIs,” the firm noted in its write-up about the trend.

Among the more popular attacks are code injections, Log4Shell and LDAP injection attacks. Barracuda’s anti-botnet detection data also revealed that 53% of bot attacks targeting web applications in December were volumetric distributed denial of service (DDoS) attacks.
