Github censored malware research data
Update Oct 15: Gitlab also removed my data, but later admitted that it had misinterpreted it, and it was quickly reinstated. See discussion on Hacker News and Gitlab statement.
Surprised that @github just censored my list of compromised stores, without notice. I am off to Gitlab. https://t.co/0f4ReXaOqR — gwillem (@gwillem) October 14, 2016
Hey, you know what will fix the problem of malware on stores? Suppressing stories about malware on stores. https://t.co/HnVaZbAhWg — Troy Hunt (@troyhunt) October 15, 2016
GitLab reinstates @gwillem's list of infected online stores. https://t.co/mnm4NWTqaB — Mikko Hypponen (@mikko) October 15, 2016
We learned that not all disclosures that don't notify the owner are irresponsible, thanks @gwillem https://t.co/afXFhfYuJJ /cc @Hacker0x01 — GitLab (@gitlab) October 15, 2016
This incident was really well handled by @gitlab all around pic.twitter.com/AvqoMmIWCp — The Practical Dev (@ThePracticalDev) October 16, 2016
After publishing a list of compromised online stores, I was contacted by several people who claimed their sites had not been compromised (while in fact they had been, as archive.org provides solid proof) and threatened to sue me.
Then last night, Github removed my research results, without sending me a notice.
First, some facts:
- Data came from public sources such as builtwith.com, DNS zones and site frontpages.
- The list I published on Oct 11th was accurate as of Oct 10th.
- I have published an updated list as of Oct 12th (also taken offline by Github) that showed that 332 shops had in fact fixed their site since my publication. It also showed that 170 new shops had been compromised.
- I wrote about this in 2015. The problem is not solved today; in fact, it has nearly doubled.
- I have told and stressed to any journalist that the problem is not with a particular type of store software, but is due to sloppy maintenance.
- I have contacted about 30 merchants directly. I got either no response, or “thanks but we are safe” even though I pointed out the specific malware code on their frontpage.
- I have, prior to publication, submitted all URLs and malware samples to Google’s Safe Browsing team. They have since only acted upon a small portion of the sites.
I understand that Github doesn’t have the resources to investigate each and every DMCA notice. However, it still took me by surprise that Github censors data so easily.
So I am happy to have moved my data to Gitlab (co-founded by an amazing Dutch guy) today.
Here is an up-to-date list of compromised stores, which was established 40 minutes ago (Oct 14th).
I understand that if you are a merchant, it is not a pleasure to be on that list. I absolutely agree that publishing a list of compromised stores is a tough measure. However, I think this is better than letting the problem fester (as it has been since 2015). If you have cleaned your store, send me an email (preferably with a Magereport screenshot) and I’d be happy to remove you.
So far, between Oct 10 and Oct 14, 631 stores have been fixed. Great work everybody!