ctx project takeover #31 (Merged)

Conversation
dstufft approved these changes on May 24, 2022.

di reviewed on May 24, 2022.

Comment on lines +172 to +173:
> We also advise PyPI users to enable multi factor authentication on their PyPI
> accounts following the references at https://pypi.org/help/#twofa

Contributor

Suggested change
- We also advise PyPI users to enable multi factor authentication on their PyPI
- accounts following the references at https://pypi.org/help/#twofa
+ We also advise all PyPI users, but especially project maintainers, to enable
+ multi factor authentication on their PyPI accounts following the references at
+ https://pypi.org/help/#twofa
> Between 2022-05-14T19:18:36Z and 2022-05-24T10:07:17Z the following release
> below files were hosted by PyPI at various times containing this malicious
> payload

Contributor

Suggested change
- payload
+ payload.
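Review bot: the quoted context at "the following release below files were hosted" carries two competing phrasings ("following" and "below"); while this sentence is being touched for the trailing period, suggest "the following release files were hosted by PyPI at various times containing this malicious payload." so the list that follows has a single introduction.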
> If you installed the package between May 14, 2022 and May 24, 2022, and your
> environment variables contain sensitive data like passwords and API keys (like
> AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), we advise you rotate your

Contributor

Suggested change
- AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), we advise you rotate your
+ ``AWS_ACCESS_KEY_ID`` and ``AWS_SECRET_ACCESS_KEY``), we advise you rotate your
> The ``ctx`` hosted project on PyPI was taken over via user account compromise
> and replaced with a malicious project which contained runtime code which
> collected the content of ``os.environ.items()``` when instantiating ``Ctx``

Contributor

Suggested change
- collected the content of ``os.environ.items()``` when instantiating ``Ctx``
+ collected the content of ``os.environ.items()`` when instantiating ``Ctx``

> * Freeze the compromised user account of the owner
> The activity log of the user, action log on the project, metadata for all
> historical uploads---including malicious---, archives of the files, and their

Contributor

Suggested change
- historical uploads---including malicious---, archives of the files, and their
+ historical uploads (including malicious), archives of the files, and their
> The ``ctx`` project was registered and uploaded to PyPI in 2014. According to
> Libraries.io, the project on PyPI that declares it as a dependency is
> ``context-engine``. No known repositories that Libraries.io analyzes declares
> ``ctx`` as a dependency.

Contributor

https://deps.dev/pypi/ctx/0.1.2/dependents confirms this as well.
> publicly visible email addresses associated with project metadata containing
> expired domains, which happened to match the domains of owner user accounts for
> projects.

Contributor

Suggested change
+ Currently, PyPI has some protections in place for expired email domains: if
+ PyPI sends an email to a user's email address, and that email bounces, PyPI
+ will disable the verified status of that email. As password resets require
+ verified email addresses, an attacker would be unable to use the expired domain
+ to gain access to the account. However, this depends on PyPI sending an email
+ to the expired domain in the time period between expiry and an attacker
+ attempting a takeover.
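Review bot: the added paragraph describes the bounce-based safeguard well but leaves the maintainer-side action implicit; since the context lines tie the takeover to owner accounts whose email domains had expired, suggest closing the paragraph with a sentence advising maintainers to keep their PyPI account email on a domain they still control and to update the address before a domain is allowed to lapse.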
> We also advise PyPI users to enable multi factor authentication on their PyPI
> accounts following the references at https://pypi.org/help/#twofa

Contributor

Suggested change
+ Additionally, version-pinning and using `hash checking mode
+ <https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode`_
+ would prevent this attack, which depends on users automatically upgrading to
+ the latest available version at install-time.
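Review bot: the RST hyperlink on the second added line is missing its closing `>` before the backtick (`#hash-checking-mode`_` should read `#hash-checking-mode>`_`), so the reference will not render as a link. Separately, "would prevent this attack" only holds for pins made before the compromise window: a requirements file whose hashes were generated between 2022-05-14 and 2022-05-24 would have recorded the replaced files as trusted. Suggest "would have prevented this attack for users whose pins and hashes predated the compromise, since it depends on users automatically upgrading to the latest available version at install-time."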
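As an added example (not code from this pull request, from the advisory, or from pip itself), the following Python models the rule that the hash-checking-mode suggestion above relies on: a requirement is installable only if it is pinned with `==`, carries at least one strong `--hash`, and the downloaded artifact's digest matches one of the recorded values. The two artifact byte strings are constructed stand-ins, not the real `ctx` 0.1.2 files, and the function names are this example's own.

```python
"""Toy model of pip's hash-checking mode (added example, not pip's own code)."""
import hashlib
import re

# Constructed stand-in artifacts; these are NOT the real ctx 0.1.2 files.
PINNED_ARTIFACT = b"ctx-0.1.2 sdist bytes as vetted before the compromise window (constructed)"
REPLACED_ARTIFACT = b"ctx-0.1.2 bytes re-uploaded under the same version (constructed)"

# Digest algorithms pip accepts in --hash options.
STRONG_HASHES = ("sha256", "sha384", "sha512")

# A requirement spec is only acceptable when pinned to one exact version.
_PINNED_SPEC = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9.!+]+)")


class HashCheckError(ValueError):
    """A requirement line that --require-hashes mode would refuse to install."""


def parse_requirement(line):
    """Return (name, version, {algorithm: {hexdigest, ...}}) for one requirement line.

    Mirrors the rules pip enforces once hash checking is on: the version must be
    pinned with ==, every hash must use a strong algorithm, and at least one
    hash must be present.
    """
    tokens = line.split()
    if not tokens:
        raise HashCheckError("empty requirement line")
    spec, options = tokens[0], tokens[1:]
    match = _PINNED_SPEC.fullmatch(spec)
    if match is None:
        raise HashCheckError(f"{spec!r} is not pinned with ==; an unpinned spec follows upgrades")
    hashes = {}
    for option in options:
        if not option.startswith("--hash="):
            raise HashCheckError(f"unsupported option {option!r}")
        algorithm, _, digest = option[len("--hash="):].partition(":")
        if algorithm not in STRONG_HASHES:
            raise HashCheckError(f"{algorithm!r} is not an accepted hash algorithm")
        if not re.fullmatch(r"[0-9a-fA-F]+", digest):
            raise HashCheckError(f"malformed digest for {spec}")
        hashes.setdefault(algorithm, set()).add(digest.lower())
    if not hashes:
        raise HashCheckError(f"{spec} carries no --hash; one is required in hash-checking mode")
    return match.group(1), match.group(2), hashes


def rejection_reason(line):
    """None if the line is acceptable under hash-checking rules, else the reason."""
    try:
        parse_requirement(line)
    except HashCheckError as exc:
        return str(exc)
    return None


def artifact_matches(line, data):
    """True only if the downloaded bytes match one of the digests pinned on the line."""
    _, _, hashes = parse_requirement(line)
    return any(hashlib.new(algorithm, data).hexdigest() in digests
               for algorithm, digests in hashes.items())


def hashed_requirement(name, version, data, algorithm="sha256"):
    """Build the line to pin after vetting an artifact (what `pip hash` computes)."""
    digest = hashlib.new(algorithm, data).hexdigest()
    return f"{name}=={version} --hash={algorithm}:{digest}"


def demo():
    """Pin the vetted artifact, then show what the check accepts and rejects."""
    line = hashed_requirement("ctx", "0.1.2", PINNED_ARTIFACT)
    return {
        "pinned_artifact_accepted": artifact_matches(line, PINNED_ARTIFACT),
        # Same name and version, different bytes: the digest no longer matches.
        "replaced_artifact_rejected": not artifact_matches(line, REPLACED_ARTIFACT),
        # A range spec would silently pick up a newer upload.
        "unpinned_line_rejected": rejection_reason("ctx>=0.1 --hash=sha256:00") is not None,
        # A pin without a digest still trusts whatever the index serves.
        "hashless_line_rejected": rejection_reason("ctx==0.1.2") is not None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run it directly to see the four checks. The real workflow the example models is `pip hash <file>` to record the digest of an artifact you vetted and `pip install --require-hashes -r requirements.txt` to refuse anything that does not match, which is also why the protection covers only pins recorded before a release was replaced.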
di added a commit to di/python-security that referenced this pull request on May 24, 2022.