29 changes: 22 additions & 7 deletions pypi-vuln/index-2022-05-24-ctx-domain-takeover.rst
Expand Up @@ -7,17 +7,17 @@ Summary

The ``ctx`` hosted project on PyPI was taken over via user account compromise
and replaced with a malicious project which contained runtime code which
collected the content of ``os.environ.items()``` when instantiating ``Ctx``
collected the content of ``os.environ.items()`` when instantiating ``Ctx``
objects. The captured environment variables were sent as a base64 encoded query
parameter to a heroku application running at ``https://anti-theft-web.herokuapp.com``.

Between 2022-05-14T19:18:36Z and 2022-05-24T10:07:17Z the following release
below files were hosted by PyPI at various times containing this malicious
payload
payload.

If you installed the package between May 14, 2022 and May 24, 2022, and your
environment variables contain sensitive data like passwords and API keys (like
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), we advise you rotate your
``AWS_ACCESS_KEY_ID`` and ``AWS_SECRET_ACCESS_KEY``), we advise you rotate your
passwords and keys, then perform an audit to determine if they were exploited.

+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------+------------------------------------------------------------------+
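Review bot: "the following release below files" is redundant; drop either "following" or "below", e.g. "the following release files were hosted by PyPI at various times containing this malicious payload." The backtick fix on the ``os.environ.items()`` line and the added terminal period are correct. Two smaller style points in the same paragraph: "heroku" is a product name and should be capitalised ("Heroku"), and "base64 encoded query parameter" reads better hyphenated as "base64-encoded".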
Expand Down Expand Up @@ -109,7 +109,7 @@ administrator used existing tools to:
* Freeze the compromised user account of the owner

The activity log of the user, action log on the project, metadata for all
historical uploads---including malicious---, archives of the files, and their
historical uploads (including malicious), archives of the files, and their
locations in object storage were backed up for further analysis.

WHOIS records were then queried to confirm that the domain associated with the
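Review bot: "(including malicious)" is missing its noun after the dash-to-parenthesis change; "(including the malicious ones)" or "(including the malicious uploads)" keeps the sentence parseable. Otherwise the replacement of the ``---`` em-dash pair with parentheses is an improvement, since the double dash did not render consistently.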
Expand All @@ -133,7 +133,8 @@ Impact Assessment
The ``ctx`` project was registered and uploaded to PyPI in 2014. According to
Libraries.io, the project on PyPI that declares it as a dependency is
``context-engine``. No known repositories that Libraries.io analyzes declares
``ctx`` as a dependency.
``ctx`` as a dependency. This is additionally confirmed by
https://deps.dev/pypi/ctx/0.1.2/dependents.

Before the malicious releases were uploaded, ``ctx`` saw on average 1600
downloads per day. After malicious releases were uploaded, downloads rose to a
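Review bot: the deps.dev URL added here is pinned to a single version (``/pypi/ctx/0.1.2/dependents``), so it only confirms the dependents of 0.1.2 rather than of the project as a whole; either say so in the sentence ("confirmed for version 0.1.2 by ...") or link the unversioned dependents view if deps.dev provides one. While touching this paragraph, the context line "No known repositories ... declares" has a subject-verb mismatch and should read "declare".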
Expand Down Expand Up @@ -161,6 +162,14 @@ publicly visible email addresses associated with project metadata containing
expired domains, which happened to match the domains of owner user accounts for
projects.

Currently, PyPI has some protections in place for expired email domains: if
PyPI sends an email to a user's email address, and that email bounces, PyPI
will disable the verified status of that email. As password resets require
verified email addresses, an attacker would be unable to use the expired domain
to gain access to the account. However, this depends on PyPI sending an email
to the expired domain in the time period between expiry and an attacker
attempting a takeover.

Performing this analysis on an ongoing basis and freezing accounts with expired
or near expiration domains is a potential mitigation that could protect absent
maintainers in the future, at the cost of increased support burden on the team
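Review bot: the new paragraph's claim that "an attacker would be unable to use the expired domain to gain access" is stronger than the mechanism supports, as the final sentence itself concedes: the bounce-based unverification only fires if PyPI happens to send mail while the domain is expired and undeliverable. Once the domain has been re-registered, mail to that address is delivered rather than bounced, so the protection never triggers and the attacker can complete a password reset. Suggest rewording to "an attacker would be unable to use the expired domain for a password reset, provided PyPI has already sent an email that bounced during the window between expiry and re-registration", which makes the race condition explicit and motivates the ongoing-analysis mitigation in the following paragraph.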
Expand All @@ -169,8 +178,14 @@ of PyPI moderators and admins.
Further Reccomendations
=======================

We also advise PyPI users to enable multi factor authentication on their PyPI
accounts following the references at https://pypi.org/help/#twofa
We also advise all PyPI users, but especially project maintainers, to enable
multi factor authentication on their PyPI accounts following the references at
https://pypi.org/help/#twofa.

Additionally, version-pinning and using `hash checking mode
<https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode`_
would prevent this attack, which depends on users automatically upgrading to
the latest available version at install-time.

The safety and pip-audit projects can be used to check for known
vulnerabilities in your dependencies:
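Review bot: the reStructuredText hyperlink added in the hash-checking-mode sentence is malformed: the URL target is never closed, so ``<https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode`_`` should be ``<https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode>`_`` (note the ``>`` before the closing backtick); as written the link will fail to render and will likely produce a build warning. Also in this hunk: the section heading in the context line is misspelled ("Reccomendations" should be "Recommendations"), and "multi factor authentication" should be hyphenated ("multi-factor"). The new sentence on pinning and hash checking is a good addition; consider "would have prevented this attack" since it describes the incident already analysed above.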