GitHub fixes authorisation vulnerability in the NPM JavaScript package registry

Flaw allowed 'an attacker to publish new versions of any npm package'


GitHub said it has fixed a longstanding issue with the NPM (Node Package Manager) JavaScript registry that would allow an attacker to update any package without proper authorisation.

Chief security officer Mike Hanley posted yesterday about the issue, which was reported by security researchers Kajetan Grzybowski and Maciej Piechota on 2 November and patched within six hours. That impressive speed contrasts with the length of time the vulnerability existed, said to be longer than "the timeframe for which we have available telemetry, which goes back to September 2020."

The vulnerability was based on a familiar insecurity pattern, where the system correctly authenticates a user but then allows access beyond what that user's permissions should enable. In this case, the NPM service correctly validated that a user was authorised to update a package, but "the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.

"This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package."

NPM is an essential resource for millions of developers; for example, one of the most popular packages is lodash, a JavaScript utility library that is downloaded around seven million times a day. The consequences of a malicious version of such a package would be severe, which is why Hanley added that "we can say with high confidence that this vulnerability has not been exploited maliciously" at least since September 2020.

Hanley also revealed that the names of some privately published packages, which should not be listed on the public registry, were inadvertently exposed via a public NPM replica, for about a week. The content of the packages were not accessible, though, and this was fixed on 29 October.

GitHub is planning to tighten the security of the NPM registry by requiring two-factor authentication (2FA) for maintainers and admins of the most popular packages, starting in the first quarter of 2022. 2FA is already possible but not required. The 2FA technology used will be WebAuthn. Details of how this will work will be published "in the coming weeks," Hanley said.

The goal is to prevent account takeovers, such as last month's incident involving ua-parser-js. At the time GitHub warned: "Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer."

The NPM community has also discussed strengthening security via code signing. It is already possible to verify the PGP (Pretty Good Privacy) signature of an NPM package but this only guarantees that the package downloaded matches what was published, and would not help in the case where a package is published but without proper authorisation. ®


Other stories you might like

  • GPL legal battle: Vizio told by judge it will have to answer breach-of-contract claims
    Fine-print crucially deemed contractual agreement as well as copyright license in smartTV source-code case

    The Software Freedom Conservancy (SFC) has won a significant legal victory in its ongoing effort to force Vizio to publish the source code of its SmartCast TV software, which is said to contain GPLv2 and LGPLv2.1 copyleft-licensed components.

    SFC sued Vizio, claiming it was in breach of contract by failing to obey the terms of the GPLv2 and LGPLv2.1 licenses that require source code to be made public when certain conditions are met, and sought declaratory relief on behalf of Vizio TV owners. SFC wanted its breach-of-contract arguments to be heard by the Orange County Superior Court in California, though Vizio kicked the matter up to the district court level in central California where it hoped to avoid the contract issue and defend its corner using just federal copyright law.

    On Friday, Federal District Judge Josephine Staton sided with SFC and granted its motion to send its lawsuit back to superior court. To do so, Judge Staton had to decide whether or not the federal Copyright Act preempted the SFC's breach-of-contract allegations; in the end, she decided it didn't.

    Continue reading
  • US brings first-of-its-kind criminal charges of Bitcoin-based sanctions-busting
    Citizen allegedly moved $10m-plus in BTC into banned nation

    US prosecutors have accused an American citizen of illegally funneling more than $10 million in Bitcoin into an economically sanctioned country.

    It's said the resulting criminal charges of sanctions busting through the use of cryptocurrency are the first of their kind to be brought in the US.

    Under the United States' International Emergency Economic Powers Act (IEEA), it is illegal for a citizen or institution within the US to transfer funds, directly or indirectly, to a sanctioned country, such as Iran, Cuba, North Korea, or Russia. If there is evidence the IEEA was willfully violated, a criminal case should follow. If an individual or financial exchange was unwittingly involved in evading sanctions, they may be subject to civil action. 

    Continue reading
  • Meta hires network chip guru from Intel: What does this mean for future silicon?
    Why be a customer when you can develop your own custom semiconductors

    Analysis Here's something that should raise eyebrows in the datacenter world: Facebook parent company Meta has hired a veteran networking chip engineer from Intel to lead silicon design efforts in the internet giant's infrastructure hardware engineering group.

    Jon Dama started as director of silicon in May for Meta's infrastructure hardware group, a role that has him "responsible for several design teams innovating the datacenter for scale," according to his LinkedIn profile. In a blurb, Dama indicated that a team is already in place at Meta, and he hopes to "scale the next several doublings of data processing" with them.

    Though we couldn't confirm it, we think it's likely that Dama is reporting to Alexis Bjorlin, Meta's vice president of infrastructure hardware who previously worked with Dama when she was general manager of Intel's Connectivity group before serving a two-year stint at Broadcom.

    Continue reading

Biting the hand that feeds IT © 1998–2022