john.doe Posted September 20, 2017

There is a brand new hack out there that has very quietly affected many people. Malicious developers uploaded slightly misspelled library names to Python's package installer PyPI. Prominent examples include urllib vs. urrlib3, bzip vs. bzip2, etc. These packages contain the exact same code as their upstream packages, thus their functionality is the same, but the installation script, setup.py, is modified to include malicious (but relatively benign) code. It is very similar to what happens when you type in http://cnnn.com/ vs. http://cnn.com/

Possible fix: https://github.com/williamforbes/pypi_hacked_names
Source: http://www.bytelion.com/pypi-python-package-hack/
More info: https://news.ycombinator.com/item?id=15256121
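A defensive check for the misspelled-name problem described in the post above, as an added example that is not part of the original post or of the linked pypi_hacked_names project: it flags requirement names that sit within two edits of a name on a team allowlist. The allowlist, the sample requirement lines and all function names are constructed for illustration; only `urrlib3` is taken from the post.

```python
import re

# Assumption: names the team actually intends to install (constructed allowlist).
KNOWN_GOOD = {"urllib3", "requests", "setuptools"}
# Constructed sample of requirements.txt lines.
SAMPLE = ["requests==2.18.4", "urrlib3>=1.22  # name from the post",
          "setup-tools", "# a comment", "-r other.txt", "flask"]

def normalize(name):
    """PEP 503 normalisation: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def requirement_name(line):
    """Project name from one requirements line; None for blanks, comments, options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None

def audit(lines, known=KNOWN_GOOD, max_dist=2):
    """Return (name, near_matches) for every name not on the allowlist.
    Non-empty near_matches means a likely misspelling of a trusted name."""
    known = {normalize(k) for k in known}
    findings = []
    for line in lines:
        name = requirement_name(line)
        if name is None or name in known:
            continue
        near = sorted(k for k in known if osa_distance(name, k) <= max_dist)
        findings.append((name, near))
    return findings

if __name__ == "__main__":
    for name, near in audit(SAMPLE):
        print(name, "-> looks like", near if near else "nothing on the allowlist")
```

Run before `pip install` in CI so that a near-miss name fails the build instead of executing its setup.py.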
Nytro Posted September 20, 2017

But aren't the uploaded ones also checked by someone?
john.doe Posted September 20, 2017

From what I know, the Python Package Index is just a simple repo without any "special" security. For instance, the PyPI repository does not perform any type of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online. Things definitely need to change.
Active Members MrGrj Posted September 20, 2017

In principle:
- you, as the developer downloading a package, have to do the audit (or have someone else do it if you use the module in a critical environment / production).
- all PyPI packages have md5 signatures attached (some even have PGP). md5 is used to verify integrity, and PGP to verify integrity + origin (so it is recommended to download packages that have md5 + PGP).

Now the natural question: can PyPI signatures be trusted? Well, they can be trusted just as much as any other signature.

I have seen that keeping an internal PyPI repo is a common practice. Advantages:
- better verification
- better reliability + speed (if the official PyPI server goes down, you couldn't care less)
- you avoid the problems with updates / replaced packages, blah blah
john.doe Posted September 21, 2017

Hi MrGrj, I agree with you. Unfortunately, not all Python users can be endorsed as developers; some are just using it because of its simplicity. For a developer (I mean a PRO) you need to follow some best practices and guidelines (not true for everyone though). For instance, I recently started to work for a big company which, to my surprise, does not implement any procedures at all regarding this. Either they do not realize the impact of such attacks or they just ignore it. I did my job and informed my colleagues about this threat.

In my opinion signing packages is good but not enough (CCleaner is a good example). Anyway, it is up to every PRO/business to implement a strategy to protect against these threats until further action from the PyPI community.

Stay safe