Jump to content
john.doe

PyPI Python Package Hack

Recommended Posts

There is a brand new hack out there that has very quietly affected many of people.  Malicious developers uploaded slightly misspelled library names in Python’s package installer PyPi. Prominent examples include urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code. It is very similar to what happens when you type in http://cnnn.com/ vs. http://cnn.com/

 

Possible fix: https://github.com/williamforbes/pypi_hacked_names

Source: http://www.bytelion.com/pypi-python-package-hack/

More info: https://news.ycombinator.com/item?id=15256121

  • Upvote 1
Link to comment
Share on other sites

From what i know the Python Package Index is just a simple repo without any "special' security. For instance, the PyPI repository does not perform any types of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.

Definitely things need  to change.

  • Upvote 1
Link to comment
Share on other sites

  • Active Members

In principiu:

 

- tu, ca developer care descarca un package, trebuie sa faci audit (sau sa pui pe altcineva sa faca asta daca folosesti modulul in ceva critical environment / production). 

- toate package-urile PyPi au semnaturi md5 atasate (unele au chiar si PGP). Cu md5 se verifica integritatea, iar cu PGP integritatea + originea. (asa ca e recomandat sa se descarce package-urile care au md5 + PGP).

 

Acum intrebarea fireasca: pot sa fie PyPi signatures trusted ? Pai, pot fi trusted la fel de mult ca oricare alta semnatura :)

 

Am vazut ca se practiva mentinerea unui repo PyPi intern. Avantaje:

 

- verificare mai buna

- fiabilitate mai buna + viteza (daca serverul oficial PyPi pica, te doare la banana)

- eviti problemele cu updateurile / package-urile inlocuite bla bla

  • Upvote 2
Link to comment
Share on other sites

Hi MrGrj,

 

I agree with you.

Unfortunately, not all Python users can be endorsed as developers, some are just using it because its simplicity. For a developer (I mean a PRO) you need to follow some best practices and guidelines (not true for everyone though).

For instance, recently I started to work for a big company which, to my surprise, does not implement any procedures at all regarding this. Either they do not realize the impact of such attacks or just ignore it. I did my job and informed my colleagues about this threat.

In my opinion signing packages is good but not enough (CCleaner is a good example).

Anyway, is up to every PRO/Business to implement a strategy to protect from this threats until further actions from PyPi community.

 

Stay safe

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...