Compromising the integrity of the npm registry.

Recently it was disclosed that the NPM registry leaked the usernames, salts and sha1 hashes of registry users. Essentially this amounts to a breach of about 4k user accounts.

The issue has since been taken care of and users are being asked (not forced) to change their passwords. The leaked data has been exposed for a very long time, probably for as long as the registry has been running on couch. Everyone should be resetting their passwords. Now.

I first found out and notified Isaac about this on 3/1/2012. I only found out about this because I was looking for potential ways that &! could be compromised.

One of the ways we build our development and production environments is by using npm to install packages. I was curious just how hard it would be to compromise the integrity of packages published to the registry; it turns out, not very. It is worth pointing out, however, that npm is meant to be a distribution channel: a free and open service in which anybody can distribute packages. It is not meant to provide any level of integrity or quality checking. As developers we are responsible for the code that executes in our environments. Maybe checking verified packages into your project's repository isn't such a bad idea after all.

It took only 24 hours on an old spare machine to crack 25% of the passwords, with very little effort or CPU power.

The cracked passwords included those of prominent, well-respected members of the node.js community who control publishing rights to widely used packages.

To be clear, this was not done for the sake of gaining access to those passwords; the data has been destroyed, and I never tried to log in with any account. It was just a test of how hard it would be to abuse it and thus what level of actual threat it represented.

There are some great comments on whether this was a couch problem or an npm problem in this thread.

During that time I also discovered a number of persistent and reflected cross-site scripting vulnerabilities that were patched in this pull request.

Finally, I would like to thank Isaac for taking the time to communicate with me over email about this, keeping me updated as things progressed, and most importantly shipping a fix and being transparent with the node community.

I'm very interested in comments on this and appreciate feedback either via email (baldwin@andyet.net) or twitter @adam_baldwin

tl;dr

  • Only 24 hours to crack 25% of the user passwords.
  • It’s not required that you reset your password; do so anyway.
  • You are responsible for the code you run in production, not NPM.
  • Serious thank you to @izs and @_jhs for shipping a fix & being transparent
