The story of how I can rend the ether via meltdown on your phones with npm

January 12, 2018

Preface from the translator

Until you get to the content of the article, I advise you to postpone it, look away from the monitor , and think about how this happens. As always, all ingenious is simple. The answer is to the surface. Have you thought about it? Then read on.

Well, here's the correct answer. No way. It's a lie. Just like the lie is the title and content of the article recently translated from us "The Story of how I steal credit card numbers and passwords from visitors to your sites."

It seemed obvious to me that this is some small a fantasy with a light touch of security awareness, but it seems that very many took it seriously, and I hate to see again how the npm community makes pears for pounding, without delving into the context – just as it was, for example, after the excellent article " Node.js is a cancerous tumor, "or a torn piece from Ryan's interview about , that he now likes Go.

I do not know, intentionally or accidentally, but the author wrote a fantasy on a high-topic topic, which many took at face value. I know that arguing with the translation is pretty silly, but this translation is knocking at me through all channels. So I will answer him with another translation. Let's go.

Does the security of npm frighten you? Do not panic!

Are you also in a panic about the security of npm due to recent posts? Especially because of this: "The story of how I steal credit card numbers and passwords from visitors to your sites." Well, I want to tell you. In the best case, this is a trolling post. Let's tell why. Why is it stupid, incorrect, puts npmjs in a bad light and raises panic from scratch.

At the beginning of the text, the author describes his terrible javascript code, which can be embedded on the site to steal data. The author understands that in order to get other people's information, you need to spread your code to other sites. He chooses npm for this. Nothing new and surprising. Anyone can run the Trojan anywhere – in npmjs, python registry, etc.

However, the fact that your package is published somewhere does not mean anything – just like, for example, if would you make a website that people do not go to. So the next question arises – how to implement the Trojan with the help of the site owners? The author understands that this is the main problem and solves it by creating a pool of requisites on github, where he adds his package to the project.

That's all.
That's the whole hack.
The whole content of the text boils down to this idea. No magic.
No remote code execution on npmjs servers.
No remote exploits.
Neither meltdown nor zero day of vulnerabilities.
No call in support of npmjs and whispering 2600hz in the ear support.

Let me repeat it again

The author was able to distribute his Trojan, convincing developers to use it as a dependency. Ofigitelno. Let me sit down, relax and we will consider this innovative attack vector.

No doubt, to turn this trick, the author should be gifted with simply terrific social engineering skills, so I can only step back and recommend him a couple of plans:

  • Consider a career in sales or investments, as the author has perfected his ability to make brief presentations.
  • Communicate with Kevin Mitnick and commit the robbery of the century.

What side is here npm? Honestly, I have no idea.
I absolutely do not understand why someone is panicking in our Javascript community. Why was npm the scapegoat? The problem is not in it. Rather, there certainly are problems of their own, but they have nothing to do with this story.

Translator's note: here I omitted some not very good analogies and an explanation on my fingers, why half the story about stealing passwords is nonsense mares.

We generally understand that we work in open source?

Now I'm talking about all of us – do you understand that you are working in the opensource community? And what does it mean? Open source is based on trust. On the community, on communications, these are the core values ​​that make the community incredible, and for which I love it.

Can there be a vulnerability in the open source project? Yes.
Can there be performance problems in the open source project, because of which someone will lose millions for the new year? Yes.

Erik Raymond beautifully described the situation when the vulnerability of open source was discussed: "the more eyes, the less bugs" – or, more formally, "with enough beta testers and employees, almost any problem will be quickly detected and will prove to be obvious to somebody. "

When you take open source, you take the risks that it brings in. Be it bad, malicious or abandoned code, so take this responsibility. you put with npm – npm it's just a service link for delivering code.

The Epilogue

I understand that this post was parodic, but the reaction and comments showed that people took it too seriously – right up to the panic. And I must honestly say that I was very upset at how much influence this article had on the name of npm and security issues in general.

I myself am actively engaged in computer security, I participate in the Node.JS OWASP project, I'm talking about security in Node.JS at international conferences, and so on. Why am I talking about this now? To show that I'm only for raising awareness about the dangers of web applications. But I'm sad to watch npm and community make a punching pear for no reason.

I do not know David Gilbertson personally, the author of the original article, but I respect him with all respect, and I'm sure that He had no bad intentions, and his story is pure fiction. However, I believe that we can a little more believe in the intelligence of readers and tell them about the dangers without such horror stories. Instead of panicking, it is better to discuss constructively how we can improve something.

Afterword from the translator

In addition to the npm analogues mentioned by the author in other languages, there is still maven, nyuet, composer, there are thousands of frameworks with their plug-ins and themes, and so on (if interested, I can tell you how the malicious code appeared in my wordpress plugin wp-invites, for example). In the end, there is a githab, from which you can directly put packets in a bunch of languages ​​- but no one accuses the github of being able to publish a malicious code!

And somehow the kicks get npm. And just stupid and meaningless kicks without any morals, conclusions and suggestions. And because of a fictitious story. I, like the author of the original article, do not want to say that everything is fine, and that there is no cause for concern. Everything is broken. Even our fucking processors.

But do not make useless panic. You can fix anything right now. Or write a tool for finding backdoors in npm packages (another one). Or at least to deny the bug. Or throw off a donation to the developer. Or to introduce Loki and review packages in your company. And you can whine about the terrible npm. The choice is yours.

Leave a Comment

Your email address will not be published.