iTnews
Student hacker behind ctx and phpass repo-jacking steps forward

By Juha Saarinen on May 26, 2022 6:32AM

Captured data deleted and not used, attacker claims.

In a surprise move, a person has claimed responsibility for the recent supply-chain hacks on the popular open source Python ctx and Hypertext Preprocessor phpass libraries, claiming it was research and not malicious activity.

Student and intern Yunus Aydin from Istanbul said he created a scraper bot to check if Github profiles exist, and to capture the account owners' email addresses.

After parsing the responses from the bot with a query tool, Aydin said he could take over the package if the Github profile of the maintainer does not exist, or if their domain name is no longer valid.

For the ctx hack, Aydin used a bot to check if the domain name registration of package maintainers is valid.

When he found a domain with lapsed registration, he would manually check its availability on Google Domains.

If available, Aydin could register the domain for five US dollars, and receive password reset emails from the Python Package Index repository.
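The precondition the article describes is a maintainer contact address whose domain has lapsed, since whoever registers that domain then receives the package index's password-reset mail. The same check can be run from the defending side over your own dependency tree. The script below is an added example written for this article, not code from iTnews, from Aydin or from any package index: it reads metadata in the shape of PyPI's JSON `info` object (the `author_email` and `maintainer_email` fields), extracts the contact domains, and flags packages whose domain no longer resolves or that list no contact at all. The package names, addresses and DNS answers are constructed so that the example runs offline; `live_resolver` is the real lookup you would plug in instead.

```python
"""
Audit the maintainer-email domains of Python dependencies for the
repo-jacking precondition described in the article: a contact address
whose domain no longer resolves. Added example; metadata and DNS table
below are constructed and not taken from any real package.
"""
import re
import socket
from dataclasses import dataclass, field

# Constructed records in the shape of PyPI's JSON "info" object (only the
# fields this audit reads). Names and addresses are made up.
SAMPLE_METADATA = [
    {"name": "widget-utils", "version": "1.4.2",
     "author_email": "dev@example-maintained.test", "maintainer_email": ""},
    {"name": "legacy-parser", "version": "0.1.0",
     "author_email": "maintainer@lapsed-domain.test", "maintainer_email": ""},
    {"name": "shared-lib", "version": "2.0.0",
     "author_email": "", "maintainer_email": "Ops Team <ops@example-maintained.test>"},
    {"name": "no-contact", "version": "3.1.0",
     "author_email": "", "maintainer_email": None},
]

# Constructed answer table standing in for DNS so the example runs offline.
FAKE_DNS = {"example-maintained.test": True, "lapsed-domain.test": False}


def fake_resolver(domain: str) -> bool:
    """Offline stand-in: True if the constructed table says the domain resolves."""
    return FAKE_DNS.get(domain, False)


def live_resolver(domain: str) -> bool:
    """Real check for production use: does the domain have any A/AAAA record?
    A domain can be registered without address records, so treat a False here
    as 'verify the registration', not as proof that the domain is free."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


# Accepts bare addresses and "Display Name <user@host>" forms.
_EMAIL = re.compile(r"<?([^<>\s@]+)@([A-Za-z0-9.-]+)>?")


def contact_domains(info: dict) -> set:
    """Return the lower-cased domain part of every address in the contact fields."""
    domains = set()
    for key in ("author_email", "maintainer_email"):
        for match in _EMAIL.finditer(info.get(key) or ""):
            domains.add(match.group(2).lower().rstrip("."))
    return domains


@dataclass
class Finding:
    package: str
    version: str
    reason: str
    domains: list = field(default_factory=list)


def audit(metadata: list, resolver=fake_resolver) -> list:
    """Flag packages with no contact address, or with a contact domain that
    the resolver cannot resolve; every other package passes silently."""
    findings = []
    for info in metadata:
        domains = contact_domains(info)
        if not domains:
            findings.append(Finding(info["name"], info["version"],
                                    "no contact address to verify"))
            continue
        dead = sorted(d for d in domains if not resolver(d))
        if dead:
            findings.append(Finding(info["name"], info["version"],
                                    "contact domain does not resolve", dead))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_METADATA):
        print(f"{f.package}=={f.version}: {f.reason} {f.domains or ''}")
```

A flagged package is a reason to pin the version you have already reviewed, mirror it internally, or contact the maintainer through a second channel; a domain that does resolve is not proof that the original maintainer still controls it, only that this particular takeover path is not obviously open. Note that a package index's account-recovery flow, not the package code itself, is what this check is reasoning about.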

Attacking phpass involved bypassing Github's authentication for retired repositories, which Aydin succeeded in doing.

Aydin used similar techniques to attack the Rust programming language package registry, and the npm equivalent too, saying it was possible to take ownership of packages on those repositories as well.

The payload in the malicious packages captured users' environment variables, including sensitive data such as Amazon Web Services credentials.

Over ten million users and companies were at risk from the attacks, and Aydin received some 1000 environment variables to his Heroku instance.

The data he received has been deleted and not used, Aydin claims.

Aydin said he reported the Github authentication bypass to HackerOne on May 20 AEST.

However, HackerOne closed the report as a duplicate and the vulnerability has not been fixed, Aydin said.

After the attack, both the ctx and phpass packages were removed along with his Github user account and Heroku server instance.

Aydin's personal website was also deleted.

Other users objected to Aydin's research, saying it was done without consent and would force engineers in thousands of companies around the world to change credentials, as they could not trust that the captured ones would not be abused.

Copyright © iTnews.com.au . All rights reserved.