UPDATED 13:29 EDT / MARCH 08 2012


Node Package Manager Accidentally Leaks Developers’ Password Hashes

Node Package Manager (NPM), the primary source for Node.js modules, had been exposing registry users’ password hashes for quite some time, NPM creator and Node.js gatekeeper Isaac Schlueter disclosed today. Schlueter wrote that although the passwords themselves were not leaked, he still strongly recommends that users change their passwords in NPM and anywhere else they used the same password. This shouldn’t affect most Node.js developers, only those maintaining packages in NPM, but Jeremy Ashkenas posted Schlueter’s e-mail on GitHub for anyone who wants the full details.

Part of why I wanted to highlight this incident is because of how the problem happened. According to Schlueter: “To do login, npm uses the /_users database in couchdb. By default, CouchDB prior to version 1.2.0 makes this database world-readable.”

To fix it, NPM is now running Apache CouchDB 1.2.0, which changes that default. But as was pointed out on Hacker News, the latest stable release of CouchDB is 1.1.1, so NPM is on a build that has not yet shipped as stable.

For those not ready to move to 1.2.0, CouchDB developer Jan Lehnardt suggests restricting access to /_users with a proxy in front of CouchDB, so that unauthenticated requests never reach the database.
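As an added example (not code from the article, from NPM or from the CouchDB project), here is the check an operator would run against their own instance: an unauthenticated request for `_users/_all_docs?include_docs=true`, followed by a pass over the response that lists which user documents expose password-hash material. The host name is a placeholder and the sample response is constructed; the field names (`password_sha` and `salt` for the salted-SHA-1 scheme in 1.2 and earlier, `derived_key` and `iterations` for the PBKDF2 scheme in later 1.x releases) follow the CouchDB 1.x user-document format.

```python
"""Probe a CouchDB 1.x ``_users`` database for anonymous readability.

Added example, not code from NPM, the article or CouchDB itself.
The host name is a placeholder; the sample response below is constructed.
"""
import json
import urllib.error
import urllib.request

# Fields of a CouchDB 1.x user document that carry password-hash material:
# password_sha/salt (salted SHA-1, 1.2 and earlier) and derived_key/iterations
# (PBKDF2 scheme in later 1.x releases). None should be anonymously readable.
CREDENTIAL_FIELDS = ("password_sha", "salt", "derived_key", "iterations")


def fetch_users_anonymously(base_url, timeout=10):
    """GET /_users/_all_docs?include_docs=true with no credentials at all.

    Returns (status, body). 401/403 means the database is protected the way
    CouchDB >= 1.2.0 does by default; 200 means any client on the network can
    read it. base_url is a placeholder such as "http://couch.example.invalid:5984".
    """
    url = base_url.rstrip("/") + "/_users/_all_docs?include_docs=true"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def leaked_credential_fields(all_docs_json):
    """Map each user document id to the credential fields it exposes.

    Takes the JSON body of an _all_docs?include_docs=true response and
    returns {doc_id: [fields present]} for documents that leak hash
    material. Design documents (_design/...) are skipped.
    """
    leaked = {}
    for row in json.loads(all_docs_json).get("rows", []):
        doc_id = row.get("id", "")
        if doc_id.startswith("_design/"):
            continue
        doc = row.get("doc") or {}
        present = [f for f in CREDENTIAL_FIELDS if f in doc]
        if present:
            leaked[doc_id] = present
    return leaked


def exposure_report(status, body):
    """Classify a probe result: 'protected', 'exposed', 'readable-no-hashes'
    or 'unexpected-status-N'."""
    if status in (401, 403):
        return "protected"
    if status != 200:
        return "unexpected-status-%d" % status
    return "exposed" if leaked_credential_fields(body) else "readable-no-hashes"


# Constructed sample response in the shape CouchDB 1.x returns for
# _all_docs?include_docs=true on _users; every value is made up.
SAMPLE_ALL_DOCS = json.dumps({
    "total_rows": 3, "offset": 0,
    "rows": [
        {"id": "_design/_auth", "key": "_design/_auth", "value": {"rev": "1-a"},
         "doc": {"_id": "_design/_auth", "validate_doc_update": "function(){}"}},
        {"id": "org.couchdb.user:alice", "key": "org.couchdb.user:alice",
         "value": {"rev": "1-b"},
         "doc": {"_id": "org.couchdb.user:alice", "type": "user", "name": "alice",
                 "roles": [],
                 "password_sha": "0123456789abcdef0123456789abcdef01234567",
                 "salt": "fedcba9876543210"}},
        {"id": "org.couchdb.user:bob", "key": "org.couchdb.user:bob",
         "value": {"rev": "1-c"},
         "doc": {"_id": "org.couchdb.user:bob", "type": "user", "name": "bob",
                 "roles": []}},
    ],
})

if __name__ == "__main__":
    # Offline demonstration on the constructed sample. To probe a live
    # instance, feed the result of fetch_users_anonymously(...) to
    # exposure_report instead.
    print(exposure_report(200, SAMPLE_ALL_DOCS))
    print(leaked_credential_fields(SAMPLE_ALL_DOCS))
```

A 200 with `password_sha` and `salt` in the user documents is exactly the condition the article describes. After moving to 1.2.0, or after fronting `/_users` with a proxy that rejects unauthenticated requests, the same probe should come back 401 or 403. Run it without credentials: 1.2.0 still lets an authenticated user read their own document, so a logged-in probe proves nothing about what an anonymous client can see.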

This SNAFU reminds me of this weekend’s Ruby on Rails/GitHub security incident, where a default setting led otherwise sharp developers to make critical security errors. There’s a lesson in both of these incidents for the developers of both platforms and for the developers who build on them: an insecure default will be deployed as-is by a large share of users.

The good news, of course, is that CouchDB is changing this default behavior. The bad news is that it took this long for the problem with NPM to be noticed and fixed.

