Node Package Manager Accidentally Leaks Developers’ Password Hashes


Node Package Manager (NPM), the primary source for Node.js modules, had been exposing registry users’ password hashes for quite some time, NPM creator and Node.js gatekeeper Isaac Schlueter disclosed today. Schlueter wrote that although the passwords themselves were not leaked, he still strongly recommends that users change their passwords in NPM and anywhere else they used the same password. A salted hash is not a plaintext password, but anyone who holds the hash and its salt can test password guesses offline at their leisure, which is why reuse of the same password elsewhere is the real risk. This shouldn’t affect most Node.js developers, only those who maintain packages in NPM, but Jeremy Ashkenas posted Schlueter’s e-mail on Github for anyone who wants the full details.

Part of the reason I wanted to highlight this incident is how the problem happened. According to Schlueter: “To do login, npm uses the /_users database in couchdb. By default, CouchDB prior to version 1.2.0 makes this database world-readable.”

To fix it, NPM is now using Apache CouchDB 1.2.0. But as was pointed out on Hacker News, the latest stable release of CouchDB at the time of writing is 1.1.1, so NPM is running a version that has not yet shipped as stable.

For those not ready to upgrade to 1.2.0, CouchDB developer Jan Lehnardt suggests restricting access to /_users with a proxy in front of the database.
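The following is an added example, not code from the article, from npm or from the CouchDB project. It does two things that bear on the quote above and on Lehnardt's proxy suggestion. First, it constructs the kind of response an anonymous GET of /_users/_all_docs?include_docs=true returns from a pre-1.2 CouchDB (the sample users, salts and passwords are made up for the example), lists which documents expose credential material, and shows why a leak of "hashes, not passwords" still matters by cracking one against a tiny wordlist using the pre-1.2 scheme, a hex SHA-1 of the password followed by the salt. Second, it sketches the access rule a reverse proxy would need in order to keep anonymous clients away from /_users, including the percent-decoding and slash-collapsing that a naive prefix match misses. Function names and the sample data are ours.

```python
"""Added example, not code from the article or from the CouchDB or npm projects.

Part 1: parse a constructed /_users/_all_docs?include_docs=true response from a
CouchDB older than 1.2.0, list exposed hashes, and run an offline dictionary
attack on the pre-1.2 scheme, password_sha = hex(SHA-1(password ++ salt)).

Part 2: the access rule a reverse proxy in front of CouchDB needs so that
anonymous clients cannot reach the _users database under any spelling.
"""
import hashlib
import json
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def couch11_password_sha(password: str, salt: str) -> str:
    """CouchDB <= 1.1 _users hash: hex(SHA-1(password ++ salt)); salt is a hex string."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


# Constructed sample (not real registry data). Salts are made-up hex strings;
# the digests are generated with the formula above so the block runs offline.
ALICE_SALT = "b7e1f3c2d4a5968877a6b5c4d3e2f1a0"
BOB_SALT = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
SAMPLE_ALL_DOCS = json.dumps({
    "total_rows": 3, "offset": 0,
    "rows": [
        {"id": "_design/_auth", "key": "_design/_auth", "value": {"rev": "1-a"},
         "doc": {"_id": "_design/_auth", "language": "javascript"}},
        {"id": "org.couchdb.user:alice", "key": "org.couchdb.user:alice",
         "value": {"rev": "1-b"},
         "doc": {"_id": "org.couchdb.user:alice", "type": "user", "name": "alice",
                 "roles": [], "salt": ALICE_SALT,
                 "password_sha": couch11_password_sha("hunter2", ALICE_SALT)}},
        {"id": "org.couchdb.user:bob", "key": "org.couchdb.user:bob",
         "value": {"rev": "1-c"},
         "doc": {"_id": "org.couchdb.user:bob", "type": "user", "name": "bob",
                 "roles": [], "salt": BOB_SALT,
                 "password_sha": couch11_password_sha("Tr0ub4dor&3", BOB_SALT)}},
    ],
})


def exposed_hashes(all_docs_json: str) -> Dict[str, Tuple[str, str, str]]:
    """Map username -> (scheme, salt, digest) for every user doc carrying a hash.

    Pre-1.2 docs carry salt + password_sha; 1.2+ docs carry password_scheme,
    salt, iterations and derived_key (PBKDF2). Both are exposed if the database
    is world-readable; only the first is cheap to attack.
    """
    found = {}
    for row in json.loads(all_docs_json)["rows"]:
        doc = row.get("doc") or {}
        if doc.get("type") != "user":
            continue  # design docs and other non-user documents
        if "password_sha" in doc:
            found[doc["name"]] = ("sha1", doc["salt"], doc["password_sha"])
        elif "derived_key" in doc:
            found[doc["name"]] = (doc.get("password_scheme", "pbkdf2"),
                                  doc["salt"], doc["derived_key"])
    return found


def crack_sha1(salt: str, password_sha: str, wordlist) -> Optional[str]:
    """Offline dictionary attack on one pre-1.2 hash; None if nothing matches."""
    for candidate in wordlist:
        if couch11_password_sha(candidate, salt) == password_sha:
            return candidate
    return None


# Tiny constructed wordlist; a real attacker brings millions of entries.
WORDLIST = ["password", "123456", "hunter2", "letmein", "qwerty"]


def demo_crack() -> Dict[str, Optional[str]]:
    """Recover what the wordlist can from the sample; bob's password is not in it."""
    results = {}
    for user, (scheme, salt, digest) in exposed_hashes(SAMPLE_ALL_DOCS).items():
        results[user] = crack_sha1(salt, digest, WORDLIST) if scheme == "sha1" else None
    return results


def normalise_path(raw_path: str) -> str:
    """Strip the query, percent-decode once and collapse repeated slashes
    before matching, rather than guessing how the backend will route them."""
    path = unquote(raw_path.split("?", 1)[0])
    while "//" in path:
        path = path.replace("//", "/")
    return path


def proxy_allows(raw_path: str, authenticated_admin: bool) -> bool:
    """Reverse-proxy rule: a request whose first path segment is _users
    (/_users/_all_docs, /_users/_changes, /_users/org.couchdb.user:x, ...)
    needs an admin session; other databases and /_session pass as before."""
    segments = [s for s in normalise_path(raw_path).split("/") if s]
    if segments and segments[0] == "_users":
        return authenticated_admin
    return True


if __name__ == "__main__":
    print(demo_crack())
    for p in ["/_users/_all_docs", "/%5Fusers/_changes", "//_users/", "/registry/x"]:
        print(p, "anonymous allowed:", proxy_allows(p, False))
```

Nothing here talks to a server; `demo_crack()` returns {'alice': 'hunter2', 'bob': None} for the sample, which is the whole point: a weak password behind a salted SHA-1 falls to a wordlist in milliseconds, so "only the hashes leaked" is not a reason to keep the password. The second part is the caveat for the proxy route: blocking the literal string "/_users" is not enough, because CouchDB percent-decodes path segments before looking up the database, so a request for /%5Fusers/_all_docs reaches the same data. Match on the normalised first segment, and remember that the proxy must be the only way to reach the CouchDB port.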

This SNAFU reminds me of this weekend’s Ruby on Rails/Github security incident, where a default setting led otherwise sharp developers to make critical security errors. There’s a lesson in both incidents for the developers of platforms and for the developers who build on them: an insecure default will, sooner or later, be shipped unchanged.

The good news, of course, is that CouchDB is changing this default behavior. The bad news is that it took this long for the problem with NPM to be noticed and fixed.


Klint Finley

Klint Finley is a Senior Writer at SiliconAngle. His specialties include IT services, enterprise technology and software development. Prior to SiliconAngle he was a writer for ReadWriteWeb. He's also a former IT practitioner, and has written about technology for over a decade. He can be contacted at

