Node Package Manager Accidentally Leaks Developers’ Password Hashes

Node Package Manager (NPM), the primary source for Node.js modules, had been exposing registry users’ password hashes for quite some time, NPM creator and Node.js gatekeeper Isaac Schlueter disclosed today. Schlueter wrote that although the passwords themselves were not leaked, he still strongly recommends that users change their passwords in NPM and anywhere else they used the same password. The distinction matters less than it sounds: a leaked salted hash can be attacked offline against password guesses, so any weak or reused password should be treated as compromised. This shouldn’t affect most Node.js developers, only those with accounts on the NPM registry (i.e. package maintainers), but Jeremy Ashkenas posted Schlueter’s e-mail on GitHub for anyone who wants the full details.

Part of why I wanted to highlight this incident is how the problem happened. According to Schlueter: “To do login, npm uses the /_users database in couchdb. By default, CouchDB prior to version 1.2.0 makes this database world-readable.”

To fix it, NPM is now running Apache CouchDB 1.2.0. But as was pointed out on Hacker News, the latest stable release of CouchDB at the time of writing is 1.1.1; 1.2.0 is not yet a stable release.

For those not ready to upgrade to 1.2.0, CouchDB developer Jan Lehnardt suggests restricting access to /_users with a reverse proxy placed in front of CouchDB.
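The misconfiguration Schlueter describes, and the check a proxy lockdown like Lehnardt's should pass, as an added example (this is not code from the original article, from npm or from CouchDB): a Python script that classifies what an anonymous client gets back from /_users/_all_docs, plus the CouchDB 1.1 hashing scheme applied to a constructed user document to show why a leaked hash still warrants a password change. The host name, the user documents and their values are constructed for illustration; the field names (password_sha, salt) are the ones CouchDB 1.1 stores.

```python
import hashlib
import json
import urllib.error
import urllib.request

# Credential fields a CouchDB user document can carry. "password_sha"/"salt"
# is the scheme CouchDB 1.1 used (the one in this incident); "derived_key"/
# "iterations" is the PBKDF2 scheme later releases use. None of these should
# ever be readable by an unauthenticated client.
SECRET_FIELDS = ("password_sha", "salt", "derived_key", "iterations")


def assess_users_db(status, body):
    """Classify the answer to an anonymous GET /_users/_all_docs?include_docs=true.

    "protected": the server refused or returned no listing.
    "listable": user ids are enumerable but no credential material came back.
    "hashes_exposed": hashes and salts are readable without authentication.
    """
    if status != 200 or not isinstance(body, dict) or "rows" not in body:
        return "protected"
    for row in body["rows"]:
        doc = row.get("doc")
        if isinstance(doc, dict) and any(f in doc for f in SECRET_FIELDS):
            return "hashes_exposed"
    return "listable"


def probe(base_url, timeout=5):
    """Run the check against a live server (network; not used by the samples).

    base_url is e.g. "http://127.0.0.1:5984" (assumed host). No Authorization
    header and no session cookie are sent: the point is what an anonymous
    client can read.
    """
    url = base_url.rstrip("/") + "/_users/_all_docs?include_docs=true"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_users_db(resp.status, json.load(resp))
    except urllib.error.HTTPError as exc:
        try:
            body = json.load(exc)
        except ValueError:
            body = None
        return assess_users_db(exc.code, body)


def couch11_password_sha(password, salt):
    """CouchDB 1.1 user-document scheme: hex(SHA-1(password || salt)).

    One SHA-1 per guess is why a leaked (salt, hash) pair lets an attacker
    test password candidates offline at hardware speed.
    """
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def offline_guess(doc, candidates):
    """Test candidate passwords against a leaked user doc; return the hit or None."""
    for candidate in candidates:
        if couch11_password_sha(candidate, doc["salt"]) == doc["password_sha"]:
            return candidate
    return None


# --- Constructed sample responses (made-up values, not real data) -----------

# A pre-1.2 CouchDB answering an anonymous request: the whole database,
# hashes included. alice's hash is computed from a weak password so the
# offline attack above can be demonstrated.
ALICE_SALT = "ab" * 16
PRE_1_2_RESPONSE = (200, {
    "total_rows": 1, "offset": 0, "rows": [
        {"id": "org.couchdb.user:alice", "key": "org.couchdb.user:alice",
         "value": {"rev": "1-a"},
         "doc": {"_id": "org.couchdb.user:alice", "type": "user",
                 "name": "alice", "roles": [], "salt": ALICE_SALT,
                 "password_sha": couch11_password_sha("hunter2", ALICE_SALT)}}]})

# The same request against a server that limits _users to admins (the CouchDB
# 1.2 default) or sits behind a proxy that blocks the path.
LOCKED_DOWN_RESPONSE = (401, {"error": "unauthorized",
                              "reason": "You are not authorized to access this db."})

# A listing that came back without documents: still world-readable, but it
# leaks only user ids rather than credential material.
ENUMERABLE_RESPONSE = (200, {"total_rows": 1, "offset": 0, "rows": [
    {"id": "org.couchdb.user:alice", "key": "org.couchdb.user:alice",
     "value": {"rev": "1-a"}}]})


if __name__ == "__main__":
    for label, resp in (("pre-1.2", PRE_1_2_RESPONSE),
                        ("locked down", LOCKED_DOWN_RESPONSE),
                        ("ids only", ENUMERABLE_RESPONSE)):
        print(f"{label}: {assess_users_db(*resp)}")
    alice = PRE_1_2_RESPONSE[1]["rows"][0]["doc"]
    print("alice's password, recovered from the leak:",
          offline_guess(alice, ["password", "123456", "hunter2"]))
```

Run `probe("http://host:5984")` against a registry before and after putting the proxy in front of it; any verdict other than "protected" means the lockdown is not effective. One caveat for the proxy approach: blocking only /_users/_all_docs is not enough, since an anonymous client can also fetch /_users/org.couchdb.user:name directly or through a view, so the proxy has to deny every path under /_users for non-admin requests.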

This SNAFU reminds me of this weekend’s Ruby on Rails/GitHub security incident, where a default setting led otherwise sharp developers to make critical security errors. There’s a lesson in both incidents for the developers of platforms and for the developers who build on them: an insecure default is a vulnerability waiting to be deployed.

The good news, of course, is that CouchDB is changing this default. The bad news is that it took this long for the problem in NPM to be noticed and fixed.