UPDATED 13:29 EDT / MARCH 08 2012

Node.js logo NEWS

Node Package Manager Accidentally Leaks Developers’ Password Hashes

Node.js logo Node Package Manager (NPM), the primary source for Node.js modules, had been exposing registry users’ password hashes for quite some time NPM creator and Node.js gatekeeper Isaac Schlueter disclosed today. Schlueter wrote that although the passwords themselves were not leaked, he still strongly recommends that users change their passwords in NPM and anywhere else they used the same password. This shouldn’t affect most Node.js developers, only those maintaining packages in NPM, but Jeremy Ashkenas posted Schlueter’s e-mail on Github for anyone who wants the full details.

Part of why I wanted to highlight this incident is because of how the problem happened. According to Schlueter: “To do login, npm uses the /_users database in couchdb. By default, CouchDB prior to version 1.2.0 makes this database world-readable.”

To fix it, NPM is now using Apache CouchDB 1.2.0. But as pointed out by on Hacker News, the latest stable build of CouchDB is 1.1.1.

For those not ready to upgrade to 1.2.0 CouchDB developer Jan Lehnardt suggests restricting access to /_users with a proxy.

This SNAFU reminds me of this weekend’s Ruby on Rails/Github security incident, where a default setting lead sharp otherwise developers to make critical security errors. There’s a lesson in both these incidence for developers of both platforms and the developers who use the platforms.

The good news of course is that the CouchDB is changing this default behavior. The bad news is that it took this long for the problem with NPM to be noticed and fixed.


A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU