top | item 20747512

mwmanning | 6 years ago

Yeah, I'm assuming the methodology is:

1) Find high-value target libraries

2) Grab the usernames of accounts with push access

3) Check those against password dumps

I feel really stupid about this, but like I said it was an oversight. I apologize and will try to do better.

0x0 | 6 years ago

Sounds like rubygems and other registries like npm should try to get ahold of those password dumps and check them against their own account databases somewhat frequently!

dspillett | 6 years ago

If you find a reused password, how do you let the user know, though? If I got a "your account is vulnerable" message I'd ignore it as junk, like all the other ones I get pretty much daily. You could force a change the next time the user logs in to your interactive interface, but many users won't do that for some time.

The best approach is probably to disable the account completely until an interactive login is made and a password reset can be forced, but some would be up in arms about the inconvenience caused: you can't just allow a simple reset, as the login could be coming from an attacker, not the original user; an extra channel will need to be used to verify the identity. You might just have to leave the account locked forever and expect the user to create a new one, but now you have the old account and its content, which may be used as a dependency of many projects which now break, unnecessarily if there hasn't been a login by a nefarious type.

kevin_thibedeau | 6 years ago

That's not very practical if salted hashes are being stored.
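The two preceding comments (checking a registry's accounts against password dumps, and the cost of doing so when only salted hashes are stored) are illustrated by the added example below. It is not code from this thread or from any registry; the leaked-password list is constructed, the bucketing by 5-character SHA-1 prefix mirrors the k-anonymity range lookup used by Have I Been Pwned, and the PBKDF2 parameters are arbitrary but realistic. The example shows the check a registry can run at login time, when the submitted plaintext is in hand, and contrasts it with what an offline sweep over stored salted hashes actually requires.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Set

# Constructed stand-in for a breach corpus. Real dumps are typically
# distributed as SHA-1 digests; we derive them the same way below.
LEAKED_PLAINTEXTS = ["password", "letmein", "hunter2", "qwerty123", "Summer2019!"]

KDF_ITERATIONS = 100_000  # arbitrary but realistic PBKDF2 work factor


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by 5-hex-char SHA-1 prefix, the way the HIBP range
# endpoint buckets it, so a lookup only ever reveals the prefix.
BREACH_INDEX: Dict[str, Set[str]] = {}
for _pw in LEAKED_PLAINTEXTS:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str) -> bool:
    """Fast check: one SHA-1 and a set lookup, usable on every login."""
    h = sha1_hex(password)
    return h[5:] in BREACH_INDEX.get(h[:5], set())


def make_record(password: str) -> dict:
    """Registry-side account record: per-user salt plus PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return {"salt": salt, "hash": digest, "must_reset": False}


def login(record: dict, password: str) -> str:
    """Verify the password; if it is in the breach corpus, flag the account
    for a forced reset before granting any further access."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], KDF_ITERATIONS)
    if not hmac.compare_digest(digest, record["hash"]):
        return "denied"
    # The plaintext exists only at this moment, so this is where a
    # breach check is cheap regardless of how the hash is stored.
    if is_breached(password):
        record["must_reset"] = True
        return "reset_required"
    return "ok"


def offline_match(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """What sweeping stored salted hashes against a dump costs: the KDF
    must be recomputed under this user's salt for every leaked candidate.
    Total work is (accounts x dump size x KDF iterations), which is the
    practicality problem with salted storage raised above."""
    for pw in candidates:
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), record["salt"], KDF_ITERATIONS)
        if hmac.compare_digest(digest, record["hash"]):
            return pw
    return None


if __name__ == "__main__":
    rec = make_record("hunter2")
    print(login(rec, "hunter2"), rec["must_reset"])
    print(offline_match(rec, LEAKED_PLAINTEXTS))
```

The login-time path runs one unsalted SHA-1 plus a set lookup, so it scales to every authentication; the offline path pays a full KDF per (account, candidate) pair, which is why a registry would realistically do the former and reserve the latter for a small, high-value subset of accounts.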

febeling | 6 years ago

Make 2FA mandatory. Apple did just that recently with their app stores. Someone authoring libraries should be able to handle that.

OskarS | 6 years ago

It happens. You've taken reasonable precautions to safeguard your online identity, which is all one can really ask. Sometimes things slip through the cracks. The hacker is to blame, not you.

The larger question is whether gem/npm/cargo-style package managers are such a terrific idea in the long run. The security implications are pretty serious.