microsoft, hacker says hijacking libraries, stealing aws keys was ethical research

Yesterday, developers took notice of two hugely popular Python and PHP libraries, respectively, ‘ctx’ and ‘PHPass’ that had been hijacked, as first reported in the news by BleepingComputer.

Both of these legitimate open source projects had been altered to steal developer’s AWS credentials.

Considering ‘ctx’ and ‘PHPass’ have together garnered over 3 million downloads over their lifetimes, the incident sparked much panic and discussion among developers—now worried about the impact of the hijack on the overall software supply chain.

The hacker behind this hijack has now broken silence and explained his reasons to BleepingComputer. According to the hacker, rather “security researcher,” this was a bug bounty exercise and no malicious activity was intended.

PoC package stole AWS secret keys to show “maximum impact”

Today, the hacker of the widely used ‘ctx’ and ‘PHPass’ software projects has explained his rationale behind the hijack—that this was a proof-of-concept (PoC) bug bounty exercise with no “malicious activity” or harm intended.

In fact, the hijacker of these libraries is an Istanbul-based security researcher, Yunus Aydın aka SockPuppets, who has attested to the fact when approached by BleepingComputer.

He claims his rationale for stealing AWS tokens was to demonstrate the “maximum impact” of the exploit.

Claims of the widely used Python library ‘ctx’ being compromised first originated on Reddit when user jimtk noticed that the library, which had not been updated in 8 years, suddenly had new versions released.

Moreover, as BleepingComputer explained yesterday, these new versions of ‘ctx’ exfiltrated your environment variables and AWS secret keys to a mysterious Heroku endpoint.

Another ethical hacker Somdev Sangwan later noticed that one of the forks of the PHP framework, ‘PHPass’ had also been altered to steal AWS secret keys in a similar fashion and via the same endpoint:

microsoft, hacker says hijacking libraries, stealing aws keys was ethical research

Altered versions of ‘ctx’ and ‘phpass’ stole AWS secret keys (BleepingComptuer)

BleepingComputer noticed that, within the altered ‘ctx’ versions, the name of the “author” had been revised to state, Yunus AYDIN, as opposed to the library’s original maintainer Robert Ledger. But Ledger’s email address had been left intact.

microsoft, hacker says hijacking libraries, stealing aws keys was ethical research

Author and email info present in the compromised ‘ctx’ versions (BleepingComputer)

Some researchers also noticed the Heroku webpage set up by the hijacker was leaking his contact information but refrained from naming the hijacker until more information came to light.

The attacker likely got access to the maintainers of these packages by spraying credentials over a huge list of high value user accounts.

Attacker’s identity is obv but it would be irresponsible to take names without undeniable proofs.

Compromised packages have been reported.

— Somdev Sangwan (@s0md3v) May 24, 2022

Dubious ethical research

While Aydın claims that this was all ethical research, victims of these activities would see it as anything but that.

Most PoC and bug bounty exercises targeting open source libraries use simplistic code, such as printing “you are hacked!” on the target system or exfiltrating basic fingerprinting information such as the user’s IP address, hostname, and working directory.

This information can later be used by the researcher to prove they successfully penetrated a system and earn a bug bounty reward for their ethical research and responsible disclosure.

But, in the case of ‘ctx’ and ‘PHPass,’ the hijacked versions didn’t stop at basic PoC—these stole the developer’s environment variables and AWS credentials, casting doubts on the intention of the hijacker or if this was even ethical research.

Stealing secrets stored in environment variables such as passwords and API keys could very well cross the line, especially when hijacking popular libraries like ‘ctx’ and ‘PHPass’ that have been downloaded millions of times.

“I sent a report to HackerOne to show maximum impact,” Aydın told BleepingComputer.

“All this research DOES NOT contain any malicious activity. I want to show how this simple attack affects +10M users and companies. ALL THE DATA THAT I RECEIVED IS DELETED AND NOT USED,” writes Aydın.

When asked by us if his disclosure had been accepted and earned a bounty, Aydın said HackerOne closed his report as a duplicate.

Some even took notice of Aydın’s vanishing online presence after reports of the hijacked libraries picked up steam. Aydın’s website, sockpuppets.ninja (archived) stopped working, and his BugCrowd profile became inaccessible.

The researcher has attributed his website going down to running out of bandwidth:

“It is free web hosting and has daily hit limit. So 000webhost closed my website because of intense interest,” claims Aydın, when asked about his unreachable website by BleepingComputer.

Packages taken over by expired domain, repo-jacking

Aydın explained today that he was able to take over ownership of the ‘ctx’ PyPI package after the domain of the original maintainer associated with the package had expired.

The researcher used a bot to crawl different open source registries and scrape the maintainer’s email address listed for each of the packages on the registires.

Every time the bot came across an email address that used a custom domain name that had now expired, Aydın would get notified.

The ‘ctx’ package, not touched in years, had originally been published to the PyPI registry using the maintainer’s email address: figlief@figlief.com.

“Bot notifies me that domain is not valid so if I buy that domain I can send forgot password mail and take over the package,” explains Aydın.

After registering the now-available figlief.com domain name, and re-creating the maintainer’s email address, the researcher successfully initiated a password reset on PyPI for the ‘ctx’ project:

microsoft, hacker says hijacking libraries, stealing aws keys was ethical research

Password reset initiated on PyPI for ‘ctx’ package’s owner (Yunus Aydın)

In this way, he could log back into the PyPI maintainer account for the ‘ctx’ package and publish altered versions.

The hijack of ‘ctx’ via expired maintainer domain name is also not a novel attack. This is a known problem impacting not just open source registries, but virtually any website where users can register an account with a custom domain name email address. Should the domain name (and hence the email address) expire at a later date, any actor can register the domain name and now log back into the abandoned account, after initiating a password reset.

Moreover, a 2021 study from Microsoft and North Carolina State University researchers found thousands of JavaScript projects on npm had the listed maintainer’s email address using an expired domain name, thereby leaving their open source projects vulnerable to hijacks.

For hijacking PHPass, however, as BleepingComputer explained yesterday, the attack conducted was more akin to repo-jacking or “chainjacking” in which an abandoned GitHub repository is claimed by another user who can now republish the versions of this package to the PHP/Composer registry, Packagist.

“I sent the report on May 19th and show that I take over the PHPass repository and one day later my report is closed as a duplicate,” says the researcher.

Through this research that Aydın claims, “does not contain any malicious activity,” he received 1000 environment variables via his Heroku webapp, although the majority of these contained fake data as members of the online community began to flood the Heroku endpoint with requests and generate a huge bill for the hijacker.

“But I use free version of Heroku so I don’t use my billing information on Heroku,” concludes the hijacker.

Keyword: Hacker says hijacking libraries, stealing AWS keys was ethical research

TECH'S NEWS RELATED

10 dark themes for Windows 10 for dark lovers

Summary of the latest Windows 10 dark theme Windows 10 Official Dark Theme Ades Dark Theme Hover Dark Aero Nost Metro After Dark Cyan Ubuntu Dark Theme Penumbra 10 Dark Theme Dark Gray Theme As dark themes become more and more popular, not only Facebook, Messenger or other messaging ...

View more: 10 dark themes for Windows 10 for dark lovers

Gungrave Gore preorder guide – Release date, bonuses, and more

What are Gungrave Gore’s release date and platforms? Does Gungrave Gore have any preorder bonuses? Will Gungrave Gore be on Game Pass? Image via Iggymob Co. Ltd. The Gungrave series has been dormant since 2004, when Gungrave: Overdose released on PlayStation 2. Nearly 20 years later, protagonist Grave is ...

View more: Gungrave Gore preorder guide – Release date, bonuses, and more

Hilary Swank, 48, reveals she’s pregnant with twins

Hilary Swank is expecting twins with her husband, Philip Schneider, a representative for the Oscar winner confirmed to NBC News. Swank, 48, and Schneider have been married for four years. They were married in a secret ceremony in Carmel, California. She told Vogue at the time it was a “dream ...

View more: Hilary Swank, 48, reveals she’s pregnant with twins

Mercedes-AMG A 45 S Gets a Facelift But No Extra Power

With 421 hp on deck, it's not like it needed anymore.

View more: Mercedes-AMG A 45 S Gets a Facelift But No Extra Power

Three Arrows’ CryptoPunks and Other 'Starry Night' Ethereum NFTs Set to Be Liquidated

The Starry Night Capital NFT fund is now in the hands of liquidators, which plan to sell off the assets to cover Three Arrows’ obligations.

View more: Three Arrows’ CryptoPunks and Other 'Starry Night' Ethereum NFTs Set to Be Liquidated

Linux Client Device Management Coming to Microsoft Intune

Microsoft Intune, the mobile management solution that’s offered as part of the Microsoft Endpoint Manager suite, is getting the ability to manage Linux desktops with an update that’ll be arriving this month, per a Tuesday Microsoft announcement. Ubuntu LTS versions 22.04 and 20.04 will be the first Linux desktop ...

View more: Linux Client Device Management Coming to Microsoft Intune

Former SEC Attorney: 'It's Much Easier If You Launch Your Network In a Compliant Way’

The problem, according to Teresa Guillén, is launching without first receiving legal guidance or advice.

View more: Former SEC Attorney: 'It's Much Easier If You Launch Your Network In a Compliant Way’

High-schoolers join scholars to lift the lid on Hong Kong's soil biodiversity

The 150 soil macrofauna morphospecies collected in this study. The labeled numbers indicate the number of morphospecies in each animal group collected in this study. Credit: Biodiversity Data Journal (2022). DOI: 10.3897/BDJ.10.e82518 Soil and its macrofauna are an integral part of many ecosystems, playing an important role in decomposition ...

View more: High-schoolers join scholars to lift the lid on Hong Kong's soil biodiversity

Elon Musk, Twitter may reach deal to end court battle as early as Wednesday: report

8 new releases hit Netflix today – here’s what you should watch

Uber's Former Head of Security Convicted Over Concealing 2016 Data Breach

Catch-and-release fishing may cause temperature spikes in sharks

Rybalsky Consulting Delivers Actionable Solutions to Data Overload

Michael Kureth Revolutionizing the Film World with Cinedapt, The Patented Solution To Piracy

North Korea’s Lazarus group uses vulnerable Dell driver to blind security solutions

Cisco tightens SD-WAN integration with Microsoft Azure

Hacker in Massive Capitol One Data Breach Gets Probation

iPhone 14 Plus vs. iPhone 14 Pro Max comparison: Which is right for you?

Alec Baldwin reaches settlement with family over 'Rust' death

Watching Meta under Zuckerberg feels like reliving my days in the flailing newspaper business

OTHER TECH NEWS

;