Typo-Squatting, or poison packages
-
Python quiz: What’s the difference between these two packages?
- urllib3
- urlib3
Answer: urllib3, with two l’s is the one you meant to use. urlib3 with one l is a poison package that replicates the functionality you were looking for, but with a malicious install script.
Back in August, a similar poison package was found in the Node ecosystem, one that exfiltrated environment variables, in a bid to discover service passwords and tokens. Ouch.
-
I always worry about this a bit with package managers. There's no quick way to tell if a package is legit or malicious, especially with the number of forks you see of projects that have stopped being supported.
-
@jaloopa Package signing would be a good first step, but that would require everyone to actually sign their packages, as well as there being some sort of trusted authority with which package signatures can be verified. Also, a bit like SSL/TLS, it wouldn't be a cast-iron guarantee of security, only identity, assuming the trusted authority hasn't been compromised.
-
@raceprouk I would hope that CCleaner incident is rare. AFAIK it's the only high profile case of certificate hijacking related to package verification I'm aware of in recent memory. As I write this, though, I kind of remember at least one or two similar cases in the last 10 years but I forget the specifics. I might be thinking of an md5 hack.
-
@raceprouk said in Typo-Squatting, or poison packages:
Package signing would be a good first step, but that would require everyone to actually sign their packages
There is movement by some of the major public repositories to move to just such a requirement [as well as restricting package name prefixes to registered owners]
-
I think the only way to "solve" this problem is with good old heuristics. Calculate a trust score for each package, and warn the developer if the trust score drops below X.
- Package signed by the Python Foundation: +1000
- Package signed by an unknown person, but with a legal identity verified by a trusted organization: +50
- Package uploaded many years ago and has millions of downloads: +50
- Package uploaded yesterday: -10
- Package passes automated malware detection tests: +10
- Package name almost matches one with trust score over 100: -500
-
@the_quiet_one said in Typo-Squatting, or poison packages:
AFAIK it's the only high profile case of certificate hijacking related to package verification I'm aware of in recent memory.
Maybe it's the only recent high-profile case in your recollection, but it's definitely not rare. There's malware written specifically to steal certificate/key pairs and it's used constantly by different threat actors. Stuxnet is the highest-profile case I can think of, but Suckfly notably used certificates stolen from nine different companies.
-
@raceprouk said in Typo-Squatting, or poison packages:
@jaloopa Package signing would be a good first step, but that would require everyone to actually sign their packages, as well as there being some sort of trusted authority with which package signatures can be verified. Also, a bit like SSL/TLS, it wouldn't be a cast-iron guarantee of security, only identity, assuming the trusted authority hasn't been compromised.
That would do fuck-all to prevent things like this. If you typo and request a different package than what you intended, you would still get the poison package.
-
@zecc Maybe don't use a UI where you can get fucked over by a typo? A GUI could show things like: code signer, number of downloads, reviews perhaps... a lot of nice info that would make it obvious which is correct after a search.
Another example of: "We chose a really shitty ui!" "Now we have a lot of problems that wouldn't exist had we chosen a non-shitty ui!"
-
@blakeyrat This. Even command-line package manager like yum and apt-get make you confirm the packages you're going to install before proceeding, and that prompt includes information like which (typically moderated) repository things are being pulled from, and which dependencies are pulled in. Adding signing info and separate 'is this really the package you want' prompts seems trivial.
Well, unless you're using the
--don't-bother-me-with-confirmation-just-install-it
option. In which case why the hell are you using that option?
-
@pleegwat I'm using that option just to prove that my script interpreter doesn't care about single quotes.
-
The answer is simple, everyone!
You need a universal package manager in your organization. I know where you can get a great one for a great price.
-
@pleegwat said in Typo-Squatting, or poison packages:
Well, unless you're using the
--don't-bother-me-with-confirmation-just-install-it
option.(I went looking for the actual quote in the EFL thread but of course search being crap it totally failed me, and when Google pointed me to the right post, well, links to posts in Google being crap, I never found the right post. From what Google shows, it apparently was
-i-really-know-what-i-am-doing-and-accept-full-responsibility-for-it
.)
-
@apapadimoulis said in Typo-Squatting, or poison packages:
You need a universal package manager in your organization.
I have yet to meet the organization that needs more managers.
-
@apapadimoulis said in Typo-Squatting, or poison packages:
The answer is simple, everyone!
You need a universal package manager in your organization. I know where you can get a great one for a great price.
6/10 too obvious
-
@blakeyrat said in Typo-Squatting, or poison packages:
A GUI could show things like: code signer, number of downloads, reviews perhaps... a lot of nice info that would make it obvious which is correct after a search.
CLICKY CLICKY CLICKY
No one would ever inspect all that stuff.
-
@boomzilla I would.
It's easily recognisable as not a license or EULA.
-
A more "subtle" poison is occurring in the EULA. Make something full GPL, have people incorporate it into their product, detect commercial usage, sue to force release of IP.
-
@thecpuwizard said in Typo-Squatting, or poison packages:
A more "subtle" poison is occurring in the EULA. Make something full GPL, have people incorporate it into their product, detect commercial usage, sue to force release of IP.
And how do you make them incorporate it into their product without reading the license ?
Beat them ???
-
@timebandit said in Typo-Squatting, or poison packages:
And how do you make them incorporate it into their product without reading the license ?
How many developers go to nugget.org, browse for a package, download - without legal review of the EULA? 99.9%
-
@thecpuwizard said in Typo-Squatting, or poison packages:
@timebandit said in Typo-Squatting, or poison packages:
And how do you make them incorporate it into their product without reading the license ?
How many developers go to nugget.org, browse for a package, download - without legal review of the EULA? 99.9%
CLICKY CLICKY CLICKY
-
@thecpuwizard said in Typo-Squatting, or poison packages:
How many developers go to nugget.org, browse for a package, download - without legal review of the EULA? 99.9%
I don't think any of them go to nugget.org. nuget.org, on the other hand...
-
@thecpuwizard said in Typo-Squatting, or poison packages:
A more "subtle" poison is occurring in the EULA. Make something full GPL, have people incorporate it into their product, detect commercial usage, sue to force release of IP.
This is why I spent a bunch of time at BigCorp reimplementing things like FTP. It was faster and easier than sending it through legal, getting a "no" sent down after a couple months, and doing it myself anyway.
-
@parody said in Typo-Squatting, or poison packages:
@thecpuwizard said in Typo-Squatting, or poison packages:
A more "subtle" poison is occurring in the EULA. Make something full GPL, have people incorporate it into their product, detect commercial usage, sue to force release of IP.
This is why I spent a bunch of time at BigCorp reimplementing things like FTP. It was faster and easier than sending it through legal, getting a "no" sent down after a couple months, and doing it myself anyway.
That may be... but seriously, try to develop any web application without using a "package" for something.....
-
@thecpuwizard said in Typo-Squatting, or poison packages:
That may be... but seriously, try to develop any web application without using a "package" for something.....
Web Applications and the types of projects I did at BigCorp were pretty incompatible. :)
-
@parody said in Typo-Squatting, or poison packages:
Web Applications and the types of projects I did at BigCorp were pretty incompatible.
Fair enough, but then also seemingly irrelevant since this entire thread is all about packages :) :) :)
-
@thecpuwizard said in Typo-Squatting, or poison packages:
Fair enough, but then also seemingly irrelevant since this entire thread is all about packages :) :) :)
You'd drifted to GPL licensing; it and similar poison licenses exist with and without specific packages. :P
-
@parody said in Typo-Squatting, or poison packages:
You'd drifted to GPL licensing; it and similar poison licenses exist with and without specific packages.
Without a doubt, but packages are so darn easy for the developer to incorporate that [IMPO] it raises things to a whole new level. IT does not have to be GPL (or similar). In one case the term "per hoc quod dicitur includere" [or very similar] was in a EULA, there was also a link, which contained links. A company was sued for a violation of an item behind multiple links...
Most developers I have talked to never even realized it, nor did team leads, managers, or executives....
-
@thecpuwizard said in Typo-Squatting, or poison packages:
A company was sued for a violation of an item behind multiple links...
Have you ever tried to read the EULA of any software presented to you on the screen ?
They show it in a window about 25% of the size of the screen, then put the text inside a box about 60% the size of that window.Talk about a way to make sure nobody will ever read it.
It's a lot easier to just follow a couple links.
-
@timebandit said in Typo-Squatting, or poison packages:
@thecpuwizard said in Typo-Squatting, or poison packages:
A company was sued for a violation of an item behind multiple links...
Have you ever tried to read the EULA of any software presented to you on the screen ?
They show it in a window about 25% of the size of the screen, then put the text inside a box about 60% the size of that window.Talk about a way to make sure nobody will ever read it.
It's a lot easier to just follow a couple links.
You don't read the whole thing? I read the whole thing.
-
@timebandit said in Typo-Squatting, or poison packages:
And how do you make them incorporate it into their product without reading the license ?
Use a tool for license discovery and enforcement. If a dependency doesn't clearly state it has an acceptable license (whatever that means in your environment), no release for you! Job done. Diligence dued.
-
@dkf said in Typo-Squatting, or poison packages:
Use a tool for license discovery and enforcement. If a dependency doesn't clearly state it has an acceptable license (whatever that means in your environment), no release for you! Job done. Diligence dued.
Indeed. And one way (there are many) is to configure your build server(S) [the only machines that should be producing deployed code] to only use private and vetted repositories.
This repository is vetted after the tooling (and human as required) has done the discovery.
Slightly related, if you are interested in this (and other aspect's of package utilization such as security) Check out WhiteSource - amazing tool
-
@dkf said in Typo-Squatting, or poison packages:
Diligence dued.