Security Weekly 13: The Npm Repository was Penetrated by a Spy, Disney is Banned from Monitoring Children, Juniper has Patched a One-Year-Old Bug
JS developers sometimes do terrible things to each other. There would be no peace kiting and be enjoying every commit! But in the ranks of peaceful programmers, a villain was jumped, who threw a pack of malicious packages into the Npm repository. Npm is the standard package manager in Node.js, and it has a cloud repository full of all usable packages.
The scoundrel who hides his dishonest name under the nickname HuskTask has reasoned so that people tend to make mistakes, and there is nothing more natural than, for example, missing a hyphen in the cross-env. And I uploaded my package with the name crossnv into the repository. And a few more, named by the same principle. As a result, some number of users have downloaded packages from HuskTask into their projects, having no idea what the code is inside.
- One of the users still looked in the crossnv and ran to Twitter to sound the alarm. As it turned out, this package contains a script that extracts important information from environment variables (for example, credentials from Npm), encode it into a string, and sends it by POST request to the server npm.hacktask.net.
The whole villainous package has been downloaded 700 times, but most of these downloads are sprawling on mirrors. The company Npm believes that the actual installations were not more than 50. But this is only for one, the most popular package, all the quick HuskTask flooded much more:
To all victims of typos that connected packages from the list, it is strongly recommended to change passwords from Npm.
HuskTusk is banned, all its packages from the repository are cleaned. For all the other packages, Adam Baldwin from LiftSecurity ran quickly and did not find anything like a villainous script. What for it was necessary for the malefactor – it is necessary to guess only. Acts of meaningless vandalism in node.js-projects are not yet reported.
Disney was accused of illegally collecting personal information about children
We have long been accustomed to the fact that our data all the services and applications boldly sell to the side. And we, in principle, agree, since this indirectly leads to a decrease in value for us. In the end, it does not matter what the banner advertising is doing to us.
But children are a completely different matter, we should not follow our children. And the wonderful company Disney, a great friend of all the children of the world, had a chance to learn this lesson after a lawsuit from one of the outraged parents.
- The root of evil, according to Amanda Rushing, lies in mobile applications such as Disney Princess Palace Pets (the entire claim is about 50 names). In this nice toy, it is necessary to bathe, cut, dress and in every possible way entertain the virtual house animals. Well, the rest is about the same.
No, in Disney, they do not yet peek at children through smartphone cameras and do not eavesdrop. But in all these applications there are tracking modules that constantly form and update user profiles, collecting information like geographic coordinates to the accuracy of a particular house, sites that a child goes to, the time the game starts, etc.
- Everything is relatively innocent, but the US COPPA law, especially against this.
- The Children’s Online Privacy Protection Act (COPPA) postulates a simple thing – before collecting any information about a child under the age of 13, you must first obtain permission from your parents. According to the letter of the law, impersonal information is also relevant. In practice, the adoption of COPPA resulted in the prohibition of children of this age registering on most websites – no one needs unnecessary problems. Well, targeting of advertising becomes, to put it mildly, difficult.
- Disney, on the other hand, claims that they have a powerful COPPA compliance program, and the plaintiff does not specifically understand the principles of this law. In general, the office is not going to refuse without a fight targeting advertising for kids.
Juniper found serious vulnerabilities in the hardware
Having looked at how the researchers are festering with Cisco, hoping to find holes in their devices, Juniper played in advance, notifying the world of a serious bug in its products. There, it turns out, there is a serious vulnerability in the GD library from PHP version 4.3 and higher. The library is graphical, but the bug is critical because it allows you to command the device without authentication.
- The problem consists in incorrect work with integers with a sign in libgd 2.1.1, which can lead to overflow of the dynamic area when processing compressed gd2-data. As a result, the attacker will be able to execute arbitrary commands or cause a denial of service condition.
In fact, the bug is very stale, the problem in libgd 2.1.1 was discovered a year ago, and HP Enterprise, Red Hat, Fedora, and Debian have long been patched. Here Juniper pulled themselves up. Better, of course, late than never.
- To users of vulnerable devices, and it is routers of series T and MAX, and also switches of four models, advice to update a software. Alternatively, you can disable all services that use PHP scripts, such as J-Web and XNM-SSL. And still, use access lists (in any incomprehensible situation use access lists).