A ‘security researcher’ accused of unethical activity through the alleged hijack of a popular open source project insists that their actions were not malicious.
Last week, as previously reported by The Daily Swig, social media users alerted the Python Package Index (PyPI) repository to a potentially malicious or hijacked package, CTX.
On May 22, Reddit user SocketPuppets promoted the package online, claiming it had received an update after lying dormant for roughly eight years.
The CTX Python library was available on both GitHub and PyPI. However, it wasn’t long before participants on a Reddit thread highlighted that the GitHub package had not been updated at the same time as the PyPI repository.
To make matters worse, the individual responsible also allegedly compromised a different package, phpass.
Indian hacker Somdev Sangwan said: “Python’s CTX library and a fork of PHP’s phpass have been compromised.’
Domain takeover
With an estimated three million downloads combined, the Python packages had been tampered with to send environmental variables – such as AWS keys – to an external URL leading to a Heroku app.
Once alerted to the anomaly, PyPI removed the CTX package, explaining that the exfiltration method had been added after a perpetrator purchased a domain name for the expired email address used by the original developer, sent themselves a recovery password, and took over the account.
Users who installed the package between May 14 and May 22, 2022, may have had linked environmental variables and credentials compromised.
SocketPuppets (account since deleted) tried to defend their actions, claiming the unusual activity was due to a “new company account”.
The individual accused of the activity, then published a Medium blog post to share their “side of the story”.
“All this research DOES NOT contain any malicious activity,” Aydin said. “I want to show how this simple attack affects +10M users and companies. ALL THE DATA THAT I RECEIVED IS DELETED AND NOT USED.”
‘Never responsibly disclosed’
According to Aydin, a ‘scraper tool’ and a bot were used to take over the packages. It cost $5 to register the expired domain.
Aydin added that he sent a report to the bug bounty platform HackerOne on May 15 that was closed as a duplicate a day later.
Their HackerOne profile does not appear to show an associated bug report.
Speaking to The Daily Swig, Sangwan said that the vulnerability “was never responsibly disclosed”, and “this was an actual attack”.
Sangwan added: “After taking over the package, the attacker posted about it on Reddit… and when other users started getting suspicious and I discovered another package they had compromised. The attacker came out and claimed that he did it for ‘research’.
“Replacing a popular software with a backdoored version that steals password[s] of people is anything but research.”
