> Their response seemed to indicate that the account was flagged due to previous issues sending emails, which would be expected with the domain having expired.
It's entirely possible that the domain could have been re-registered long before their next attempt to send an email to it.
I wonder if it's safer (and plausible) to run a daily whois audit job for all maintainer email domains and block anything that enters the redemptionPeriod status?
Agreed.
I get where it comes from, npm isn't responsible for individual contributors getting social-engineered, but this is much deeper than that, and part of the flaw is with npm's support allowing the password reset to go through.
https://github.com/oskarsve/ms-teams-rce/blob/main/README.md
This problem is likely common to every public registry. Even if the registry doesn't publish e-mail addresses, it's often easy to work them out from other sources, so attackers can build up a list of targets relatively easily.
It seems like a hard one to solve for well. Mostly the registry will only know an author by their e-mail account, so if that's compromised it could be hard to tell the difference between the author genuinely losing their creds and an attacker who has taken over the domain.
Not necessarily, it depends on what kind of authentication you are using. For example a Google account has a unique OAuth ID, and if your GSuite/Workplace/whatever account expires, and you recreate it again (regardless of the domain expiry/transfer in-between), the OAuth flow will present a new ID alongside the email address.
Dart/Flutter's package manager pub.dev uses Google accounts as authentication and has this extra OAuth ID check to prevent hostile ownership takeovers.
Disclaimer: I'm contributor to pub.dev
The safest option here would be to create an orphan package, but that has some usuability concerns (will people realise it's orphaned and update accordingly)
(There was no 2FA enabled)
(I think the "email address doesn't work, so disabled sending to it" theory sounds more plausible actually :-))
Auto-flagging every push from an account for a while after a password reset
Automatically scanning code of frequently downloaded packages for unusual changes (like: adding a postinstall script, contacting a new server in the postinstall script, obfuscated code, near-total rewrite of the code, inclusion of cryptomining, access of sensitive files like /etc/passwd or /etc/sudoers).
The vagueness of the statement suggests to me they're talking about their defense-in-depth and have never thought about this specific route to account takeover before.
The only proper way to handle that is to ask for national IDs, full names, document numbers. And in case of uncertainty ask photo with those docs and have human support to check it. Of course it should not be required, but just show some kind of "verified" label for those people, that might be enough to push people.
This high level point really irritates me. What if your let your domain expire? What if your domain is hijacked? This applies to EVERYONE doing ANYTHING online with their own domain name - aka every business. What if you let your email account get hacked? What if you stop logging into your gmail account and they deactivate it for inactivity?
At the end of the day there are a hundred ways your accounts can have issues, if you don't care. If you don't pay attention. If you don't set up the proper alerting. Custom domains are not magically worse than using a gmail account.
As a normal, non-business, person... The longest running domain I've had was registered in 2005. It is still setup to receive email and works reliably, as it has done so for the last 17 years. Yes, it's been through several different email services in that time - but because I care about it I make sure it keeps working.
Did their form say what wasn't liked about your domain? I'm curious because I remember a time, you may as well, when lots of account forms only accepted domains from known residential ISPs and would try to guess domains used by freemail providers.
These days, I'm curious why a group like QT would care.
I don’t think he’s attacking the character or intelligence of people who use custom domains, he’s pointing out a gotcha that they may not be aware of.
Indeed, a developer should understand the risks and benefits associated with using an email address on domains they control vs. domains someone else controls.
Too bad the article doesn't make that point.
(Seems obvious to me that a domain you control is less risky since the mitigations are relatively straight-forward and reliable, while for a domain you don't control, you really don't have any reliable mitigations if the domain owner decides to shut you down. Not to mention that a third-party domain also has the risk of expiring or being highjacked. A third-party domain only makes sense if you want to trade risk for dollars: a cheaper or free email address for a greater risk of losing control of the email address.)
That’s a feature, not a bug. This is what allows you to take full ownership of your online identity.
If you use @gmail.com or another address where you rent the address-space, someone else can at a random whim completely erase or compromise all your things and accounts everywhere.
Is the author here really pitching that as a good thing(tm)?
Not with the “additional” caveat. That’s the only caveat, and it’s a simple, understandable and known risk.
Using gmail.com or whatever puts you in a situation where the risks are numerous and unknown, and as a non-paying freeloader you get nothing to say in how access to your digital identity is managed.
If you care about your digital identity, there’s literally only one obvious answer.
> maintainers: and array of objects containing author objects as listed in package.json
> author: object with name, email, and or url of author as listed in package.json
However, the email address against the user's profile gets listed even if your package.json does not contain an email address.
Example: https://registry.npmjs.org/leftpad/
Tom MacWright's email - https://registry.npmjs.org/leftpad/
If you point a DNS entry to a Github page and then delete the page without deleting the entry on you DNS table someone can create a new page with the same name and hijack your DNS entry for malicious purposes.
I've written to Github already about this, if they want to let you point your DNS to the page they should give you a unique entry to point to, so that if it is recreated in the future your entry will not point to the new page. Not asking you to point to the public page name that can be taken over.
They never replied...
I just don't understand why taking so long to fix this, and why they fixed it in such a complicated fashion when it's a really basic use case with a simple and straightforward solution that adds no burden to the end user.
All actors should take care of security, you should expect people to make mistakes especially if you're as big as Github. Your take on security is like talking about law and justice with a cowboy.
I really wish the USPS would get into managing digital identity, or at the very least, attack the lowest of hanging fruits: assign everyone[1] an email address that won't suddenly be closed for ToS violation on a domain that won't expire in anyone's lifetime. Lost your password/authenticator? Walk into a post office with your government issued identity.
Cleverer people than I am should be able to figure out how to create anonymous identities from your official one and have them linked unidirectionally, i.e. Alice can voluntarily prove she owns/created the Alana identity, but it's otherwise computationally impossible/expensive to do the reverse (unmask Alice from just the Alana pseudo ID)
0. Losing access to a mailbox means losing access to account recovery functionality, and mailbox takeovers result in TFA.
1. This is US-centric, but hopefully an international standard may be set, so that governments or delegated authorities are responsible for basic online identity; just like the way TLD's are managed
It’s just like using Slack: you think you’re saving time because of the immediacy, but wind up paying the price down the line because 1 person can save N people time with threaded asynchronous stuff.
Others have said this as well: https://news.ycombinator.com/item?id=15272394
Like all tools used by humans, package managers are used for great good, and terrible evil. The great good (from a security point of view) is that we can distribute new features and patches quickly and freely. The bad: we can distribute nefarious code just as easily.
> Or just write it yourself.
Writing code is how bugs are created. Often popular libraries are much more robust and secure than bespoke code. Sometimes they are not.
> Learn what your code base does.
Great advice.
"Wild-west"-style package managers (more specifically, their repos) are a big security risk.
It's possible to have far more confidence in "maintained" packaging repositories.
The other place where this potentially matters is CAs issuing TLS certificates for domains that expire before the certificate does. If they detect that a domain they have issued a certificate for has been subsequently registered by a new entity, they should revoke the old certificate.
1) Permanently lock them out of their account. Not a good customer experience and problematic in this setup (orphaned libraries)
2) Written "back-up codes", fine in theory but I'd guess a decent proportion of them are not well managed
3) Fall-back to manual verification (e.g. phone call establishing secondary information). Expensive and error prone.
