GitHub discloses details of the npm infrastructure breach and of passwords found in clear text in its logs.

GitHub has published the results of its investigation into the attack in which, on April 12, the attackers gained access to the cloud environment in Amazon AWS used for the npm infrastructure. The investigation showed that the attackers accessed a backup of the skimdb.npmjs.com replica host, including a database dump with the records of roughly 100 thousand npm users as of 2015, containing password hashes, user names and email addresses.

The password hashes had been generated with the PBKDF2 or SHA-1 algorithms, which npm replaced in 2017 with the more brute-force-resistant bcrypt. Once the incident was identified, the affected passwords were reset and the users were notified to set a new password. Since npm has enforced mandatory two-factor verification via email confirmation since March 1, the risk of account compromise is assessed as low.

In addition, the manifests and metadata of all private packages as of April 2021, CSV files with an up-to-date list of the names and versions of all private packages, and the contents of all private packages of two GitHub customers (whose names were not disclosed) fell into the attackers' hands. As for the registry itself, the audit and the verification of package hashes revealed no changes made by the attackers to npm packages and no publication of new fake packages.

The attack was carried out on April 12 using stolen OAuth tokens that had been issued to GitHub's third-party integrators Heroku and Travis-CI. Using these tokens, the attackers were able to extract from private GitHub repositories a key for accessing the Amazon Web Services API that was used in the npm infrastructure. The obtained key granted access to data stored in the AWS S3 service.

Additionally, details were disclosed about privacy problems identified earlier in the handling of user data on the npm servers: the passwords of some npm users, as well as npm access tokens, were stored in clear text in internal logs. During the integration of npm with GitHub's login system, the developers did not ensure that sensitive data was removed from the requests to npm services that were recorded in the log. The problems are said to have been fixed and the logs purged before the attack on npm. Only a few GitHub employees had access to the logs that contained the plaintext passwords.

source: budenet.ru
