GitHub has disclosed details of the compromise of the NPM development infrastructure and of the discovery of exposed secrets in logs.

GitHub has published the results of its analysis of the attack in which, on April 12, attackers gained access to cloud environments in the Amazon AWS service used by the NPM project's infrastructure. The incident analysis showed that the attackers obtained access to stored copies of the skimdb.npmjs.com storage, including a data backup from 2015 containing credentials of about 100 thousand NPM users: password hashes, usernames and email addresses.

The password hashes had been generated with salted PBKDF2 or SHA1, which were replaced in 2017 by bcrypt. After the incident was identified, the affected passwords were reset and users were notified to set a new password. Because mandatory two-factor authentication and email verification have been in place on NPM since March 1, the risk of the compromise being exploited is assessed as low.

In addition, all manifest files and metadata of private packages dating from April 2021, CSV files with an up-to-date list of all names and versions of private packages, and the contents of all private packages of two GitHub customers (names not disclosed) fell into the attackers' hands. As for the registry, audit-trail analysis and verification of package hashes did not reveal any attacker changes to NPM packages or publication of new package versions.

The attack took place on April 12 using stolen OAuth tokens issued to two GitHub integrators, Heroku and Travis-CI. Using the tokens, the attackers were able to extract from private GitHub repositories an access key for the Amazon Web Services API used in the NPM project's infrastructure. The obtained key allowed access to data stored in the AWS S3 service.

Additionally, information was disclosed about previously identified, undisclosed problems in the handling of user data on NPM servers: the passwords of some NPM users, as well as NPM access tokens, were stored in clear text in internal logs. During the integration of NPM with GitHub's login system, the developers did not ensure that sensitive information was removed from requests to NPM services that were written to the logs. The flaw is said to have been fixed and the logs deleted before the NPM attack. Only certain GitHub employees had access to the logs containing the users' secrets.

source: opennet.ru
