Part 1: HauteLook Account Abandonment from GitHub
Between September 2021 and May 2022, HauteLook, a Nordstrom-owned clothing brand, closed its GitHub account. It had been withdrawing from the open-source community for some time.
In September 2021 they deleted their popular AliceBundle repo without any announcement.
On May 15th, 2022 the GitHub username HauteLook was re-registered by an interested third party.
data:image/s3,"s3://crabby-images/74ceb/74ceb8befdb93c9c9abc7fb40d4f38cf3c28af73" alt="Tweet about the HauteLook incident".png)
It means that the new owner of the GitHub account could act on behalf of the deleted account.
Part 2: FigLeif’s Domain Squatting
The open-source developer FigLeif (the name sounds like a typo-squat) was inactive between July 2020 and May 2022. He had developed and maintained the CTX Python package, which gives Python developers the syntactic sugar of addressing data structure elements in attribute-access notation (e.g. foo.bar.baz) rather than the more cumbersome item-access notation (e.g. foo["bar"]["baz"]). This may seem frivolous to the uninitiated, but try typing all those brackets and quotes sometime - your pinkies will hate you for it ;-)
FigLeif's email domain expired in August 2021 and was re-registered by the same interested third party from Part 1 above.
data:image/s3,"s3://crabby-images/6dd0b/6dd0b44f77efbbe5df3a078b9ba548ad6f058f73" alt="Timeline showing changes".png)
Part 3: Recreating a Retired Repo, Exposing a GitHub Vulnerability
The same interested third party then recreated the retired CTX repo and HauteLook's most prominent repo, PHPass, a (sadly named) password hashing library.
GitHub has a security control that prevents creating a repository whose name matches a retired repository's name, but the new owner of the FigLeif and HauteLook accounts found a bypass for it: change your username to something other than the repository's previous owner >> create a repository with the retired repository's name >> change the username back to the previous owner's.
data:image/s3,"s3://crabby-images/42ce4/42ce41b02a4a51f572a9aff5241c9ab309e18bc3" alt="A view showing a retired repository".png)
Having done this, the interested party, Yunus Aydin, a security researcher and college student, blogged about the attack and posted it on his LinkedIn.
Part 4: Push Malicious Code to the GitHub Repositories CTX and PHPass
Yunus modified the packages so that whenever they run, the AWS environment variables are sent to a Heroku-hosted app that Yunus controlled.
data:image/s3,"s3://crabby-images/529cf/529cf56c06a38917283fea577288f354850864d7" alt="Terminal view"
This is dangerous because many applications, especially cloud-hosted and containerized ones, keep sensitive secrets in environment variables.
Part 5: Upload CTX to PyPi from FigLeif’s Account
Because Yunus had taken over FigLeif's domain, he was able to reset FigLeif's PyPI password, and then uploaded the malicious package to PyPI on May 14.
data:image/s3,"s3://crabby-images/f8081/f8081c7b6ad0039be824ba2a43af288906fcda7f" alt="Project view on pypi"
Part 6: A Random Search on GitHub Identified PHPass
The security researcher Somdev found an additional instance of the same technique by running a GitHub search. Thank you!
data:image/s3,"s3://crabby-images/fae81/fae81751d0c69609710d35dd45760db2f58b24d8" alt="A tweet about the incident"
Do NOT Blame Open-Source Contributors
All open-source software needs a succession plan for when its maintainers move on. Building a successful, stable, useful library is surprisingly thankless. Both PHPass and CTX hadn't been touched in years, and hadn't needed to be. Their developers can't be blamed for losing interest.
Conclusion: What Can You Do To Strengthen Your Organization's Supply Chain Security?
- Lock all used package versions. If a dependency management system such as Poetry or Pipenv is in use, use poetry.lock or Pipfile.lock respectively.
- If you maintain open-source projects, make sure MFA is enforced. Don't use email as the second factor.
- Set your domain registration to auto-renew.
- To prevent other contributors from pushing malicious code to your open-source project, maintain a CODEOWNERS file to enforce reviews of PRs. Based on our research, it also increases the quality of your code. We can automatically generate and maintain CODEOWNERS files for you.
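As an added example (not code from the original post or from Arnica), the following Python script audits a requirements file for the first recommendation above: every dependency pinned to an exact version and accompanied by `--hash` entries, which is what `pip install --require-hashes -r requirements.txt` enforces and what poetry.lock and Pipfile.lock record for you. A pinned-and-hashed dependency protects against exactly the CTX scenario, where a package under an attacker's control is republished: the index can hand out a different artifact, but pip will refuse it if its digest differs. The sample requirements text is constructed; the sha256 values are placeholders and the package names other than `requests` are made up.

```python
import re
from typing import Dict, List

# Constructed sample requirements file (not taken from the original post).
# The sha256 values are placeholders, not real artifact digests.
SAMPLE_REQUIREMENTS = """\
# pinned and hashed: pip will refuse any artifact whose digest differs
requests==2.27.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
# pinned but unhashed: a re-uploaded 1.4.2 with different contents would install
libfoo==1.4.2
# range specifier: a newly published release is pulled in on the next install
libbar>=2.0
# no specifier at all: resolves to whatever is newest on the index
libbaz
"""

# Exact-pin form "name==version". Extras and environment markers are out of
# scope for this illustration and would be reported as unpinned.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([A-Za-z0-9._+!-]+)$")
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines (the layout pip-compile emits for hashes)
    and drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append((buf + line).strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_requirements(text: str) -> List[Dict[str, object]]:
    """One record per requirement: normalized name, exact version (or None)
    and the list of --hash values attached to it."""
    records = []
    for line in _logical_lines(text):
        parts = line.split()
        spec = parts[0]
        hashes = [p[len("--hash="):] for p in parts[1:] if p.startswith("--hash=")]
        pin = PIN_RE.match(spec)
        name_m = NAME_RE.match(spec)
        records.append({
            "name": (name_m.group(1) if name_m else spec).lower(),
            "version": pin.group(2) if pin else None,
            "hashes": hashes,
        })
    return records


def audit(text: str) -> List[str]:
    """Return one finding per requirement that would not survive --require-hashes:
    either no exact pin, or an exact pin with no digest to verify the artifact."""
    findings = []
    for r in parse_requirements(text):
        if r["version"] is None:
            findings.append(f"{r['name']}: not pinned to an exact version (==)")
        elif not r["hashes"]:
            findings.append(f"{r['name']}=={r['version']}: pinned but carries no --hash")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print(finding)
```

Run it in CI against the committed requirements file and fail the build on any finding; a clean result means the same `--require-hashes` install would succeed, so a silently republished release of any pinned package cannot reach the build.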
Reduce Risk and Accelerate Velocity
Integrate Arnica ChatOps with your development workflow to eliminate risks before they ever reach production.