JFrog uncovers critical Python vulnerability
DevOps and security software company JFrog has warned it has uncovered a high-severity security vulnerability affecting the popular Python ecosystem that threatened to cause a severe supply chain attack.
Using binary-level scanning, JFrog security experts discovered an accidentally leaked software token that could grant unrestricted access to the GitHub repositories of Python and PyPI. The token, which was leaked in a public Docker container hosted on Docker Hub, could have granted malicious actors access to all of Python's, PyPI's and the Python Software Foundation's repositories. This could have been used to conduct supply chain attacks, including hiding malicious code in CPython, a repository for some of the basic libraries at the core of the Python programming language, which could have spread the backdoor to tens of millions of machines worldwide.
Alternatively, inserting malicious code into the code used to manage the PyPI package manager could have granted backdoor access to PyPI's storage, allowing attackers to manipulate popular PyPI packages or even replace them altogether.
Instead, JFrog researchers immediately informed the PyPI security team about the leak, and the token was revoked in just 17 minutes, before it could be actively exploited.
But in a blog post, JFrog Security Researcher Andrey Polkovnichenko, JFrog Malware Research Team Leader Brian Moussalli and JFrog Senior Director for Security Research Shachar Menashe said the incident highlights the need to take care while working with access tokens.
The incident demonstrates that scanning for secrets in source code and even text-based files is not enough to prevent the leakage of secrets, they said. Instead, binary scanning can help uncover leaked secrets that these methods miss. It is also important that tokens only provide access to the resources required by the application using them.
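To make the point about text-only versus binary-level scanning concrete, here is an added illustration that is not JFrog's tooling and not part of the original article. It builds a small, constructed image layer (a tar archive) containing a benign text file and a compiled Python module whose marshalled constants embed a placeholder token, then runs two scanners over it: a naive one that only inspects files with text-like extensions, and a binary-level one that regex-scans the raw bytes of every regular file. The classic GitHub PAT shape (`ghp_` plus 36 characters) is public knowledge; the fine-grained shape, the file names and the `.pyc` header stand-in are assumptions made for the example.

```python
import io
import re
import tarfile
import marshal

# Token shapes to look for. The classic GitHub PAT shape (ghp_ + 36 chars) is
# public knowledge; the fine-grained shape is included as an assumption.
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(rb"ghp_[A-Za-z0-9]{36}"),
    "github_fine_grained_pat": re.compile(rb"github_pat_[A-Za-z0-9_]{82}"),
}

# File extensions a naive, text-only scanner would restrict itself to (assumed list).
TEXT_EXTENSIONS = (".py", ".txt", ".json", ".yaml", ".yml", ".env", ".cfg", ".ini")


def scan_bytes(data: bytes, path: str) -> list[dict]:
    """Run every token regex over raw bytes and report redacted matches."""
    findings = []
    for kind, pattern in TOKEN_PATTERNS.items():
        for match in pattern.finditer(data):
            findings.append({
                "path": path,
                "kind": kind,
                "offset": match.start(),
                # never log the full secret; the prefix is enough to triage
                "redacted": match.group()[:8].decode() + "...",
            })
    return findings


def _iter_layer_files(layer: bytes):
    """Yield (name, content) for every regular file in a tar-format layer."""
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                fh = tar.extractfile(member)
                if fh is not None:
                    yield member.name, fh.read()


def scan_layer_text_only(layer: bytes) -> list[dict]:
    """Naive scanner: only looks at files whose names suggest text."""
    findings = []
    for name, data in _iter_layer_files(layer):
        if name.endswith(TEXT_EXTENSIONS):
            findings.extend(scan_bytes(data, name))
    return findings


def scan_layer_binary(layer: bytes) -> list[dict]:
    """Binary-level scanner: every regular file, regardless of type."""
    findings = []
    for name, data in _iter_layer_files(layer):
        findings.extend(scan_bytes(data, name))
    return findings


def build_sample_layer() -> bytes:
    """Constructed image layer: a benign text file plus a compiled module whose
    marshalled constants embed a placeholder token (not a real credential)."""
    placeholder_token = "ghp_" + "A" * 36  # constructed placeholder
    code = compile(f"GITHUB_TOKEN = {placeholder_token!r}\n", "config.py", "exec")
    # 16 zero bytes stand in for the .pyc header; marshal carries the constants
    pyc_blob = b"\x00" * 16 + marshal.dumps(code)

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("app/settings.txt", b"debug = false\n"),
            ("app/__pycache__/config.cpython-312.pyc", pyc_blob),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    layer = build_sample_layer()
    print("text-only scan:", scan_layer_text_only(layer))
    print("binary scan   :", scan_layer_binary(layer))
```

The text-only scanner reports nothing because the secret lives only inside the compiled module, while the byte-level scanner finds it at a fixed offset in the `.pyc`; a real pipeline would walk every layer of the image and also inspect archives nested inside layers. Redacting matches in the report matters as much as finding them, since a scanner that prints full tokens into CI logs creates a second leak.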