Python team fixes bug that allowed takeover of PyPI repository
Catalin Cimpanu July 30, 2021

The Python security team today fixed three vulnerabilities affecting the Python Package Index (PyPI), the official repository for Python libraries, including one that could have allowed a threat actor to take full control of the portal.

The three vulnerabilities were discovered by Japanese security researcher RyotaK, the same researcher who earlier this month found a bug in Cloudflare’s CDNJS service that could have allowed a third party to run malicious code on roughly 12% of today’s websites.

In a new report published today, RyotaK said he analyzed PyPI, a web portal that serves as the official package index and repository for Python libraries. The site is essentially a database that works in conjunction with the official Python package installer, pip, and lets developers and hobbyist programmers easily search for and install Python components for their projects.

In keeping with the Python Software Foundation’s open-source philosophy, the source code of the PyPI service is also available on GitHub. By analyzing this public codebase, RyotaK said he found three bugs that could be exploited to:

Of the three, RyotaK described the first two as low-impact vulnerabilities that could “only be used for harassment at best.”

The third bug, however, was a critical issue: attackers could run commands on PyPI’s infrastructure to gather tokens or other secrets from the codebase, which an attacker could later use to access and modify the PyPI code itself.

“I could modify top page of pypi.org,” the researcher told The Record in an interview earlier today.

“It was [also] possible to modify the contents of packages, as pypa/warehouse contains a code for it,” he added.

The Python Software Foundation has awarded the researcher $1,000 for each of his bug reports, along with a public acknowledgment of his work.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.