from Hacker News

Typosquatting programming language package managers

by xrstf on 6/8/16, 1:45 PM with 143 comments

by wbond on 6/8/16, 3:58 PM
We've gotten flack from package developers submitting new packages to Package Control [0] because all additions to the default channel are hand reviewed. Part of this process is to prevent accidentally close package names, to try and encourage collaboration and to encourage developers to actually explain what their package does and how to use it.
My hope is to be automating a large amount of the review in the next few months, however I think this is a good argument for never having it be fully automatic. Having a human sanity check submissions isn't a terrible idea if we can keep the workload down.
Certainly this doesn't prevent a malicious author from posting a legitimate package and then changing the contents to be malicious, but that can be somewhat solved by turning off automatic updates.
[0] https://packagecontrol.io
by Mahn on 6/8/16, 3:56 PM
> In the thesis itself, several powerful methods to defend against typo squatting attacks are discussed. Therefore they are not included in this blog post.
http://incolumitas.com/data/thesis.pdf section 5 "Practical implications". Just wanted to point out that in case you skipped it it's worth a read, some interesting proposals there that are worth discussing with package manager maintainers.
I particularly like the preemptive approach of auto-blacklisting common typos by simply monitoring the number of times a specific unexisting package is requested over time (5.10). So if a lot of people regularly attempt to install the unexisting package "reqeusts", it could signal that it's a common typo and should be blacklisted to prevent malicious use in the future. False positives could always be sorted out manually by communicating with the package manager maintainers.
by zeveb on 6/8/16, 3:01 PM
Reminds me of the quote, 'there are only two hard things in computer science: naming things, cache invalidation and off-by-one errors.'
I think that this clearly falls under the heading 'naming issue.' People know what they want, but do not enter it properly.
I can't think of a 100% off-hand, which isn't surprising, because it's a hard problem.
pmontra's suggestion to use typo blacklisting ain't a bad idea. Maybe some sort of reputation-per-name could help?
by szx on 6/8/16, 3:29 PM
When you think about it, how different is the destructive potential of an npm/pip install from curl | bash that (some) people tend to froth at the mouth about?
It's pretty mind blowing how big of a blindspot package installers are. I guess running everything inside a e.g. Docker container/VM would be a partial interim solution for the paranoid?
by eudox on 6/8/16, 3:00 PM
I'm a fan of the approach of personally submitting projects to the repository maintainer (e.g. through GitHub issues), and having the maintainer personally approve them.
It does raise the barrier to entry, but it would prevent typosquatting and regular namesquatting.
EDIT: Does any major package manager provide a "did you mean" functionality, offering a list of actual package names similar to what you typed?
by baby on 6/8/16, 3:21 PM
After watching this awesome Defcon talk https://www.youtube.com/watch?v=YqxaKGA9Lnc I wondered if there was any use cases for bit/typo squating in crypto. This is a pretty cool one! Not crypto but interesting none-the-less :)
by pmontra on 6/8/16, 2:47 PM
Probably the maintainers of the package managers know which typos their users do, because of the 404s in the logs or equivalent errors. A preventive action could be starting to blacklist any name resolving to 404. If somebody eventually tries to upload a package in the blacklist, a maintainer should check the code and whitelist the name. Obviously people can be very crative with typos and with squattinq and there is no real protection against mistakes.
by Mizza on 6/8/16, 3:22 PM
This seems like pretty unethical research to me.
Also, doesn't point out that the bigger threat is that this is wormable.
by PeterisP on 6/8/16, 3:45 PM
Part of the problem is the many packages that require sudo permissions to install - IMHO that should be an exceptional case, but it isn't.
by cormacrelf on 6/8/16, 3:53 PM
And 'npmjs.org' is misspelled as 'npmsjs.org' in the introduction. Nice.
by nichochar on 6/8/16, 3:02 PM
Wow, this a very good study and explanation of what typo squatting is, and I really liked how he proved it's effectiveness.
I wonder what kind of steps we can take to prevent this risk.
by ysavir on 6/8/16, 4:56 PM
Instead of blacklisting, why not respond with a "You requested package ABD, but we think you might mean package ABC. Enter 'yes' to continue or anything else to start over."
That way authors can continue to use any name they want, and the emphasis is on letting installers know that they might be installing the wrong package.
by zmanian on 6/8/16, 8:15 PM
We need operating system vendors to give us a mechanism for easily creating and managed sandboxed dev environments.
Ones dev environment should be a place where remote code execution is a high probablity and we need better tools to partition that from high value data.
by airless_bar on 6/8/16, 4:01 PM
This only seems to be an issue for languages where packages reside in a global namespace, like Python, Rust etc.
I think most languages these days are a bit smarter and avoid this beginner mistake (for various reasons).
by bennofs on 6/8/16, 3:30 PM
Did anyone else find it surprising the the number of total requests (45334) is so much higher than the number of unique total requests (17289)? It is more than twice the number of unique requests!
Possible explainations:
* Perhaps many of those are automated build systems, which would also explain the high number of systems with admin access (for example, if you use travis without docker, every build runs in a clean vm with admin access).
* People download one package and install it multiple times? Seems unlikely
Any other ideas?
by mirekrusin on 6/8/16, 4:51 PM
with npm there should be at least an option which prompts for Y/N/A when package has preinstall hook.
but even this just tries to put the problem under carpet. you could still for example have requests package which just installs request package, works as expected, just sends request/response to your own server from time to time. ie. when there's http basic auth used only.
by mbroshi on 6/8/16, 5:01 PM
Maybe this is overly naive, but when I make a typo in the Google search bar, it doesn't even search for my typo-ed term (even if it would have gotten some hits), it searches for what I actually meant to type. Can't package managers have a similar feature?
by ryanmarsh on 6/8/16, 2:56 PM
So last week my client discovered there's a gem named bunlder... sigh
by jogjayr on 6/8/16, 10:21 PM
I thank my stars every time I get a "Package not found" error due to a typo, because I'm reminded that it could have been much worse.
by jwilk on 6/9/16, 12:19 PM
Trying to parse the title made my head hurt. It should be "Typosquatting software package names" or something.
by tbrock on 6/8/16, 6:52 PM
The homebrew model where packages and changes to packages are reviewed takes care of this problem quite nicely.
by andrewstuart on 6/9/16, 12:16 AM
Ouch. This really hurts. So hard to protect against human error.
by sheerun on 6/8/16, 5:49 PM
Glad to hear bower is stated to be safe in this regard :)
by irremediable on 6/8/16, 3:08 PM
Really cool applied research. If I get the time, I'll check out the author's thesis.
by optimuspaul on 6/8/16, 3:31 PM
I'm confused.. is it 17 computers or 17000 computers? inconsistent use of decimals in this article.