MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
python
Recherche

Python GitHub Token Leak Shows Binary Files Can Burn Developers Too

vendredi 12 juillet 2024, 01:20 , par Slashdot
snydeq shares a report from CSO Online, written by Lucian Constantin: A personal GitHub access token with administrative privileges to the official repositories for the Python programming language and the Python Package Index (PyPI) was exposed for over a year. The access token belonged to the Python Software Foundation's director of infrastructure and was accidentally included in a compiled binary file that was published as part of a container image on Docker Hub. The incident shows that scrubbing access tokens from source code only, which some development tools do automatically, is not enough to prevent potential security breaches. Sensitive credentials can also be included in environment variables, configuration files and even binary artifacts as a result of automated build processes and developer mistakes. 'Although we encounter many secrets that are leaked in the same manner, this case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands -- one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself,' researchers from security firm JFrog, who found and reported the token, wrote in a report.

Read more of this story at Slashdot.
https://it.slashdot.org/story/24/07/11/218242/python-github-token-leak-shows-binary-files-can-burn-d...

Voir aussi

News copyright owned by their original publishers | Copyright © 2004 - 2024 Zicos / 440Network
Date Actuelle
mar. 5 nov. - 07:54 CET