The developers of the Python Package Index (PyPI) recently disclosed a security issue in the implementation of the "Organization Team" feature, which lets several developers collaborate on a PyPI project. The problem was that privileges granted to a user through membership in an organization team were not revoked when that user was removed from the organization. PyPI fixed the vulnerability within 2 hours of it being reported, and no unauthorized activity resulting from the retained access rights was detected.
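The flaw described above is a failure to cascade a revocation: removing a user from the organization left their team memberships, and thus the project permissions those teams carried, intact. The following is an added example written for this article, not PyPI's own (Warehouse) code; the data model, function names and user names are hypothetical. It shows the shallow removal that leaves stale team rows behind, the cascading removal that fixes it, and an authorization check that additionally requires current organization membership as defense in depth.

```python
from dataclasses import dataclass, field


@dataclass
class Organization:
    """Minimal, hypothetical model of an organization whose teams carry
    project permissions (not PyPI's real data model)."""
    members: set = field(default_factory=set)          # current org members
    teams: dict = field(default_factory=dict)          # team name -> set of usernames
    project_teams: dict = field(default_factory=dict)  # project name -> set of team names


def add_member(org, user):
    org.members.add(user)


def add_to_team(org, team, user):
    # Team membership is only ever granted to a current org member.
    if user not in org.members:
        raise ValueError(f"{user} is not a member of the organization")
    org.teams.setdefault(team, set()).add(user)


def grant_team_project(org, team, project):
    org.project_teams.setdefault(project, set()).add(team)


def remove_member_shallow(org, user):
    """The flawed pattern: drops org membership but leaves team rows behind."""
    org.members.discard(user)


def remove_member(org, user):
    """The fix: removing a user from the org revokes every team membership too."""
    org.members.discard(user)
    for team_members in org.teams.values():
        team_members.discard(user)


def can_manage_project_team_only(org, user, project):
    """Authorization that trusts team rows alone; a stale row keeps granting."""
    return any(user in org.teams.get(t, ())
               for t in org.project_teams.get(project, ()))


def can_manage_project(org, user, project):
    """Defense in depth: membership must be current AND a team must grant the project,
    so a missed cascade no longer translates into retained access."""
    return user in org.members and can_manage_project_team_only(org, user, project)


def demo():
    """Constructed scenario: two members, one team, one project; 'mallory' is removed."""
    org = Organization()
    add_member(org, "alice")
    add_member(org, "mallory")
    add_to_team(org, "release", "alice")
    add_to_team(org, "release", "mallory")
    grant_team_project(org, "release", "widgetlib")

    remove_member_shallow(org, "mallory")
    stale = can_manage_project_team_only(org, "mallory", "widgetlib")   # True: the bug
    guarded = can_manage_project(org, "mallory", "widgetlib")           # False: membership check

    remove_member(org, "mallory")
    after_cascade = can_manage_project_team_only(org, "mallory", "widgetlib")  # False
    alice_ok = can_manage_project(org, "alice", "widgetlib")                   # True

    return stale, guarded, after_cascade, alice_ok


if __name__ == "__main__":
    print(demo())
```

The two-layer check matters because revocation bugs are typically found by audit rather than by the affected code path; requiring the user to still be a member at authorization time limits the blast radius of any future cascade that is missed.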
Separately, the team maintaining Crates.io, the package repository for the Rust programming language, disclosed a security incident of its own. When backend errors occurred in the Crates.io infrastructure, data about the requests being processed at the time was sent to the Sentry error-monitoring service. Among the fields sent was the "Cargo_SESSION" cookie, which serves as the user's session identifier; anyone holding this value could perform actions within that user's active session.
The Sentry monitoring server is accessible only to the few teams that operate the project infrastructure and the Crates.io repository, people who already hold elevated access to Crates.io's production servers. An investigation found that the session keys present in the logs had not been used. After the leak was fixed, all copies of these cookies were promptly purged from Sentry's event logs and all active user sessions were invalidated.
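The Crates.io incident is a classic telemetry leak: request context that is useful for debugging also carried a credential. The standard mitigation is to scrub events before they leave the application. Below is an added example, not Crates.io's code, of a scrubber written in the shape of the Sentry SDK's `before_send(event, hint)` hook (that hook name and signature are the SDK's real API; the event layout, the cookie name `cargo_session`, and the sample event are constructed for this example). It redacts credential-bearing headers and any key that looks like a session token anywhere in the event, and it goes slightly beyond the page by also covering `Authorization` headers and nested data such as `extra`.

```python
import copy

# Header names whose values must never reach the monitoring service.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Key names (cookies, query params, extras) treated as secrets wherever they appear.
# "cargo_session" is an assumption matching the cookie the article describes.
SENSITIVE_KEYS = {"cargo_session", "session", "sessionid", "token", "password"}
REDACTED = "[Filtered]"


def _scrub(obj):
    """Recursively redact values whose key (case-insensitive) is a known secret name."""
    if isinstance(obj, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else _scrub(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [_scrub(v) for v in obj]
    return obj


def before_send(event, hint=None):
    """Return a redacted copy of the event; the original is left untouched.
    Same call shape as sentry_sdk.init(before_send=...)."""
    event = copy.deepcopy(event)
    req = event.get("request")
    if isinstance(req, dict):
        headers = req.get("headers")
        if isinstance(headers, dict):
            # The raw Cookie header carries the whole session string, so it is
            # redacted wholesale rather than parsed.
            for name in headers:
                if name.lower() in SENSITIVE_HEADERS:
                    headers[name] = REDACTED
    return _scrub(event)


def contains_session(event, marker="cargo_session="):
    """Detection helper: does any string in the event still carry a raw session cookie?"""
    if isinstance(event, dict):
        return any(contains_session(v, marker) for v in event.values())
    if isinstance(event, list):
        return any(contains_session(v, marker) for v in event)
    return isinstance(event, str) and marker in event


# Constructed sample event in the style of an error report with request context.
SAMPLE_EVENT = {
    "message": "database connection pool exhausted",
    "request": {
        "url": "https://crates.example/api/v1/me",
        "method": "GET",
        "headers": {
            "User-Agent": "cargo 1.x (constructed)",
            "Cookie": "cargo_session=EXAMPLE-NOT-A-REAL-SESSION; theme=dark",
        },
        "cookies": {"cargo_session": "EXAMPLE-NOT-A-REAL-SESSION", "theme": "dark"},
    },
    "extra": {"token": "EXAMPLE-NOT-A-REAL-TOKEN", "worker": "web-1"},
}


if __name__ == "__main__":
    scrubbed = before_send(SAMPLE_EVENT)
    print("raw event leaks session:", contains_session(SAMPLE_EVENT))
    print("scrubbed event leaks session:", contains_session(scrubbed))
    print(scrubbed["request"]["headers"], scrubbed["request"]["cookies"], scrubbed["extra"])
```

Scrubbing at the SDK boundary is the last line of defense; the cheaper fix is to never attach the raw `Cookie` header to error context in the first place. The `contains_session` check is the kind of assertion a test suite can run over captured events to catch regressions before they reach a third-party service.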