jspm install and github rate limiting

It has come to our attention (thanks to @michielcornille!) that some developers, probably without realising it, publish their GitHub username and password to the world. This is dangerous.

Using this information, people with ill intentions can:

  • Delete your account, or do anything else with it for that matter.
  • Log in to your other accounts (logged in on Heroku? your production environment is now exposed).
  • Log in to other systems that use the same credentials (many people still reuse passwords across sites).
  • Modify code and inject malware into your existing repositories without you knowing.

An example of this, used in our own repository, can be found here.

In our case, it’s a read-only access token. But some use their GitHub username and password instead. For obvious reasons, I will not be linking to examples in this post.

Developers usually do this to get around GitHub’s rate limiting on API requests, which you run into, for example, when working with jspm. There’s nothing wrong with using a token, provided you’re careful with it.

What can I do?

If your username and password are already on GitHub, change your password. It’s in version control now, and people have it.

If you’re using an access token, check its permissions. Anyone who finds the token can use it, and if it has more permissions than it needs, all of those are exposed. You can safely reduce the permissions without breaking the token itself.

  1. Always use 2FA. Read more about it here. This makes sure that even if someone gets your login credentials, they still cannot log in as you.
  2. Don’t put your credentials on GitHub. Not even base64 encoded (that can simply be decoded). Instead, take one of the alternative approaches (for instance environment variables).
  3. When creating access tokens for your account, give them the minimal permissions required.
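To show how little base64 hides, here is an added example (not code from the original post or from jspm) of a pre-commit style check that scans a config file for base64-encoded `user:secret` pairs and reports whether the secret looks like a password or a GitHub token. It assumes jspm-style configs keep GitHub auth as `base64("username:password-or-token")` under a key named `auth`; the sample config is constructed for this example.

```javascript
// Added example: detect base64("user:secret") values committed in a config file.
// Assumption: the config stores GitHub auth under an "auth" key, as jspm does.
// Classic GitHub tokens are 40 hex chars; newer ones start with ghp_, gho_, etc.
const GITHUB_TOKEN = /^(?:[0-9a-f]{40}|gh[pousr]_[A-Za-z0-9]{36,})$/;

// A token is less bad than a password (no account takeover), but it still grants
// every scope it has, and 2FA does not protect it once leaked.
function classifySecret(secret) {
  return GITHUB_TOKEN.test(secret) ? 'token' : 'password';
}

// Returns findings without the secret itself, so the report can be logged safely.
function findEncodedCredentials(configText) {
  const findings = [];
  // Candidate: any JSON string value made only of base64 characters.
  const re = /"([^"]+)"\s*:\s*"([A-Za-z0-9+/]{8,}={0,2})"/g;
  let m;
  while ((m = re.exec(configText)) !== null) {
    const [, key, encoded] = m;
    const decoded = Buffer.from(encoded, 'base64').toString('utf8');
    // Real base64 round-trips exactly; ordinary words like "registry" do not.
    if (Buffer.from(decoded, 'utf8').toString('base64') !== encoded) continue;
    const sep = decoded.indexOf(':');
    // Credentials look like printable "user:secret"; anything else is not one.
    if (sep < 1 || !/^[\x20-\x7e]+$/.test(decoded)) continue;
    const user = decoded.slice(0, sep);
    const secret = decoded.slice(sep + 1);
    findings.push({ key, user, kind: classifySecret(secret), secretLength: secret.length });
  }
  return findings;
}

// Constructed sample config: one password-style entry, one token-style entry.
const SAMPLE_CONFIG = `{
  "registries": {
    "github": { "auth": "${Buffer.from('alice:hunter2').toString('base64')}" },
    "mirror": { "auth": "${Buffer.from('alice:0123456789abcdef0123456789abcdef01234567').toString('base64')}" }
  },
  "defaultRegistry": "jspm"
}`;

for (const f of findEncodedCredentials(SAMPLE_CONFIG)) {
  console.log(`${f.key}: user "${f.user}" with a ${f.kind} of ${f.secretLength} chars`);
}
```

Run it over the files you are about to commit; a `password` finding means change the password now, a `token` finding means check and reduce its scopes.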

Please share this article with anyone you think might be vulnerable to this.

Thanks for reading,

happy coding!