The project behind the Rust programming language has revoked all API keys issued by crates.io, the web application that serves as Rust's package registry.
The keys were revoked after a security vulnerability affecting Rust's package system was reported; two separate issues were at fault. First, the Rust developers learned that the PostgreSQL random() function used to generate crates.io API keys (tokens) is not a cryptographically secure random number generator.
"In theory, an attacker could observe enough random values to determine the internal state of the random number generator, and use this to determine the API keys generated since the last restart of the database server," the advisory states.
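The attack the advisory describes is state recovery from observed outputs, and it applies to any generator that is not a CSPRNG. The following is an added example, not code from the Rust project or crates.io, and it does not touch PostgreSQL's random() at all: it uses Python's built-in random module (a Mersenne Twister, MT19937, which is likewise not cryptographically secure) as a stand-in for the database server's generator. The "victim" hands out 624 consecutive 32-bit values, the "attacker" inverts the output transform to rebuild the full internal state, and from then on predicts every value the victim will produce. The seed and token counts are constructed for the demonstration.

```python
import random

# MT19937 has 624 words of 32-bit state; its output is state[i] passed through
# a fixed, invertible "tempering" transform. Observing 624 outputs therefore
# leaks the whole state, exactly the weakness the crates.io advisory describes.
N = 624
MASK32 = 0xFFFFFFFF


def _unshift_right_xor(y: int, shift: int) -> int:
    """Invert y ^= y >> shift. The top `shift` bits are untouched, so rebuild
    the word downward, `shift` bits per iteration."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & MASK32


def _unshift_left_xor_mask(y: int, shift: int, mask: int) -> int:
    """Invert y ^= (y << shift) & mask. The low `shift` bits are untouched, so
    rebuild the word upward, `shift` bits per iteration."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(output: int) -> int:
    """Recover one raw state word from one tempered 32-bit MT19937 output
    (the four tempering steps, undone in reverse order)."""
    y = _unshift_right_xor(output, 18)
    y = _unshift_left_xor_mask(y, 15, 0xEFC60000)
    y = _unshift_left_xor_mask(y, 7, 0x9D2C5680)
    y = _unshift_right_xor(y, 11)
    return y


def clone_generator(observed: list[int]) -> random.Random:
    """Build a generator whose state equals the victim's after it produced
    `observed` (624 consecutive 32-bit outputs). The index is set to N so the
    clone performs the same state 'twist' the victim will perform next."""
    if len(observed) != N:
        raise ValueError(f"need exactly {N} consecutive outputs, got {len(observed)}")
    state = tuple(untemper(o) for o in observed) + (N,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def demo(seed: int = 0xC0FFEE, predict: int = 5) -> tuple[list[int], list[int]]:
    """Victim: a seeded non-cryptographic PRNG standing in for the database's
    generator. Attacker: observes 624 outputs, clones the state and predicts the
    next `predict` values. Returns (victim_next, attacker_prediction)."""
    victim = random.Random(seed)                      # constructed seed
    leaked = [victim.getrandbits(32) for _ in range(N)]  # outputs an attacker could observe
    attacker = clone_generator(leaked)
    victim_next = [victim.getrandbits(32) for _ in range(predict)]
    predicted = [attacker.getrandbits(32) for _ in range(predict)]
    return victim_next, predicted


if __name__ == "__main__":
    real, guessed = demo()
    print("next values from the server :", real)
    print("attacker's prediction       :", guessed)
    print("prediction correct:", real == guessed)
```

The number of outputs needed and the inversion steps are specific to MT19937; other non-cryptographic generators need different (often far fewer) observations, but the lesson is the same: a token generator must draw from a CSPRNG, where no amount of observed output reveals the state.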
API keys are credentials used to authenticate a user or a machine to a service and to control what that caller is allowed to do; on crates.io they authorize actions such as publishing crates.
Second, the Rust project discovered that the API keys were stored in the database in plain text. An attacker who breached the database would therefore have gained immediate use of every current token.
The Rust project has now switched to a cryptographically secure random number generator and stores only a hashed version of each token in the database, so a copy of the table no longer yields usable credentials.
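The two fixes, taken together, are a small amount of code. The following is an added example and not the crates.io implementation: an in-memory dictionary stands in for the database table, Python's secrets module (which reads the operating system's CSPRNG) replaces the non-cryptographic generator, and SHA-256 is the hash chosen here for the stored column; the advisory itself only says a "hashed version" is stored. The "before" store keeps raw tokens, the "after" store keeps only their digests, and a simulated database dump shows the difference. The user names are constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PlaintextTokenStore:
    """The 'before' design: the raw token is the value kept in the database,
    so anyone who can read the table can use every token directly."""
    rows: dict[str, str] = field(default_factory=dict)   # raw token -> owner

    def issue(self, owner: str) -> str:
        token = secrets.token_urlsafe(32)
        self.rows[token] = owner
        return token

    def authenticate(self, presented: str) -> Optional[str]:
        return self.rows.get(presented)

    def dump(self) -> list[str]:
        """What an attacker with read access to the database obtains."""
        return list(self.rows)


@dataclass
class HashedTokenStore:
    """The 'after' design: only SHA-256(token) is stored. The raw token is
    shown to the user once, at creation time, and never written to the table."""
    rows: dict[str, str] = field(default_factory=dict)   # sha256 hex -> owner

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, owner: str) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG (os.urandom). 32 bytes
        # is 256 bits of entropy, so tokens can be neither predicted nor guessed.
        token = secrets.token_urlsafe(32)
        self.rows[self._digest(token)] = owner
        return token

    def authenticate(self, presented: str) -> Optional[str]:
        # Lookup is by digest. Turning a stored digest back into a working
        # token would require a SHA-256 preimage, which is infeasible.
        return self.rows.get(self._digest(presented))

    def revoke_all(self) -> int:
        """Invalidate every token, as crates.io did; returns how many."""
        n = len(self.rows)
        self.rows.clear()
        return n

    def dump(self) -> list[str]:
        """What an attacker with read access to the database obtains."""
        return list(self.rows)


def database_leak_is_usable(store) -> bool:
    """Simulate a breach: replay every stored value as if it were a token and
    report whether any of them authenticates."""
    return any(store.authenticate(value) is not None for value in store.dump())


def demo() -> dict[str, bool]:
    before, after = PlaintextTokenStore(), HashedTokenStore()
    before.issue("alice")          # constructed users
    after.issue("alice")
    tok = after.issue("bob")
    results = {
        "plaintext_leak_usable": database_leak_is_usable(before),   # True
        "hashed_leak_usable": database_leak_is_usable(after),       # False
        "real_token_works": after.authenticate(tok) == "bob",       # True
    }
    after.revoke_all()
    results["works_after_revocation"] = after.authenticate(tok) is not None  # False
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

An unsalted hash is sufficient here, unlike for passwords, because the input is a 256-bit random token rather than a human-chosen secret, so there is nothing for a dictionary or rainbow-table attack to exploit. If the token must be generated inside PostgreSQL itself, the cryptographic alternative to random() is gen_random_bytes() from the pgcrypto extension.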
"Exploiting either of these issues would be incredibly impractical in practice, and we have found no evidence that any exploitation has taken place. However, out of an abundance of caution, we've opted to revoke all existing API keys," the advisory says.
Developers who publish crates will need to generate a new API key on the crates.io website and supply it to cargo again with cargo login; the old keys no longer work.
The crates.io site reports more than 43,000 crates, downloaded more than three billion times in total. Crates are an essential part of the Rust ecosystem: Deno, a possible successor to Node.js, is written in Rust and is essentially a collection of crates rather than a monolithic program.
The Rust project reacted quickly: the vulnerability report was received on July 11th, and by July 14th the issues were fixed, all tokens revoked and a disclosure notice published.