The security alert:
- Your password wasn’t leaked, but the hash was. Still not great.
- It’s fixed now.
The root problem?
To do login, npm uses the /_users database in couchdb. By default, CouchDB prior to version 1.2.0 makes this database world-readable.
Yet another problem
Latest stable CouchDB release is 1.1.1. And you’ll probably find some more nasty comments in the Hacker News thread.
Captured by Klint Finley from Jan Lehnardt:
For those not ready to upgrade to 1.2.0 CouchDB developer Jan Lehnardt suggests restricting access to /_users with a proxy.
The good news of course is that the CouchDB is changing this default behavior. The bad news is that it took this long for the problem with NPM to be noticed and fixed.
Me: the very bad news is that security is still an after-thought for many NoSQL databases.
Original title and link: CouchDB in Node Package Manager Exposed Password Hashes ( ©myNoSQL)