{"id":3420,"date":"2021-10-13T18:35:02","date_gmt":"2021-10-13T13:05:02","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3420"},"modified":"2021-10-13T18:35:05","modified_gmt":"2021-10-13T13:05:05","slug":"how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/","title":{"rendered":"How does PyPI eliminate \u2018mitmproxy2\u2019 over Code Execution Concerns?"},"content":{"rendered":"\n
The PyPI repository has removed a Python package called \u2018mitmproxy2\u2019 that was an identical copy of the official \u201cmitmproxy\u201d library, but with \u201cartificially introduced\u201d code execution vulnerability. The form \u2018mitmproxy\u2019 Python library is a free and open-source interactive HTTPS proxy with over 40,000 weekly downloads.<\/p><\/p>\n\n\n\n
Copycat Package could mislead devs into Falling for \u2018advance\u2019 versions<\/strong><\/h2>\n\n\n\n
Previously, Maximilian Hils, who is one of the developers behind the \u2018mitmproxy\u2019 Python library, drew everyone\u2019s attention towards a counterfeit \u2018mitmproxy2\u2019 package uploaded to PyPI. \u2018mitmproxy2\u2019 is necessary \u201cthe same as regular mitmproxy but with an artificial RCE vulnerability included.\u201d<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
Hils\u2019 main concern as he explained to our experts, was that some software developers might mistake \u2018mitmproxy2\u2019 as an advanced version\u201d of \u2018mitmproxy\u2019 and inadvertently introduced insecure code in their applications.<\/p><\/p>\n\n\n\n
Hils discovers this copycat package in what he calls a \u201chappy little accident\u201d while seeking into an unrelated PyPI warehouse concern.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
On examining the differences between \u2018mitmproxy2\u2019 and his \u2018mitmproxy,\u2019 something important stood out. The former had all the safeguards removed from the API: <\/p><\/p>\n\n\n\n
“When you run mitmproxy’s web interface, we expose an HTTP API for that. If you remove all safeguards from that API, everyone on the same network can execute code on your machine with a single HTTP request,” Hils told our experts.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
It isn’t clear either if the user who published the copycat ‘mitmproxy2’ package did so with willful malicious intent or just out of insecure coding practices.<\/p><\/p>\n\n\n\n
“To be clear, this really isn’t the most malicious thing an attacker could do. It would be much more straightforward to just add some malicious code that gets executed on install right away.”<\/p><\/p>\n\n\n\n
“The problem is of course if you upload that to PyPI as ‘mitmproxy2’ with a version number that indicates it’s newer\/a successor, people will inevitably download that not knowing about the changes.”<\/p><\/p>\n\n\n\n
Hils thanked PyPI volunteers for swiftly reacting to this report. Within four hours of Hils’ tweet, ‘mitmproxy2’ was taken down.<\/p><\/p>\n\n\n\n
Whack-a-mole: another Copycat Comes an hours later<\/strong><\/h2>\n\n\n\n
While analyzing ‘mitmproxy2’, our experts discovered another package ‘mitmproxy-iframe’ had appeared on the PyPI registry, less than a day after ‘mitmproxy2’ was removed.<\/p><\/p>\n\n\n\n
Once again, this package is a replica of the official mitmproxy, but with the aforementioned safeguards removed from the “app.py” file, as seen by our experts.<\/p><\/p>\n\n\n\n
Interestingly, mitmproxy-iframe is also published by the same user, who is behind ‘mitmproxy2’, nowcasting doubts on what the user’s intentions are:<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
Because anyone can publish packages to open-source ecosystems, security threats and attacks like malware injection, typosquatting, brandjacking, and dependency confusion have increased rapidly in recent times.<\/p><\/p>\n\n\n\n
Unless concrete validations are put in place by open-source registries, these “whack-a-mole” situations are bound to repeat themselves. Our experts alerted PyPI of the ‘mitmproxy-iframe’ package before publishing and the package was taken down.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
The PyPI repository has removed a Python package called \u2018mitmproxy2\u2019 that was an identical copy of the official \u201cmitmproxy\u201d library, but with \u201cartificially introduced\u201d code execution vulnerability. The form \u2018mitmproxy\u2019 Python library is a free and open-source interactive HTTPS proxy with over 40,000 weekly downloads. Copycat Package could mislead devs into Falling for \u2018advance\u2019 versions […]<\/p>\n","protected":false},"author":2,"featured_media":3426,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"\n
How does PyPI eliminate \u2018mitmproxy2\u2019 over Code Execution Concerns? - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How does PyPI eliminate \u2018mitmproxy2\u2019 over Code Execution Concerns? - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"The PyPI repository has removed a Python package called \u2018mitmproxy2\u2019 that was an identical copy of the official \u201cmitmproxy\u201d library, but with \u201cartificially introduced\u201d code execution vulnerability. The form \u2018mitmproxy\u2019 Python library is a free and open-source interactive HTTPS proxy with over 40,000 weekly downloads. Copycat Package could mislead devs into Falling for \u2018advance\u2019 versions […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-13T13:05:02+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-10-13T13:05:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/How-PyPI-eliminate-\u2018mitmproxy2-over-Code-Execution-Concerns-featured-image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"How does PyPI eliminate \u2018mitmproxy2\u2019 over Code Execution Concerns?\",\"datePublished\":\"2021-10-13T13:05:02+00:00\",\"dateModified\":\"2021-10-13T13:05:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/\"},\"wordCount\":480,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/\",\"url\":\"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/\",\"name\":\"How does PyPI eliminate \u2018mitmproxy2\u2019 over Code Execution Concerns? - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-10-13T13:05:02+00:00\",\"dateModified\":\"2021-10-13T13:05:05+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How does PyPI eliminate \u2018mitmproxy2\u2019 over Code Execution Concerns?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How does PyPI eliminate \u2018mitmproxy2\u2019 over Code Execution Concerns? - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/","og_locale":"en_US","og_type":"article","og_title":"How does PyPI eliminate \u2018mitmproxy2\u2019 over Code Execution Concerns? - Xiarch Solutions Private Limited","og_description":"The PyPI repository has removed a Python package called \u2018mitmproxy2\u2019 that was an identical copy of the official \u201cmitmproxy\u201d library, but with \u201cartificially introduced\u201d code execution vulnerability. The form \u2018mitmproxy\u2019 Python library is a free and open-source interactive HTTPS proxy with over 40,000 weekly downloads. Copycat Package could mislead devs into Falling for \u2018advance\u2019 versions […]","og_url":"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-10-13T13:05:02+00:00","article_modified_time":"2021-10-13T13:05:05+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/How-PyPI-eliminate-\u2018mitmproxy2-over-Code-Execution-Concerns-featured-image.png","type":"image\/png"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"How does PyPI eliminate \u2018mitmproxy2\u2019 over Code Execution Concerns?","datePublished":"2021-10-13T13:05:02+00:00","dateModified":"2021-10-13T13:05:05+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/"},"wordCount":480,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/","url":"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/","name":"How does PyPI eliminate \u2018mitmproxy2\u2019 over Code Execution Concerns? - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-10-13T13:05:02+00:00","dateModified":"2021-10-13T13:05:05+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/how-does-pypi-eliminate-mitmproxy2-over-code-execution-concerns\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How does PyPI eliminate \u2018mitmproxy2\u2019 over Code Execution Concerns?"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3420"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=3420"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3420\/revisions"}],"predecessor-version":[{"id":3427,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3420\/revisions\/3427"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/3426"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=3420"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=3420"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=3420"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"How-PyPI-eliminate-\u2018mitmproxy2\u2019-over-Code-Execution-Concerns-image1\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/How-PyPI-eliminate-\u2018mitmproxy2-over-Code-Execution-Concerns-image1.png\")
<\/figure><\/div>\n\n\n\n![\"How-PyPI-eliminate-\u2018mitmproxy2\u2019-over-Code-Execution-Concerns-image2\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/How-PyPI-eliminate-\u2018mitmproxy2-over-Code-Execution-Concerns-image2-1024x825.jpg\")
<\/figure><\/div>\n\n\n\n![\"How-PyPI-eliminate-\u2018mitmproxy2\u2019-over-Code-Execution-Concerns-image3\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/How-PyPI-eliminate-\u2018mitmproxy2-over-Code-Execution-Concerns-image4-1024x383.jpg\")
<\/figure><\/div>\n\n\n\n![\"How-PyPI-eliminate-\u2018mitmproxy2\u2019-over-Code-Execution-Concerns-image3\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/How-PyPI-eliminate-\u2018mitmproxy2-over-Code-Execution-Concerns-image3-1024x563.jpg\")
<\/figure><\/div>\n\n\n\n