惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tenable Blog
博客园_首页
Vercel News
Vercel News
WordPress大学
WordPress大学
美团技术团队
G
Google Developers Blog
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
Y
Y Combinator Blog
博客园 - 【当耐特】
量子位
酷 壳 – CoolShell
酷 壳 – CoolShell
The Cloudflare Blog
T
The Blog of Author Tim Ferriss
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Google DeepMind News
Google DeepMind News
云风的 BLOG
云风的 BLOG
腾讯CDC
M
MIT News - Artificial intelligence
爱范儿
爱范儿
Recent Announcements
Recent Announcements
雷峰网
雷峰网
Last Week in AI
Last Week in AI
宝玉的分享
宝玉的分享
The Register - Security
The Register - Security
Jina AI
Jina AI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Hugging Face - Blog
Hugging Face - Blog
P
Privacy & Cybersecurity Law Blog
Recorded Future
Recorded Future
Help Net Security
Help Net Security
N
News and Events Feed by Topic
博客园 - Franky
P
Proofpoint News Feed
L
LINUX DO - 热门话题
S
SegmentFault 最新的问题
The GitHub Blog
The GitHub Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
月光博客
月光博客
D
Docker
Google DeepMind News
Google DeepMind News
有赞技术团队
有赞技术团队
IT之家
IT之家
Security Latest
Security Latest
L
LangChain Blog
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
J
Java Code Geeks

Ember.js Blog

Ember 7.0 Released Announcing the Official TypeScript Types Public Preview Accessibility Working Group Update The 2020 Ember Roadmap Countdown to The New Year - Built-in Addons Countdown to The New Year - Ember Exam Countdown to The New Year - Ember Code Snippet Countdown to The New Year - Ember Changeset Countdown to The New Year - Ember In Viewport Countdown to The New Year - Ember CLI Update Countdown to The New Year - Ember Template Invocation Location Countdown to The New Year - Ember CLI TypeScript Countdown to The New Year - Ember Bootstrap and Ember Paper Countdown to The New Year - Ember CSS Modules Countdown to The New Year - Ember Mapbox GL Countdown to The New Year - Ember Shepherd Countdown to The New Year - Ember Template Lint Countdown to The New Year - Ember Composable Helpers Countdown to The New Year - Ember Leaflet Countdown to The New Year - Ember Intl Countdown to The New Year - Ember Test Selectors Countdown to The New Year - Ember Power Select Countdown to The New Year - Ember Simple Auth Countdown to The New Year - Ember SVG Jar Countdown to The New Year - Ember Page Title Countdown to The New Year- Ember A11Y Testing Countdown to The New Year - Ember Angle Brackets Codemod Countdown to The New Year - Ember CLI Sass Countdown to The New Year - Ember Animated Countdown to The New Year - Ember Auto Import Countdown to The New Year - Ember Concurrency Countdown to The New Year - Ember Tether Countdown to The New Year - Ember Modifier Countdown to The New Year - Ember CLI Mirage Countdown to The New Year - Ember Sortable Coming Soon in Ember Octane - Part 5: Glimmer Components Coming Soon in Ember Octane - Part 4: Modifiers Coming Soon in Ember Octane - Part 3: Tracked Properties Coming Soon in Ember Octane - Part 2: Angle Brackets & Named Arguments Preview Weekend: 2019 Ember Community Survey Coming Soon in Ember Octane - Part 1: Native Classes First Annual DecEmber Event! 2018 Ember Community Survey 2017 Ember Community Survey Announcing The Glimmer 2 Alpha Upcoming deprecation of baseURL in Ember CLI 2.7 2016 Ember Community Survey Announcing Ember Core Team Face to Face, January 2016 Ember.js 1.13.0 and 2.0 Beta Released Another Ember 2.x Status Update Ember.js 1.12 and 1.13 Beta (Glimmer!) Released Ember.js 1.11.1 Released Ember.js 1.11.0 and 1.12 Beta Released Ember.js 1.10.0 and 1.11 Beta Released Compiling templates with Ember 1.10 Core Team Meeting Minutes - 2014/08/01 Core Team Meeting Minutes - 2014/08/14 Core Team Meeting Minutes - 2014/09/12 Cleaning Up Github Issues Core Team Meeting Minutes - 2014/07/11 Core Team Meeting Minutes - 2014/07/25 Core Team Meeting Minutes - 2014/06/13 Core Team Meeting Minutes - 2014/06/20 Core Team Meeting Minutes - 2014/06/27 Core Team Meeting Minutes - 2014/06/06 Core Team Meeting Minutes - 2014/04/25 Core Team Meeting Minutes - 2014/04/04 Ember 1.5.0 and 1.6 Beta Released Core Team Meeting Minutes - 2014/03/07 Core Team Meeting Minutes - 2014/03/14 Core Team Meeting Minutes - 2014/03/21 Core Team Meeting Minutes - 2014/02/28 Core Team Meeting Minutes - 2014/02/21 Core Team Meeting Minutes - 2014/02/14 Ember 1.4.0 and 1.5 Beta Released Core Team Meeting Minutes - 2014/01/27 Core Team Meeting Minutes - 2014/01/31 Core Team Meeting Minutes - 2014/02/07 Core Team Meeting Minutes - 2014/01/17 Core Team Meeting Minutes - 2014/01/03 Ember 1.3.0 and 1.4 Beta Released Core Team Meeting Minutes - 2013/12/20 Core Team Meeting Minutes - 2013/12/06 Ember 1.2.0 and 1.3 Beta Released Ember 1.1.2 Released Ember 1.1.1 and 1.2 Beta Released Ember 1.0 Released Ember 1.0 RC8 Released Ember 1.0 RC7 Released Ember 1.0 RC6.1, RC5.1, RC4.1, RC3.1, RC2.1 RC1.1 Released Ember 1.0 RC6 Ember 1.0 RC5 Ember 1.0 RC4 Ember 1.0 RC3 Announcing the Ember.js Security Policy Ember 1.0 RC2 Ember 1.0 RC Ember 1.0 Prerelease 2 Ember 1.0 Prerelease
Security Incident - AWS S3 Access Key Exposure
2016-12-14 · via Ember.js Blog

– By Tom Dale

On November 29th, 2016, the Ember security team was notified that version 2.11.0-beta.1 of the ember-source npm package inadvertently included a file that contained an AWS access key. This access key had permissions for full read/write access to the Ember S3 buckets.

These buckets are used to distribute pre-built versions of Ember.js and related libraries and host other static content:

  • Ember.js via builds.emberjs.com
  • Ember Data via builds.emberjs.com
  • Backburner.js via builds.emberjs.com
  • Handlebars.js via builds.handlebarsjs.com.s3.amazonaws.com
  • RSVP.js via rsvpjs-builds.s3.amazonaws.com
  • Router.js via routerjs.builds.emberjs.com.s3-website-us-east-1.amazonaws.com
  • Ember guides and API documentation

While the vast majority of Ember users retrieve new releases from Bower or npm, the builds on S3 are frequently used with online tools like JSBin and Ember Twiddle or anywhere it is more convenient to add a <script> tag.

After performing a full audit, we concluded that the key was not accessed during the timeframe of the incident, and there was no evidence of unauthorized activities. Therefore, no action is required on your part. This notice is advisory and contains an incident description as well as our mitigation plans.

Incident Report

At 4:13pm PST on November 29th, version 2.11.0-beta.1 of ember-source was published from the computer of a member of the Ember release team and inadvertently included the AWS access key.

At 9:25pm, a member of the Ember security team was privately notified of the key exposure. We immediately acknowledged the notification and began investigating the issue.

At 9:33pm, we confirmed the key exposure by installing the package from npm and examining its contents. We verified that there were no other Ember-related secrets included in the package other than the AWS access key.

At 10:26pm, we revoked access to the exposed access key. There was a delay between the incident verification and the key revocation because the individuals with administrator access to AWS were not at a computer when the report was received.

Once the access key was revoked, we began to assess if the compromised key had been used by an unauthorized user. Concurrently, we began auditing when the access key was introduced to the ember-source package.

The IAM Access Advisor in AWS indicated that the exposed access key only had permission to access S3 buckets, and that it had not been used in the past 376 days. We also verified that no previous releases contained the access key. This access key had not been used in over a year because we began publishing to S3 from our Continuous Integration server.

Because AWS indicates that the access key has not recently been used, and because it only had access to S3, we concluded that an unauthorized user had not been able to use the key before access was revoked. There was no indication that any files in our S3 buckets had been tampered with.

At this time, we decided against requesting that the affected package be yanked from npm. We know that yanked packages can cause sudden build failures and believed that any security risk had been mitigated by revoking the compromised access key.

We also audited the S3 access logs, which had been previously enabled. These logs did not indicate any unauthorized access. However, the logs themselves were stored in an S3 bucket that the compromised key had access to, so we did not consider them to be as reliable as the key's last accessed date, which an unauthorized user would be unable to alter.

Mitigations

We have implemented or are planning to implement several mitigations to prevent exposures of this kind in the future.

  1. We have begun removing permissions to access S3 from all IAM accounts associated with individual team members.
  2. We no longer grant access to all S3 buckets to any one account.
  3. We are migrating to a CI-deployed system so we will no longer need publish to npm or Bower from an individual's computer. We will have our Continuous Integration system (and only our CI system) publish new releases, as we do with the builds that are uploaded to S3.
  4. We will modify the S3 permissions to be "append only," so our CI system can only upload new objects to S3, not delete or modify existing objects. This would prevent tampering with older releases and limit the extent of an attack if the keys are exposed in the future.
  5. We are examining options for increasing the logging and auditability of our AWS infrastructure, such as enabling CloudTrail.

Conclusion

We take the security of Ember and the applications you build with it very seriously. I sincerely apologize that we let this happen. We will work to improve our release process to prevent similar security lapses from happening in the future.

We are deeply appreciative that this mistake was responsibly disclosed so that we were able to revoke the access key before a malicious attacker took advantage of it.

I would like to extend a personal note of thanks to Marcelo Mira (@marcemira), who noticed the exposure and promptly reported the issue privately. This quick action prevented a bad situation from becoming much worse.

I'd also like to thank Godfrey Chan, who displayed exemplary professionalism, composure and diligence in quickly responding to the report late at night. He is a true asset to the team.

If you discover a security-related issue in Ember, we ask that you follow our disclosure policy.

Additional Reading