The key revocation addresses a serious vulnerability in Rust's package system arising from two factors. First, Rust developers learned that the PostgreSQL random function the project used to generate API keys or tokens for crates.io was not a "cryptographically secure" random-number generator.
"In theory, an attacker could observe enough random values to determine the internal state of the random-number generator, and use this information to determine previously created API keys up to the last database server reboot," it states.
API keys are used by computers to authenticate a user or machine and control what access rights they have.
Second, the Rust project discovered that the API keys for the packages were being stored in plain text. If attackers breached the database, they would have API access for all current tokens.
The Rust project has now rolled out a cryptographically secure random-number generator and implemented a hashing function for storing tokens in the database.
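The two fixes described above, as an added illustration that is not crates.io's own code: tokens come from the operating system's CSPRNG rather than a statistical PRNG, and only a digest is written to the (here, in-memory, constructed) token table, so a database dump does not reveal usable tokens.

```python
import hashlib
import secrets

TOKEN_BYTES = 32  # 256 bits of entropy per token


def hash_token(token: str) -> str:
    """Digest stored at rest; the database never sees the plaintext token.

    An unsalted fast hash is adequate here (unlike for passwords) because the
    token itself is 256 bits of CSPRNG output, so brute-forcing the digest is
    infeasible and no two tokens collide in practice.
    """
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_token(store: dict, owner: str) -> str:
    """Create a token for `owner`, persist only its digest, return the plaintext once."""
    # secrets draws from the OS CSPRNG. A seeded statistical generator such as
    # PostgreSQL's random() leaks its internal state through its outputs, which
    # is the first of the two issues in the advisory.
    token = secrets.token_urlsafe(TOKEN_BYTES)
    store[hash_token(token)] = owner  # plaintext is never stored (second issue)
    return token


def verify_token(store: dict, presented: str):
    """Return the owner for a valid token, or None if unknown."""
    return store.get(hash_token(presented))


def dump_contains_token(store: dict, tokens) -> bool:
    """Simulate a leaked table dump and check whether any issued token appears verbatim."""
    dump = "\n".join(f"{digest},{owner}" for digest, owner in store.items())
    return any(tok in dump for tok in tokens)


if __name__ == "__main__":
    table = {}  # constructed stand-in for the api_tokens table
    tok = issue_token(table, "alice")
    print("valid:", verify_token(table, tok))
    print("dump exposes token:", dump_contains_token(table, [tok]))
```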
"Exploiting either issue would be incredibly impractical in practice, and we've found no evidence of this being exploited in the wild. However, out of an abundance of caution, we've opted to revoke all existing API keys," it says in the advisory.
Developers who have published crates packages can generate a new API key at the crates.io website.
The crates.io site indicates that there are over 43,000 crates that have been downloaded collectively over three billion times. Crates are a key part of the Rust programming language. Deno, the possible successor to Node.js, was written in Rust and is considered a collection of crates rather than a monolithic program.
The Rust project appears to have acted swiftly on the vulnerability report it received on July 11. The issue was fixed and tokens revoked along with a disclosure notice on July 14.