Rust programming language: Crates package API tokens revoked over serious security flaw

Rust's crates package API keys were not randomly generated and were being stored in plain text.
Written by Liam Tung, Contributing Writer

The project behind popular programming language Rust has revoked all API keys from its crates.io package web app. 

The key revocation addresses a serious vulnerability in Rust's package system that stems from two factors. First, Rust developers learned that the PostgreSQL random function used to generate API keys (tokens) for crates.io was not a cryptographically secure random-number generator.

"In theory, an attacker could observe enough random values to determine the internal state of the random-number generator, and use this information to determine previously created API keys up to the last database server reboot," it states. 


API keys are used by computers to authenticate a user or machine and control what access rights they have. 

Second, the Rust project discovered that the API keys for the packages were being stored in plain text. If attackers breached the database, they would gain API access for all current tokens.

The Rust project has now rolled out a cryptographically secure random-number generator and implemented a hashing function for storing tokens in the database. 
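The two fixes described above, as an added example that is not crates.io's own code: tokens come from the operating system's CSPRNG and only a hash of each token is written to the store, so a database dump yields no usable credentials. The in-memory store and the choice of SHA-256 are assumptions for illustration; the advisory does not say which hash function crates.io adopted.

```python
import hashlib
import secrets
from typing import Dict, Optional


def hash_token(token: str) -> str:
    """Hash an API token for storage; the plaintext is never written to the store.

    A fast hash is appropriate here (unlike for passwords) because the token
    already carries 256 bits of entropy, so brute-forcing the hash is infeasible.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Stand-in for the database table holding API tokens (constructed for this example)."""

    def __init__(self) -> None:
        # Maps token hash -> user id. Only hashes are stored, never the token itself.
        self._by_hash: Dict[str, str] = {}

    def issue(self, user_id: str) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG, so previously observed
        # tokens reveal nothing about the generator's state or about other tokens.
        token = secrets.token_urlsafe(32)  # 32 random bytes -> 43-char URL-safe string
        self._by_hash[hash_token(token)] = user_id
        # The plaintext is returned to the caller exactly once, at creation time.
        return token

    def authenticate(self, token: str) -> Optional[str]:
        # Hash the presented token and look it up; the store never sees plaintext.
        return self._by_hash.get(hash_token(token))

    def revoke_all(self) -> int:
        # Mirrors the incident response: invalidate every existing token so
        # users must generate new ones.
        count = len(self._by_hash)
        self._by_hash.clear()
        return count

    def holds_plaintext(self, token: str) -> bool:
        # Sanity check a reviewer might add: the raw token must not appear anywhere.
        return token in self._by_hash or token in self._by_hash.values()


if __name__ == "__main__":
    store = TokenStore()
    issued = store.issue("alice")
    print("authenticates as:", store.authenticate(issued))
    print("plaintext stored?", store.holds_plaintext(issued))
    print("revoked:", store.revoke_all())
```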

"Exploiting either issue would be incredibly impractical in practice, and we've found no evidence of this being exploited in the wild. However, out of an abundance of caution, we've opted to revoke all existing API keys," it says in the advisory. 

Developers who have published crates packages can generate a new API key at the crates.io website.


The crates.io site indicates that there are over 43,000 crates that have been downloaded collectively over three billion times. Crates are a key part of the Rust programming language. Deno, the possible successor to Node.js, was written in Rust and is considered a collection of crates rather than a monolithic program.  

The Rust project appears to have acted swiftly on the vulnerability report it received on July 11. The issue was fixed and tokens revoked along with a disclosure notice on July 14.  
