Have you ever used Jupyter Notebook for coding or data work? It's extremely useful, but there is a downside: if you set up Jupyter incorrectly, a hacker can get root access and complete control of your computer. This sounds insane, right? I read about it recently, and it's a good reminder for anyone running Jupyter on a server or VPS.
What’s Really Going On
The problem is not in Jupyter's code; it is in how people set it up. Most people run Jupyter in default mode, without a password or token for login, and sometimes even as the root user. Here is why that is dangerous:
- A terminal is available in Jupyter, which lets you run shell commands.
- If Jupyter is run as the root user and you have not configured any login credentials, then anyone who discovers your Jupyter instance can open a terminal and run root commands.
- This gives the attacker complete access to your entire system, not just the notebook.
Why It Matters
I have seen this first-hand: people often run Jupyter for personal projects and leave it open. But it doesn't matter if it's a "dev" context; an attacker can:
- Steal your files and your data.
- Install malware or ransomware, including crypto-miners.
- Compromise the full system with root access.
Fixing It
Don't worry: staying safe is very simple as long as you take these steps:
- Do not run Jupyter as root.
- Set up a password or token for login.
- If you do not need to use the terminal feature, disable it.
- Use a tool like JupyterHub if you have multiple users needing access.
- Look at all your logs for odd or strange behavior.
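As an added example (not code from the original post or from the Jupyter project), the script below audits a Jupyter config file for the three risky settings listed above. It assumes the standard Jupyter Server option names `token`, `password`, `allow_root` and `terminals_enabled` under `ServerApp` or `NotebookApp`, which the post does not name; the finding labels and sample configs are constructed for illustration.

```python
import os

class _Section:
    """Stand-in for Jupyter's config object: records c.App.option = value."""
    def __init__(self):
        object.__setattr__(self, "values", {})
    def __getattr__(self, name):            # c.ServerApp -> nested section
        return self.values.setdefault(name, _Section())
    def __setattr__(self, name, value):     # c.ServerApp.token = "" -> recorded
        self.values[name] = value

def audit(config_text, euid):
    """Return findings for a jupyter_server_config.py-style file.

    The file is executed the same way Jupyter would load it, so only audit
    configs you would already let Jupyter run."""
    c = _Section()
    exec(config_text, {"c": c, "get_config": lambda: c})
    opts = {}
    for app in ("NotebookApp", "ServerApp"):   # classic and current class names
        section = c.values.get(app)
        if isinstance(section, _Section):
            opts.update(section.values)
    findings = []
    # An explicitly empty token with no password turns login off entirely.
    if opts.get("token") == "" and not opts.get("password"):
        findings.append("no-login-credential")
    if euid == 0 or opts.get("allow_root") is True:
        findings.append("runs-or-may-run-as-root")
    # The terminal is on unless terminals_enabled is set to False.
    if opts.get("terminals_enabled", True):
        findings.append("terminal-enabled")
    return findings

# Constructed sample configs (not taken from any real system).
WEAK = """
c = get_config()
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_root = True
"""
HARDENED = """
c = get_config()
c.ServerApp.password = 'argon2:CONSTRUCTED-PLACEHOLDER-HASH'
c.ServerApp.allow_root = False
c.ServerApp.terminals_enabled = False
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text, os.geteuid()))
```

Pass the effective UID of the account that actually starts Jupyter, since a clean config file still leaves the terminal with root privileges when the process itself runs as root.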