Dependency vulnerability

February 10, 2021.

Why do hackers always wear hoodies? © iStock.

Security researcher Alex Birsan has found a frighteningly easy way to run code on servers owned by 35 large companies. The exploit takes advantage of a relatively simple trick: publishing packages on public repositories under the same names as companies’ private packages. Developers use public packages to import third-party functions into their projects; this publicly available software is hosted on repositories such as npm for JavaScript, PyPI for Python and RubyGems for Ruby. In addition to these public packages, large companies often build their own private packages, which they don’t upload to public repos but instead distribute internally among their own developers.

Alex Birsan discovered that publicly visible code often contained the names of companies’ private packages. He reasoned that if he uploaded his own code under those same names to the public repositories, the companies’ automated build systems would confuse the two and install his code instead. His tests proved him right. According to Alex, “one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds”.

Among the companies that Birsan infiltrated using this technique are Apple, Microsoft, Netflix, PayPal, Shopify, Tesla, Uber and Yelp. On Tuesday, Microsoft released a “white paper” of advice on how to mitigate the risk of such attacks.
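One defender-side check that follows from the mechanism described above is to verify, after dependency resolution, that every package you consider internal was actually fetched from your own registry rather than from the public one. The script below is an added example written for this article; it is not code from Birsan, from Microsoft’s paper or from Spiria. The lockfile contents, the package names (`acme-*`), the registry host `npm.internal.example` and the function name `audit_lockfile` are all constructed assumptions; a real run would read the project’s own `package-lock.json` and the organisation’s list of internal package names.

```python
import json
from urllib.parse import urlparse

# Constructed sample package-lock.json (lockfileVersion 2 layout) for illustration only.
# One internal package has been resolved from the public npm registry, which is the
# symptom of a dependency-confusion substitution.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/acme-billing-core": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/acme-billing-core/-/acme-billing-core-99.0.0.tgz",
        },
        "node_modules/acme-auth": {
            "version": "2.1.0",
            "resolved": "https://npm.internal.example/acme-auth/-/acme-auth-2.1.0.tgz",
        },
    },
})

# Hypothetical list of names that must only ever come from the private registry.
INTERNAL_PACKAGES = {"acme-billing-core", "acme-auth", "acme-logging"}
INTERNAL_REGISTRY_HOST = "npm.internal.example"  # hypothetical private registry


def audit_lockfile(lock_text, internal_packages, internal_host):
    """Return (name, version, host) for every internal package whose resolved
    tarball URL does not point at the private registry host."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the "" key is the root project itself, not a dependency
            continue
        # Nested entries look like node_modules/a/node_modules/b; the package
        # name (possibly scoped, e.g. @acme/x) is whatever follows the last marker.
        name = path.split("node_modules/")[-1]
        if name not in internal_packages:
            continue
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if host != internal_host:
            findings.append((name, meta.get("version"), host or "<unresolved>"))
    return findings


if __name__ == "__main__":
    for name, version, host in audit_lockfile(SAMPLE_LOCK, INTERNAL_PACKAGES, INTERNAL_REGISTRY_HOST):
        print(f"internal package {name}@{version} was resolved from {host}")
```

Running this in CI after `npm install` (or the equivalent check over a Python or Ruby lockfile) turns a silent substitution into a failed build; the same idea applies to any ecosystem where the lockfile records the origin of each artifact.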

The Register, Thomas Claburn, “Apple, Microsoft, PayPal among 35 organizations compromised by evil twin dependencies attack.”

The Verge, Mitchell Clark, “Security researcher finds a way to run code on Apple, PayPal, and Microsoft’s systems.”