A security researcher has accomplished quite a bit by discovering a simple flaw in the way open source packages are consumed by large companies. According to BleepingComputer, Alex Birsan hacked about 35 organizations, including the giants Apple, Tesla, PayPal, Microsoft, Shopify, Netflix, Yelp and Uber. The most impressive part? Unlike other types of attacks, which rely on social engineering techniques, his approach did not require any slip by employees of the affected companies.
Many companies rely on public package repositories such as PyPI, npm and RubyGems in their corporate workflows, and that is what he used to build the intrusions, since packages fetched from them are automatically distributed into internal applications.
Based on his analysis, the researcher uploaded malicious code; it spread, and the exercise revealed a flaw in the design of open source ecosystems called dependency confusion.
Birsan says that the idea came about when he worked with another specialist, Justin Gardner, who shared with him a manifest file, package.json, from an npm package used by PayPal. When checking the document, he noticed that some of the listed packages did not exist in the public repository and reasoned that they must live in PayPal's private Node.js repository, which raised the question of what would happen if packages with the same names also existed publicly.
So, which one would have priority? His test gave him the answer.
With great powers …
Simply uploading fake packages with the same names to the public repositories was enough for the build processes to be compromised. In some cases, Birsan points out, he only had to give them higher version numbers to achieve what he wanted, nothing more.
Fortunately, in this case, the malware inserted was harmless, since Alex's goal was only to alert the companies. After the intrusions were confirmed, the researcher received more than $130,000 in bug bounty rewards for revealing the flaws, and Apple has already guaranteed that it will add to the award.
“I feel it is important to make it clear that all the organizations targeted during this survey have given permission for security testing, whether through public reward programs or private agreements. Don’t try this type of testing without authorization,” advises Birsan, stressing his intentions.