Security researcher Alex Birsan discovered a way to breach tens of organizations through software dependencies, and he earned tens of thousands of dollars in bug bounties from Microsoft, Apple and some of the other affected companies.
Organizations leverage software dependencies for various purposes within their environments, but they are not always aware of the risks associated with this practice, especially if they are not able to efficiently keep track of packages that are used from public repositories.
To show the risks associated with using improperly managed public packages, Birsan decided to look for dependencies that known companies use, and show how these dependencies could be abused by threat actors to breach the targeted organizations.
The main issue that he discovered was that, although code used internally within the targeted environments does say which packages to use, it doesn’t always dictate where these packages should be sourced from.
Thus, Birsan came up with the idea of researching for the names of both private and public packages used by the targeted companies, creating his own packages using the same names, and storing these packages on public repositories, in hopes that they would be loaded instead of legitimate packages.
Birsan started with his own “malicious” Node package uploaded to the npm registry, which contained code to fingerprint the system and report back with enough information to allow for the identification of the targeted organization.
Related Reading: PayPal Patches Vulnerability That Exposed User Passwords
“To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, I settled on only logging the username, hostname, and current path of each unique installation. Along with the external IPs, this was just enough data to help security teams identify possibly vulnerable systems based on my reports,” the researcher explains.
With most targets within corporate networks, the researcher leveraged DNS exfiltration as means to ensure that the gathered information is indeed sent back to his server.
Furthermore, to ensure that he could identify as many targets as possible, the researcher ported the code to both Python and Ruby, and uploaded packages to PyPI (Python Package Index) and RubyGems.
During his research, Birsan discovered multiple package names on GitHub and other major package hosting services (including the names of internal packages that were accidentally made public), as well as in posts on internet forums.
“Apparently, it is quite common for internal package.json files, which contain the names of a javascript project’s dependencies, to become embedded into public script files during their build process, exposing internal package names. Similarly, leaked internal paths or require() calls within these files may also contain dependency names,” the researcher notes.
During the second half of 2020, Birsan discovered hundreds of JavaScript package names not claimed on the npm registry, and proceeded to upload his own code to hosting services under all the discovered names.
“One thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds,” Birsan reveals.
More than 35 organizations were found vulnerable to this type of attack – which the researcher called dependency confusion – most of them with over 1,000 employees each. Because JavaScript dependency names were easier to find, most of the callbacks (75%) came from npm packages.
Affected organizations include Shopify, which issued a $30,000 bug bounty for the discovery, Apple, also with a $30,000 reward, PayPal, also with a $30,000 bounty payout, and Microsoft, with a $40,000 reward. Other major companies that were found to be impacted include Netflix, Yelp and Uber.
All of the targeted organizations had provided permissions to have their security tested, either through public bug bounty programs, or through private agreements, the researcher notes.
Related: GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix
Related: GitHub Helps Developers Keep Dependencies Secure via Dependabot
