Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks

Security researcher Alex Birsan discovered a way to breach tens of organizations through software dependencies, and he earned tens of thousands of dollars in bug bounties from Microsoft, Apple and some of the other affected companies.

Security researcher Alex Birsan discovered a way to breach tens of organizations through software dependencies, and he earned tens of thousands of dollars in bug bounties from Microsoft, Apple and some of the other affected companies.

Organizations leverage software dependencies for various purposes within their environments, but they are not always aware of the risks associated with this practice, especially if they are not able to efficiently keep track of packages that are used from public repositories.

To show the risks associated with using improperly managed public packages, Birsan decided to look for dependencies that known companies use, and show how these dependencies could be abused by threat actors to breach the targeted organizations.

The main issue that he discovered was that, although code used internally within the targeted environments does say which packages to use, it doesn’t always dictate where these packages should be sourced from.

Thus, Birsan came up with the idea of researching for the names of both private and public packages used by the targeted companies, creating his own packages using the same names, and storing these packages on public repositories, in hopes that they would be loaded instead of legitimate packages.

Birsan started with his own “malicious” Node package uploaded to the npm registry, which contained code to fingerprint the system and report back with enough information to allow for the identification of the targeted organization.

Related Reading: PayPal Patches Vulnerability That Exposed User Passwords

“To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, I settled on only logging the username, hostname, and current path of each unique installation. Along with the external IPs, this was just enough data to help security teams identify possibly vulnerable systems based on my reports,” the researcher explains.

With most targets within corporate networks, the researcher leveraged DNS exfiltration as means to ensure that the gathered information is indeed sent back to his server.

Furthermore, to ensure that he could identify as many targets as possible, the researcher ported the code to both Python and Ruby, and uploaded packages to PyPI (Python Package Index) and RubyGems.

During his research, Birsan discovered multiple package names on GitHub and other major package hosting services (including the names of internal packages that were accidentally made public), as well as in posts on internet forums.

“Apparently, it is quite common for internal package.json files, which contain the names of a javascript project’s dependencies, to become embedded into public script files during their build process, exposing internal package names. Similarly, leaked internal paths or require() calls within these files may also contain dependency names,” the researcher notes.

During the second half of 2020, Birsan discovered hundreds of JavaScript package names not claimed on the npm registry, and proceeded to upload his own code to hosting services under all the discovered names.

“One thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds,” Birsan reveals.

More than 35 organizations were found vulnerable to this type of attack – which the researcher called dependency confusion – most of them with over 1,000 employees each. Because JavaScript dependency names were easier to find, most of the callbacks (75%) came from npm packages.

Affected organizations include Shopify, which issued a $30,000 bug bounty for the discovery, Apple, also with a $30,000 reward, PayPal, also with a $30,000 bounty payout, and Microsoft, with a $40,000 reward. Other major companies that were found to be impacted include Netflix, Yelp and Uber.

All of the targeted organizations had provided permissions to have their security tested, either through public bug bounty programs, or through private agreements, the researcher notes.

Related: GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix

Related: GitHub Helps Developers Keep Dependencies Secure via Dependabot

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.