Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Software Dependencies Exposed Microsoft, Apple to High-Impact Attacks

Security researcher Alex Birsan discovered a way to breach tens of organizations through software dependencies, and he earned tens of thousands of dollars in bug bounties from Microsoft, Apple and some of the other affected companies.

Security researcher Alex Birsan discovered a way to breach tens of organizations through software dependencies, and he earned tens of thousands of dollars in bug bounties from Microsoft, Apple and some of the other affected companies.

Organizations leverage software dependencies for various purposes within their environments, but they are not always aware of the risks associated with this practice, especially if they are not able to efficiently keep track of packages that are used from public repositories.

To show the risks associated with using improperly managed public packages, Birsan decided to look for dependencies that known companies use, and show how these dependencies could be abused by threat actors to breach the targeted organizations.

The main issue that he discovered was that, although code used internally within the targeted environments does say which packages to use, it doesn’t always dictate where these packages should be sourced from.

Thus, Birsan came up with the idea of researching for the names of both private and public packages used by the targeted companies, creating his own packages using the same names, and storing these packages on public repositories, in hopes that they would be loaded instead of legitimate packages.

Birsan started with his own “malicious” Node package uploaded to the npm registry, which contained code to fingerprint the system and report back with enough information to allow for the identification of the targeted organization.

Related Reading: PayPal Patches Vulnerability That Exposed User Passwords

“To strike a balance between the ability to identify an organization based on the data, and the need to avoid collecting too much sensitive information, I settled on only logging the username, hostname, and current path of each unique installation. Along with the external IPs, this was just enough data to help security teams identify possibly vulnerable systems based on my reports,” the researcher explains.

Advertisement. Scroll to continue reading.

With most targets within corporate networks, the researcher leveraged DNS exfiltration as means to ensure that the gathered information is indeed sent back to his server.

Furthermore, to ensure that he could identify as many targets as possible, the researcher ported the code to both Python and Ruby, and uploaded packages to PyPI (Python Package Index) and RubyGems.

During his research, Birsan discovered multiple package names on GitHub and other major package hosting services (including the names of internal packages that were accidentally made public), as well as in posts on internet forums.

“Apparently, it is quite common for internal package.json files, which contain the names of a javascript project’s dependencies, to become embedded into public script files during their build process, exposing internal package names. Similarly, leaked internal paths or require() calls within these files may also contain dependency names,” the researcher notes.

During the second half of 2020, Birsan discovered hundreds of JavaScript package names not claimed on the npm registry, and proceeded to upload his own code to hosting services under all the discovered names.

“One thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds,” Birsan reveals.

More than 35 organizations were found vulnerable to this type of attack – which the researcher called dependency confusion – most of them with over 1,000 employees each. Because JavaScript dependency names were easier to find, most of the callbacks (75%) came from npm packages.

Affected organizations include Shopify, which issued a $30,000 bug bounty for the discovery, Apple, also with a $30,000 reward, PayPal, also with a $30,000 bounty payout, and Microsoft, with a $40,000 reward. Other major companies that were found to be impacted include Netflix, Yelp and Uber.

All of the targeted organizations had provided permissions to have their security tested, either through public bug bounty programs, or through private agreements, the researcher notes.

Related: GitHub Says Vulnerabilities in Some Ecosystems Take Years to Fix

Related: GitHub Helps Developers Keep Dependencies Secure via Dependabot

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

Robert Shaker II has joined application security firm ActiveState as Chief Product and Technology Officer.

MorganFranklin Cyber has promoted Nick Stallone and Ferdinand Hamada into newly created roles.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.