Internet related News · 2021-02-11

Here’s how one man hacked into Apple, Microsoft & other tech majors systems – News


Researcher Alex Birsan managed to breach the internal IT systems of at least 35 companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, & Uber.

Writing about his experience on Medium, Alex dubbed his software supply chain attack “novel”. What Alex did was to upload malicious packages to open source repositories including PyPI, npm, & RubyGems, which were then pulled downstream automatically into the companies’ internal applications.

Here’s what Alex writes:

From one-off mistakes made by developers on their own machines, to misconfigured internal or Cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds.

This type of vulnerability, which I have started calling dependency confusion, was detected inside more than 35 organizations to date, across all three tested programming languages. The vast majority of the affected companies fall into the 1000+ employees category, which most likely reflects the higher prevalence of internal library usage within larger organizations.

Due to JavaScript dependency names being easier to find, almost 75% of all the logged callbacks came from npm packages — but this does not necessarily mean that Python and Ruby are less susceptible to the attack. In fact, despite only being able to identify internal Ruby gem names belonging to eight organizations during my searches, four of these companies turned out to be vulnerable to dependency confusion through RubyGems.

Another $30,000 reward came from Apple, after the code in a Node package which I uploaded to npm in August of 2020 was executed on multiple machines inside its network. The affected projects appeared to be related to Apple’s authentication system, externally known as Apple ID.

When I brought up the idea that this bug may have allowed a threat actor to inject backdoors into Apple ID, Apple did not consider that this level of impact accurately represented the issue and stated:

Achieving a backdoor in an operational service requires a more complex sequence of events, and is a very specific term that carries additional connotations.

However, Apple did confirm that remote code execution on Apple servers would have been achievable by using this npm package technique. Based on the flow of package installs, the issue was fixed within two weeks of my report, but the bug bounty was only awarded less than a day prior to publishing this post.
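As an added example (not from this article or from Birsan’s write-up), here is a check a defender can run over an npm package-lock.json to catch the condition the quote describes: an internal package name that the build resolved from the public registry instead of the internal one. The package names, lockfile contents and internal registry host below are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfile (lockfileVersion 2 "packages" map).
# "acme-auth-client" is an internal-only name; a resolved URL on
# registry.npmjs.org with a suspiciously high version is the dependency
# confusion signature. "acme-logging" resolves correctly from the internal host.
SAMPLE_LOCK = json.dumps({
    "name": "acme-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "acme-app", "version": "1.0.0"},
        "node_modules/acme-auth-client": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/acme-auth-client/-/acme-auth-client-99.0.0.tgz",
        },
        "node_modules/acme-logging": {
            "version": "1.4.2",
            "resolved": "https://npm.internal.example/acme-logging/-/acme-logging-1.4.2.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
})

INTERNAL_PACKAGES = {"acme-auth-client", "acme-logging"}   # constructed
INTERNAL_REGISTRY_HOSTS = {"npm.internal.example"}         # constructed


def audit_lockfile(lock_json, internal_names, internal_hosts):
    """Return (name, version, host) for every internal package whose
    lockfile entry resolved from a host that is not an internal registry."""
    lock = json.loads(lock_json)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:          # the root project entry has an empty key
            continue
        # Works for nested node_modules and scoped names (@scope/pkg).
        name = path.rsplit("node_modules/", 1)[-1]
        if name not in internal_names:
            continue
        host = urlparse(entry.get("resolved", "")).hostname or ""
        if host not in internal_hosts:
            findings.append((name, entry.get("version"), host))
    return findings


if __name__ == "__main__":
    for name, version, host in audit_lockfile(SAMPLE_LOCK, INTERNAL_PACKAGES, INTERNAL_REGISTRY_HOSTS):
        print(f"internal package {name}@{version} resolved from {host or '<missing>'!r}")
```

A lockfile entry with no `resolved` URL at all is reported too, since the source of that package cannot be verified.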

For more on this, click here.
