An exploit let a security researcher run code on the servers of Apple, Microsoft and PayPal

Security researcher Alex Birsan has discovered a security vulnerability that allowed him to run code on the servers of Apple, Microsoft, PayPal and more than thirty other businesses (via Bleeping Computer). The attack is also simple, and many major software companies will have to figure out how to protect themselves.

The exploit relies on a relatively simple trick: getting a public package installed in place of a private one. When companies build software, they often use open-source code written by other people, so they do not spend time and resources solving a problem that has already been solved. For example, I worked on websites that had to convert text files to web pages in real time. Instead of writing code to do it myself, my team found a program that did it and built it into our website.

These publicly available programs are found in repositories such as npm for Node.js, PyPI for Python and RubyGems for Ruby. Birsan found that all three of these repositories could be used to carry out the attack, and he notes that they are not the only ones.

In addition to these public packages, companies will often build their own private packages that they do not upload anywhere public, but instead distribute among their own developers. This is where Birsan found the flaw. He discovered that if he could learn the names of the private packages a company used (a task that in most cases turned out to be very easy), he could upload his own code to one of the public repositories under the same name, and the company's automated build systems would pull his package instead of the private one. Not only would they download his package instead of the correct one, they would also run the code inside it.
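The resolution behaviour that makes this work, as an added simulation that is not code from the article or from Birsan's writeup: an installer that consults both a company's private index and a public registry and simply picks the highest version it finds will prefer an attacker's public upload with an inflated version number. The hardened resolver beside it pins each declared-private name to the private index, and an audit function lists every private name that is already shadowed on the public registry, which is the first check a practitioner would want to run. The index contents, package names and versions are constructed for this demo; the "highest version wins" rule is an assumption about the installer being modelled.

```python
"""Dependency confusion, simulated: naive vs. pinned package resolution.

Added example, not code from the article or from Birsan's writeup. The
indexes below are constructed; "acme-internal-utils" stands in for a
private package whose name leaked, which an attacker then registered on the
public registry with a deliberately huge version number.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # e.g. (1, 4, 2); tuples compare component-wise
    source: str     # "private" or "public"


# Constructed private index (what the company's own registry serves).
PRIVATE_INDEX = {
    "acme-internal-utils": {(1, 4, 2), (1, 4, 1)},
    "acme-auth": {(0, 9, 0)},
}

# Constructed public index: one legitimate package plus the attacker's
# upload that reuses the leaked private name with version 99.0.0.
PUBLIC_INDEX = {
    "acme-internal-utils": {(99, 0, 0)},
    "requests": {(2, 31, 0)},
}

# Names the company declares as private (e.g. from an allow-list file).
DECLARED_PRIVATE = {"acme-internal-utils", "acme-auth"}


def resolve_naive(name, private=PRIVATE_INDEX, public=PUBLIC_INDEX):
    """Vulnerable behaviour (assumed): merge candidates from every index
    and install whichever has the highest version, regardless of origin."""
    cands = [Candidate(name, v, "private") for v in private.get(name, ())]
    cands += [Candidate(name, v, "public") for v in public.get(name, ())]
    if not cands:
        raise LookupError(f"no candidate for {name}")
    return max(cands, key=lambda c: c.version)


def find_shadowed(private=PRIVATE_INDEX, public=PUBLIC_INDEX):
    """Audit: private package names that already exist on the public
    registry. Any hit is either a name collision or an active attack."""
    return set(private) & set(public)


def resolve_pinned(name, declared_private=DECLARED_PRIVATE,
                   private=PRIVATE_INDEX, public=PUBLIC_INDEX):
    """Hardened behaviour: a declared-private name is served only from the
    private index; the public registry is never consulted for it, so a
    higher public version cannot win. Everything else comes from public."""
    if name in declared_private:
        versions = private.get(name)
        if not versions:
            # Fail closed rather than silently falling back to public.
            raise LookupError(f"{name} is declared private but missing "
                              "from the private index")
        return Candidate(name, max(versions), "private")
    versions = public.get(name)
    if not versions:
        raise LookupError(f"no public candidate for {name}")
    return Candidate(name, max(versions), "public")


if __name__ == "__main__":
    for shadowed in sorted(find_shadowed()):
        print(f"WARNING: private name '{shadowed}' exists on public registry")
    for pkg in ("acme-internal-utils", "acme-auth", "requests"):
        print(f"naive  -> {resolve_naive(pkg) if pkg != 'acme-auth' else resolve_naive(pkg)}")
        print(f"pinned -> {resolve_pinned(pkg)}")
```

Running it shows the naive resolver installing `acme-internal-utils` 99.0.0 from the public source, while the pinned resolver installs 1.4.2 from the private index and the audit flags the shadowed name. The important design choice is that the pinned resolver fails closed: if a declared-private package is missing from the private index it raises, instead of quietly falling through to the public registry, which is exactly the fallback the attack exploits.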

To explain it with an example, suppose you had a Word document on your computer, but when you opened it, your computer said, "Hey, there's another Word document on the Internet with the same name. I'd rather open that one." Now imagine that the Word document could then automatically make changes to your computer. This is not a great situation.

It would seem that the companies agree that the problem is serious. In his Medium post, Birsan writes that "the majority of the bug bounties awarded were set at the maximum amount allowed by each program's policy, and sometimes even higher." For those who are unfamiliar, bug bounties are cash rewards that companies pay to people who find serious bugs. The worse the bug, the more money they pay.

According to Birsan, most of the companies he contacted about the exploit were able to quickly patch their systems so that they were no longer vulnerable. Microsoft has even put together a white paper explaining how system administrators can protect their businesses from such attacks, but it's honestly surprising that it took this long for anyone to realize that these massive companies were vulnerable to this type of attack. Fortunately, this is not the type of story that ends with you needing to update every device in your home immediately, but it looks like a long week for the system administrators who now have to change the way their businesses use public code.
