A security researcher has found a clever way to hack Apple, Tesla and more than thirty other big companies using a novel attack on the open-source software they depend on.
Microsoft, PayPal, Shopify, Netflix, Yelp and Uber were among the other companies whose internal systems were breached in the proof of concept …
The approach takes advantage of the fact that many large companies build their internal systems from packages hosted in public open-source repositories. Bleeping Computer explains:
The attack consists of uploading malware to open source repositories, including PyPI, npm and RubyGems, which is then automatically distributed downstream into the enterprise's internal applications.
Unlike traditional typosquatting attacks that depend on social engineering or on the victim misspelling a package name, this supply-chain attack is more sophisticated because the victim, who automatically received the malicious packages, did not need to take any action. This is because the attack took advantage of a unique design flaw in the open source ecosystems called dependency confusion […]
Last year, security researcher Alex Birsan came up with an idea while working with another researcher, Justin Gardner. Gardner shared with Birsan a manifest file, package.json, from an npm package used internally by PayPal.
Birsan noted that some of the packages in the manifest file were not in the public npm repository, but were instead PayPal's privately created npm packages, used and stored internally by the company.
Seeing this, the researcher wondered: if a package with the same name existed in both the public npm repository and a private NodeJS repository, which one would take precedence?
He quickly found the answer: the public packages were preferred, and simply uploading fake ones with the same names resulted in them being downloaded automatically. In some cases, he had to use higher version numbers to trigger a download.
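To make the precedence problem concrete, here is an added example that is not from the article or from Birsan's write-up. It models, in a deliberately simplified way, a resolver that consults both a private and a public registry and keeps the highest version that matches the manifest's range, which is the behaviour that lets an attacker's higher-numbered public upload win. The manifest, the registry contents, the package names (acme-auth-client, acme-metrics) and the internal-package list are all constructed for the example; real npm and pip behaviour depends on how the client and registries are configured.

```python
"""
Simplified model of dependency confusion.

A resolver that merges candidates from a private and a public registry and
keeps the highest matching version will pick an attacker's public upload
whenever it carries a higher version than the internal package.
Everything below (manifest, registries, package names) is constructed sample data.
"""
import json

# Constructed stand-in for an internal package.json
MANIFEST = json.dumps({
    "name": "internal-app",
    "dependencies": {
        "lodash": "^4.17.0",           # genuinely public
        "acme-auth-client": "^1.2.0",  # private, only in the internal registry
        "acme-metrics": "*",           # private and unpinned
    },
})

# Constructed registries: package name -> published versions
PRIVATE_REGISTRY = {
    "acme-auth-client": ["1.2.0", "1.2.3"],
    "acme-metrics": ["0.4.0"],
}
PUBLIC_REGISTRY = {
    "lodash": ["4.17.20", "4.17.21"],
    # Attacker-published packages reusing the internal names with higher versions
    "acme-auth-client": ["1.99.0"],
    "acme-metrics": ["99.0.0"],
}

# Names the hardened resolver will only ever fetch from the private registry
INTERNAL_PACKAGES = {"acme-auth-client", "acme-metrics"}


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def satisfies(version, spec):
    """Minimal range check: '*', an exact 'x.y.z', or a caret range '^x.y.z'."""
    if spec == "*":
        return True
    ver = parse_version(version)
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        if ver < base:
            return False
        # ^1.2.0 allows any 1.x.y; ^0.4.0 only allows 0.4.y
        return ver[0] == base[0] and (base[0] != 0 or ver[1] == base[1])
    return ver == parse_version(spec)


def pick_highest(name, spec, registries):
    """Return (version, registry) of the highest match across the given registries."""
    candidates = [
        (parse_version(v), v, source)
        for source, registry in registries
        for v in registry.get(name, [])
        if satisfies(v, spec)
    ]
    if not candidates:
        raise LookupError(f"no version of {name} satisfies {spec}")
    _, version, source = max(candidates)
    return version, source


def resolve_naive(manifest_json):
    """Flawed behaviour: both registries are searched and the highest version wins."""
    deps = json.loads(manifest_json)["dependencies"]
    registries = [("private", PRIVATE_REGISTRY), ("public", PUBLIC_REGISTRY)]
    return {name: pick_highest(name, spec, registries) for name, spec in deps.items()}


def resolve_hardened(manifest_json, internal=INTERNAL_PACKAGES):
    """Each name is bound to exactly one registry, so a public upload cannot shadow it."""
    deps = json.loads(manifest_json)["dependencies"]
    resolved = {}
    for name, spec in deps.items():
        if name in internal:
            registries = [("private", PRIVATE_REGISTRY)]
        else:
            registries = [("public", PUBLIC_REGISTRY)]
        resolved[name] = pick_highest(name, spec, registries)
    return resolved


def hijacked(manifest_json):
    """Audit: names whose naive and hardened resolutions disagree."""
    naive = resolve_naive(manifest_json)
    safe = resolve_hardened(manifest_json)
    return sorted(name for name in naive if naive[name] != safe[name])


if __name__ == "__main__":
    print("naive:   ", resolve_naive(MANIFEST))
    print("hardened:", resolve_hardened(MANIFEST))
    print("hijacked:", hijacked(MANIFEST))
```

Run as-is, the naive resolver pulls acme-auth-client 1.99.0 and acme-metrics 99.0.0 from the public registry, while the hardened resolver keeps 1.2.3 and 0.4.0 from the private one; the audit lists both internal names as hijacked. The practical lesson is the same one the research points at: a client should not be allowed to look up an internal name on a public registry at all, which in practice means binding internal names (or scopes) to the private registry and keeping that list under review.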
The full write-up is worth reading; it explains how Birsan was able to prove that the packages were installed without triggering any warnings.
Of course, the fake packages were harmless, and Birsan notified the companies as soon as he achieved a successful infiltration. He has received more than $130,000 in bounties, and Apple has confirmed that he will be rewarded for it.