A security researcher has found a clever way to hack Apple, Tesla and more than 30 other large companies using a novel attack on the open source software supply chain.
Microsoft, PayPal, Shopify, Netflix, Yelp and Uber were among the other companies whose internal systems were breached in proof of concept …
The inventive approach exploited the fact that many major companies' systems pull open source software from public repositories. Bleeping Computer explains:
The attack consisted of sending malware to open source repositories, including PyPI, npm and RubyGems, which was then automatically distributed to the companies' internal applications.
Unlike traditional typosquatting attacks that rely on social engineering tactics or on the victim misspelling the name of a package, this particular supply chain attack is more sophisticated because it required no action by the victim, who automatically received the malicious packages. This is because the attack leveraged a design flaw unique to open source ecosystems called dependency confusion […]
Last year, security researcher Alex Birsan had an idea while working with fellow researcher Justin Gardner. Gardner shared with Birsan a manifest file, package.json, from an npm package used internally by PayPal.
Birsan realized that some of the packages listed in the manifest file were not present in the public npm repository; instead, they were npm packages created privately by PayPal and used and stored internally by the company.
Seeing this, the researcher asked himself: if a package with the same name existed in the public npm repository as well as in a private NodeJS repository, which one would take priority?
He soon found the answer: public packages took priority, so simply uploading fake packages with the same names caused them to be downloaded automatically. In some cases, he had to use higher version numbers to trigger a download.
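The resolution behaviour described above, as an added JavaScript illustration that is not code from the article or from Birsan's research: registry contents, the package name acme-internal-utils and the sample manifest are all constructed, and the resolvers are simplified models rather than npm's own logic.

```javascript
// Added example, not from the article: registries, names and manifest are constructed.
// Compare dotted numeric versions: returns >0 if a is newer than b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Constructed registries: the private one holds the real internal package,
// the public one holds a same-named package with a higher version.
const REGISTRIES = {
  private: { "acme-internal-utils": ["1.2.0"] },
  public: { "acme-internal-utils": ["99.0.0"], "left-pad": ["1.3.0"] },
};

// Naive resolver: consults every registry and takes the highest version.
// This is the flaw the article describes; the public package wins.
function resolveNaive(name, registries = REGISTRIES) {
  const candidates = [];
  for (const [source, pkgs] of Object.entries(registries)) {
    for (const version of pkgs[name] || []) candidates.push({ source, version });
  }
  candidates.sort((x, y) => compareVersions(y.version, x.version));
  return candidates[0] || null;
}

// Hardened resolver: names known to be internal are only taken from the
// private registry, whatever version a public registry advertises.
function resolveHardened(name, internalNames, registries = REGISTRIES) {
  const sources = internalNames.has(name) ? ["private"] : Object.keys(registries);
  const scoped = Object.fromEntries(sources.map((s) => [s, registries[s] || {}]));
  return resolveNaive(name, scoped);
}

// Audit a manifest: report internal dependency names that the naive resolver
// would fetch from a public source (the dependency-confusion condition).
function auditManifest(manifest, internalNames, registries = REGISTRIES) {
  return Object.keys(manifest.dependencies || {}).filter((name) => {
    const pick = resolveNaive(name, registries);
    return internalNames.has(name) && pick !== null && pick.source !== "private";
  });
}

// Constructed manifest, modelled on the package.json the article mentions.
const SAMPLE_MANIFEST = { dependencies: { "acme-internal-utils": "^1.0.0", "left-pad": "^1.0.0" } };
const INTERNAL_NAMES = new Set(["acme-internal-utils"]);
```

Running auditManifest over a real manifest with the organisation's list of internal package names is the check a defender would want; the hardened resolver shows the pinning-to-private-registry behaviour that closes the gap.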
The full article is worth reading; it explains how Birsan was able to prove that the packages were installed without triggering any alerts.
Of course, the fake packages were harmless, and Birsan alerted the companies as soon as he obtained confirmation of a successful infiltration. He received more than $130,000 in bug bounties, with Apple confirming that he will be rewarded for them.