Security researcher Alex Birsan found a vulnerability that allowed him to run code on servers owned by Apple, Microsoft, PayPal and more than 30 other companies (via BleepingComputer). The attack, which Birsan calls dependency confusion, is also painfully simple, and it is something many large software developers will now have to work out how to protect themselves from.
The attack relies on a relatively simple trick: getting a public package substituted for a private one. When companies build software, they often reuse open source code written by others rather than spend time and money solving a problem that has already been solved. For example, I worked on websites that had to convert text files to web pages in real time. Instead of writing code to do it ourselves, my team found a program that did this and incorporated it into our website.
These public packages live in registries such as npm for Node.js, PyPI for Python and RubyGems for Ruby. Birsan demonstrated the attack against these three, but it is not limited to them: any package manager that can pull from both a public and a private source is potentially exposed.
Alongside these public packages, companies often create their own private packages, which they never publish but instead host on an internal registry for their own developers. This is where Birsan found the flaw. If he could learn the names of a company's private packages (which turned out to be very easy in most cases), he could publish his own package under the same name to a public registry, and the company's automated build systems would pull his package instead of the internal one. That happens because a package manager configured with several registries typically looks the name up in all of them and prefers the highest version number it finds, and the public copy carried a far higher version than the real one. The systems did not just download the wrong package; installing it also executed the code inside it, since package managers run install-time scripts by default.
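To make the mechanism concrete, here is an added example in Python, written for this article and not code from Birsan's research or from any real package manager. It simulates a resolver that consults a private and a public registry, shows why the naive "highest version wins" rule picks the attacker's copy, and shows the fix of pinning every name the organisation owns to the private registry. The package names, versions and registry contents are constructed, and the audit helper at the end is the check a practitioner would run against their own list of internal package names.

```python
# Added example, not from the article or from Birsan's write-up.
# All package names, versions and registry contents below are constructed.
from typing import Dict, List, Optional, Set, Tuple

# registry -> package name -> available versions
Registry = Dict[str, List[str]]

# The organisation's internal registry (constructed).
PRIVATE_REGISTRY: Registry = {
    "acme-internal-utils": ["1.4.2", "1.4.1"],
    "acme-billing-client": ["0.9.0"],
}

# The public registry, where an attacker has published a package reusing one
# of the private names with a very high version number (constructed).
PUBLIC_REGISTRY: Registry = {
    "requests": ["2.31.0", "2.30.0"],
    "acme-internal-utils": ["99.0.0"],
}

REGISTRIES: Dict[str, Registry] = {"private": PRIVATE_REGISTRY, "public": PUBLIC_REGISTRY}
PRIVATE_NAMES: Set[str] = set(PRIVATE_REGISTRY)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def resolve_naive(name: str, registries: Dict[str, Registry]) -> Optional[Tuple[str, str]]:
    """Vulnerable resolution: merge the candidates from every configured registry
    and take the highest version, no matter which registry it came from.
    Returns (version, registry_name) or None if nobody has the package."""
    candidates = []
    for reg_name, reg in registries.items():
        for v in reg.get(name, []):
            candidates.append((parse_version(v), v, reg_name))
    if not candidates:
        return None
    _, version, reg_name = max(candidates, key=lambda c: c[0])
    return version, reg_name


def resolve_pinned(name: str, registries: Dict[str, Registry],
                   private_names: Set[str]) -> Optional[Tuple[str, str]]:
    """Hardened resolution: a name the organisation owns is only ever looked up in
    the private registry, and everything else only in the public one. A private
    name missing from the private registry fails rather than falling back to
    the public registry, which is exactly the fallback the attack needs."""
    reg_name = "private" if name in private_names else "public"
    versions = registries[reg_name].get(name, [])
    if not versions:
        return None
    return max(versions, key=parse_version), reg_name


def audit_private_names(private_names: Set[str], public_registry: Registry) -> Dict[str, List[str]]:
    """Exposure check: which internal names already exist on the public registry
    (someone else may own them) and which are still free for anyone to claim."""
    taken = sorted(n for n in private_names if n in public_registry)
    free = sorted(n for n in private_names if n not in public_registry)
    return {"taken_publicly": taken, "unclaimed_publicly": free}


if __name__ == "__main__":
    for pkg in ("acme-internal-utils", "acme-billing-client", "requests"):
        print(pkg, "naive ->", resolve_naive(pkg, REGISTRIES),
              "pinned ->", resolve_pinned(pkg, REGISTRIES, PRIVATE_NAMES))
    print(audit_private_names(PRIVATE_NAMES, PUBLIC_REGISTRY))
```

In real package managers the pinning is configuration rather than code: for npm, mapping a scope such as `@acme` to the private registry in `.npmrc`, and for pip, pointing `index-url` at a single private index that proxies the public one instead of adding the public registry through `extra-index-url`. Registering your own internal names on the public registries so nobody else can is a useful stopgap, but it does not fix a resolver that still prefers whichever registry offers the higher version.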
To put it in everyday terms, imagine you have a Word document on your computer, but when you open it, your computer says: "Hey, there is another Word document on the internet with the same name. I'm going to open that one instead." Now imagine that the Word document could automatically make changes to your computer. It is not a good situation.
The companies evidently agreed that the problem was serious. In his write-up on Medium, Birsan wrote that "most of the bug bounties awarded were set at the maximum amount allowed by each program's policy, and sometimes even higher". For those unfamiliar, bug bounties are cash rewards that companies pay to people who find and report serious bugs in their systems; the more serious the bug, the more they pay.
According to Birsan, most of the companies he contacted were able to patch their systems quickly so that they were no longer vulnerable. Microsoft even produced a white paper explaining how administrators can protect their organisations from this kind of attack, though it is frankly surprising that it took this long for someone to discover that such huge companies were exposed to it. Fortunately, this is not the kind of story that ends with you having to rush out and update every device in your home, but it looks like a long week ahead for the administrators who now have to change how their companies consume public code.