Apple hacked by security researcher in clever open source attack




A security researcher has found a smart way to hack Apple, Tesla, and more than 30 other big companies using a new open source software approach.

Microsoft, PayPal, Shopify, Netflix, Yelp and Uber were among the other companies that found their internal systems breached in the proof of concept …

The imaginative approach exploited the fact that the build systems of many large companies automatically pull open source software from public repositories. BleepingComputer explains:

The attack included downloading malware into open source repositories, including PyPI, npm, and RubyGems, which were then automatically distributed downstream into the companies’ internal applications.

Unlike traditional typosquatting attacks, which rely on social engineering tactics or on the victim misspelling a package name, this particular supply chain attack is more sophisticated because it did not require any victim action; the victims automatically received the malicious packages. Indeed, the attack exploited a unique design flaw in open source ecosystems called dependency confusion. […]

Last year, security researcher Alex Birsan had an idea while working with fellow researcher Justin Gardner. Gardner had shared with Birsan a manifest file, package.json, from an npm package used internally by PayPal.

Birsan noticed that some of the packages listed in the manifest file were not present on the public npm registry; they were instead npm packages created privately by PayPal, used and stored internally by the company.

Seeing this, the researcher wondered: if a package of the same name existed in the public npm registry as well as in a private NodeJS repository, which one would take priority?

He quickly found the answer: public packages took priority, so simply uploading fake packages with the same names led to their being downloaded automatically. In some cases, he had to publish them with higher version numbers to trigger a download.
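The precedence rule described above, as an added example that is not part of the original article or of Birsan's research: a small model of a dependency resolver that merges a private and a public registry and takes the highest version (the flawed behaviour), a check that flags which manifest entries a public package would shadow, and a private-first resolver as the mitigation. The manifest, package names and registry contents are constructed for the example.

```python
import json

# Constructed example manifest (not PayPal's real package.json).
MANIFEST = json.dumps({
    "name": "internal-app",
    "dependencies": {
        "payments-utils": "^1.4.0",  # private package, no public counterpart
        "auth-helper": "^2.1.0",     # private package, public copy also exists
        "lodash": "^4.17.0",         # genuine public dependency
    },
})

# Constructed registry indexes: package name -> published versions.
PRIVATE_INDEX = {
    "payments-utils": ["1.4.0", "1.4.2"],
    "auth-helper": ["2.1.0"],
}
PUBLIC_INDEX = {
    "auth-helper": ["2.1.0", "99.0.0"],  # same name, much higher version
    "lodash": ["4.17.20", "4.17.21"],
}

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def highest(versions, spec):
    """Highest version satisfying the spec's floor ('^1.4.0' -> >= 1.4.0)."""
    floor = parse_version(spec.lstrip("^~"))
    ok = [parse_version(v) for v in versions if parse_version(v) >= floor]
    return max(ok) if ok else None

def resolve_merged(name, spec):
    """Flawed behaviour: merge both registries and take the highest version,
    so a public package with the same name can shadow the private one."""
    public = highest(PUBLIC_INDEX.get(name, []), spec)
    private = highest(PRIVATE_INDEX.get(name, []), spec)
    if public is not None and (private is None or public >= private):
        return "public", public
    return "private", private

def find_confusable(manifest_json):
    """Defender check: names hosted privately that the merged resolver
    would nevertheless fetch from the public registry."""
    deps = json.loads(manifest_json)["dependencies"]
    return [n for n, s in deps.items()
            if n in PRIVATE_INDEX and resolve_merged(n, s)[0] == "public"]

def resolve_private_first(name, spec):
    """Mitigation: a name hosted privately never falls through to the
    public registry, whatever version the public copy advertises."""
    if name in PRIVATE_INDEX:
        return "private", highest(PRIVATE_INDEX[name], spec)
    return "public", highest(PUBLIC_INDEX.get(name, []), spec)
```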

Birsan's full write-up is worth reading; it explains how he was able to prove that the packages had been installed without raising any alerts.

Of course, the fake packages were harmless, and Birsan alerted the businesses as soon as he got confirmation of a successful infiltration. He has received over $130,000 in bug bounties, with Apple confirming that he will be rewarded for its case as well.
