Exploit gave security researcher access to Apple, Microsoft and PayPal


Security researcher Alex Birsan discovered a security flaw that allowed him to execute code on servers owned by Apple, Microsoft, PayPal, and more than 30 other companies (via BleepingComputer). The exploit is also cunningly simple, and it’s something that many large software developers will have to figure out how to protect themselves from.

The exploit takes advantage of a relatively simple trick: replacing private packages with public packages. When companies create programs, they often use open source code written by other people, so that they don’t spend time and resources solving a problem that’s already solved. For example, I have worked on websites that had to convert text files to web pages in real time. Instead of writing code to do it ourselves, my team found a program that did it and integrated it into our site.

These publicly available programs can be found on repositories such as npm for NodeJS, PyPI for Python, and RubyGems for Ruby. It should be noted that Birsan discovered that these repositories could be used to carry out this attack, but it is not limited to those three.

In addition to these public packages, companies often build their own private packages, which they do not publish publicly, but distribute among their own developers instead. This is where Birsan found the exploit. He found that if he could find the names of the private packages used by companies (a task that proved to be very easy in most cases), he could upload his own code to one of the public repositories under the same name, and the companies’ automated systems would use his code instead. Not only would they download his package instead of the genuine one, but they would also run the code inside.

To explain this with an example, imagine you had a Word document on your computer, but when you went to open it, your computer said, “Hey, there is another Word document on the Internet with the same name. I’ll open that one instead.” Now imagine that the Word document can then automatically make changes to your computer. It is not a great situation.

It seems that the companies have agreed that the problem is serious. In his Medium article, Birsan wrote that “the majority of bug bounties awarded were set at the maximum amount allowed by the policy of each program, and sometimes even more.” For those who are not familiar, bug bounties are cash rewards that companies pay to people who find serious bugs. The more serious the bug, the more money they will pay.

According to Birsan, most of the companies he contacted about the exploit were able to quickly patch their systems so that they were no longer vulnerable. Microsoft even wrote a white paper on how system administrators can protect their businesses from these types of attacks, but it’s frankly astonishing that it took someone so long to realize that these large companies were vulnerable to this type of attack. Fortunately, this isn’t the type of story that ends with immediately updating all the devices in your home, but it looks like it will be a long week for sysadmins who now need to change the way their company uses public code.
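A defender-side check that follows from the mechanism described above (an added example, not Birsan’s code or anything from the Microsoft white paper): audit a manifest for internal package names that a public upload with a higher version number would shadow, and flag unscoped internal names that nobody has claimed on the public registry yet. All package names, versions and the registry snapshot are constructed sample data so the script runs offline.

```python
import json
import re

# Constructed sample data: an organisation's internal package names, the versions
# on its private feed, and a stand-in for public registry metadata (name -> latest).
INTERNAL_PACKAGES = {"acme-billing-core", "@acme/auth-client", "acme-report-utils"}
PRIVATE_FEED = {"acme-billing-core": "1.4.0", "@acme/auth-client": "2.0.1",
                "acme-report-utils": "3.1.0"}
PUBLIC_REGISTRY = {"lodash": "4.17.21", "express": "4.18.2",
                   "acme-billing-core": "99.0.0"}   # same name, higher version
# Constructed package.json content mixing genuine public and internal dependencies.
MANIFEST = json.dumps({"dependencies": {
    "lodash": "^4.17.0",
    "acme-billing-core": "^1.2.0",
    "@acme/auth-client": "2.0.1",
    "acme-report-utils": "^3.1.0",
}})


def version_key(version):
    """Numeric tuple for ordering, e.g. '1.4.0' -> (1, 4, 0)."""
    return tuple(int(part) for part in re.findall(r"\d+", version)[:3])


def audit_manifest(manifest_text, internal, private_feed, public_registry):
    """Return {name: finding} for internal dependencies exposed to name collision.

    A resolver that merges public and private feeds picks the highest version
    it sees, so a public package with the same name and a larger version wins.
    """
    deps = json.loads(manifest_text).get("dependencies", {})
    findings = {}
    for name in deps:
        if name not in internal:
            continue                      # genuine public dependency, not our concern here
        if name.startswith("@"):
            continue                      # scoped name: a public package cannot collide
        if name in public_registry:
            public_v, private_v = public_registry[name], private_feed.get(name, "0")
            if version_key(public_v) > version_key(private_v):
                findings[name] = f"shadowed: public {public_v} outranks private {private_v}"
            else:
                findings[name] = "collision: same name exists on the public registry"
        else:
            findings[name] = "unscoped: name is free to register on the public registry"
    return findings


if __name__ == "__main__":
    for pkg, finding in audit_manifest(MANIFEST, INTERNAL_PACKAGES,
                                       PRIVATE_FEED, PUBLIC_REGISTRY).items():
        print(f"{pkg}: {finding}")
```

The fix for each finding is the same one the article points at: scope or pin internal names, and configure the package manager so the private feed is the only source for them.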
