Researcher earned more than $130,000 in rewards through bug bounty programmes
A cyber security researcher has run code on servers belonging to 35 major tech companies by exploiting a security weakness in how their builds fetch software packages. The companies included Microsoft, Apple, Tesla, Netflix, Shopify, Uber, PayPal and Yelp.
The code that researcher Alex Birsan ran on those servers is described as a novel software supply chain attack, according to Bleeping Computer.
Through bug bounty programmes and pre-approved penetration testing arrangements with these firms, the researcher has earned more than $130,000 in rewards.
The highest bounty, $40,000, was awarded by Microsoft, which also released a white paper on the security issue. Microsoft tracks the issue as CVE-2021-24105 for its Azure Artifacts product.
The researcher was quoted as saying in a report, “I feel that it is important to make it clear that every single organisation targeted during this research has provided permission to have its security tested, either through public bug bounty programs or through private agreements. Please do not attempt this kind of test without authorisation”.
The attack comprised uploading malware to open source repositories, “which then got distributed downstream automatically into the company’s internal applications”.
Because the victim needed to take no action and received the malicious packages automatically, the attack stands apart from phishing-style supply chain compromises: it leveraged a design weakness in how open-source package managers resolve a package name when both a private and a public registry are configured, a weakness now called dependency confusion.
Apple told Bleeping Computer that the researcher will get a reward via its Security Bounty programme for responsibly disclosing this issue.
PayPal publicly disclosed the researcher’s HackerOne report, which lists a $30,000 bounty.
According to the researcher, such attacks are likely to resurface and grow, particularly on open-source platforms where dependency confusion has no easy fix.
The researcher in his blog post said, “I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs”.
Last year, while Birsan was working with fellow researcher Justin Gardner, Gardner shared with him a manifest file, package.json, from an npm package used internally by PayPal.
Birsan noticed that some of the packages listed in the manifest were PayPal’s privately created npm packages, used and stored internally by the firm and not present on the public npm registry.
Birsan wondered which would take priority if a package with the same name existed both in a private Node.js registry and in the public npm registry.
To test this hypothesis, Birsan began hunting for names of private internal packages that he could find in prominent companies’ CDNs or in manifest files in GitHub repositories, but that did not exist in any public open-source repository.
He then created counterfeit projects under those same names on public open-source repositories such as npm, PyPI and RubyGems.
Every package the researcher published went out under his real account and carried a clear disclaimer stating, “This package is meant for security research purposes and does not contain any useful code”.
Birsan soon found that if a dependency used by an application exists both in the firm’s private build and in a public open-source repository, the public package would take priority and be pulled in instead, with no action required from the developer.
In some cases, as with PyPI packages, Birsan noticed that whichever package carried the higher version number would be prioritised, regardless of which repository it came from.
Birsan carried out successful supply chain attacks with this technique against Microsoft, Apple, Tesla, Netflix, Shopify, Uber, PayPal and Yelp simply by publishing public packages with the same names as the companies’ internal ones.
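To make the resolution rule concrete, the following is an added example that simulates it offline; it is not Birsan’s code nor any vendor’s tooling. Two toy registries (public and private), a toy manifest and the “acme-” internal prefix are constructed assumptions. The permissive resolver merges candidates from every index and takes the highest version, which is the behaviour described above for pip with an extra index; the hardened resolver pins internal names to the private registry and fails closed if one is missing, and an audit function lists which manifest entries the two policies disagree on, i.e. which names an attacker could hijack by squatting the public index.

```python
"""Dependency confusion, simulated offline (added example, constructed data)."""
from typing import Dict, List, Optional, Tuple

Registry = Dict[str, List[str]]

# Constructed public registry: one legitimate package plus a squatted package
# an attacker published under a leaked internal name with an inflated version.
PUBLIC_REGISTRY: Registry = {
    "requests": ["2.25.1", "2.24.0"],
    "acme-internal-auth": ["99.0.0"],  # attacker-controlled (assumption)
}

# Constructed private registry holding the company's real internal packages.
PRIVATE_REGISTRY: Registry = {
    "acme-internal-auth": ["1.4.2", "1.4.1"],
    "acme-billing-core": ["0.9.0"],
}

# Constructed manifest in the spirit of the leaked package.json.
MANIFEST: Dict[str, str] = {
    "requests": ">=2.24",
    "acme-internal-auth": ">=1.4",
    "acme-billing-core": ">=0.9",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def resolve_highest_version(name: str, public: Registry,
                            private: Registry) -> Optional[Tuple[str, str]]:
    """Permissive policy: gather candidates from every index and pick the
    highest version wherever it lives. Returns (source, version) or None."""
    candidates = [("public", v) for v in public.get(name, [])]
    candidates += [("private", v) for v in private.get(name, [])]
    if not candidates:
        return None
    return max(candidates, key=lambda c: parse_version(c[1]))


def resolve_pinned(name: str, public: Registry, private: Registry,
                   internal_prefix: str = "acme-") -> Optional[Tuple[str, str]]:
    """Hardened policy: names under the internal prefix may only come from the
    private registry, everything else only from the public one. An internal
    name missing from the private registry raises instead of falling back."""
    if name.startswith(internal_prefix):
        versions = private.get(name)
        if not versions:
            raise LookupError(f"internal package {name!r} absent from private registry")
        return ("private", max(versions, key=parse_version))
    versions = public.get(name)
    if not versions:
        return None
    return ("public", max(versions, key=parse_version))


def audit_manifest(manifest: Dict[str, str], public: Registry, private: Registry,
                   internal_prefix: str = "acme-") -> List[str]:
    """Return manifest entries whose permissive resolution differs from the
    pinned one: these are the dependencies a squatted public package hijacks."""
    hijackable = []
    for name in manifest:
        permissive = resolve_highest_version(name, public, private)
        pinned = resolve_pinned(name, public, private, internal_prefix)
        if permissive != pinned:
            hijackable.append(name)
    return hijackable


if __name__ == "__main__":
    for dep in MANIFEST:
        print(dep,
              "permissive ->", resolve_highest_version(dep, PUBLIC_REGISTRY, PRIVATE_REGISTRY),
              "pinned ->", resolve_pinned(dep, PUBLIC_REGISTRY, PRIVATE_REGISTRY))
    print("hijackable:", audit_manifest(MANIFEST, PUBLIC_REGISTRY, PRIVATE_REGISTRY))
```

Running the script shows the permissive resolver pulling acme-internal-auth 99.0.0 from the public index while the pinned resolver keeps the private 1.4.2; only that entry is reported as hijackable. The real-world equivalents of the pinned policy are npm scopes mapped to a private registry in .npmrc and a single private index that proxies approved public packages rather than a public index added as an extra fallback.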