Researcher breaches systems at more than 35 companies, including Apple, Microsoft and PayPal

A security researcher was able to breach the internal systems of more than 35 large companies, including Apple, Microsoft and PayPal, through a software supply chain attack (via BleepingComputer).


Security researcher Alex Birsan exploited a design weakness in the way several open-source package ecosystems resolve dependencies, a technique now known as “dependency confusion”, to reach the systems of companies such as Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Tesla and Uber.

The attack involved uploading malicious proof-of-concept packages to public open source registries, including PyPI, npm and RubyGems, from which they were automatically pulled downstream into the various companies’ internal applications. Victims received the malicious packages through their normal build tooling, without any social engineering or trojanised software being required.

Birsan registered public packages carrying the same names as the companies’ private, internal dependencies, each with a disclaimer message, and found that build systems would automatically fetch the public package of that name without any action from the developer. In some cases, such as with PyPI packages, whichever package carried the higher version number took precedence, no matter which index it came from. This allowed Birsan to successfully attack the software supply chain of multiple companies.
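The resolution rule described above is the whole attack. The following added example (not Birsan’s code and not part of the original article) models it with two constructed package indexes: a private one holding a hypothetical internal package `acme-internal-utils`, and a public one on which an attacker has registered the same name with an inflated version. `resolve_highest_anywhere` mimics the vulnerable behaviour of merging all configured indexes and taking the highest version, as pip does with `--extra-index-url`; `resolve_bound_to_index` shows the hardening a practitioner wants, binding each internal name to its expected index and reporting, rather than installing, a public package that shadows it. The package names, versions and index labels are all assumptions made up for the example.

```python
"""Toy model of dependency resolution behind 'dependency confusion' (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # label of the index that served this candidate


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare dotted numeric versions as tuples (no pre-release handling; toy only)."""
    return tuple(int(part) for part in v.split("."))


# Constructed sample data (assumption): name -> available versions on each index.
PRIVATE_INDEX: Dict[str, List[str]] = {
    "acme-internal-utils": ["1.2.0", "1.3.1"],
    "acme-auth-client": ["0.9.0"],
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.25.1", "2.26.0"],
    "acme-internal-utils": ["99.0.0"],  # attacker-registered name with a huge version number
}
INDEXES: Dict[str, Dict[str, List[str]]] = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}

# Hardening policy (assumption): which index each internal name must come from.
EXPECTED_INDEX: Dict[str, str] = {
    "acme-internal-utils": "private",
    "acme-auth-client": "private",
}


def resolve_highest_anywhere(name: str, indexes: Dict[str, Dict[str, List[str]]]) -> Optional[Candidate]:
    """Vulnerable resolution: every index is consulted and the highest version wins,
    regardless of where it came from. This is what lets a public 99.0.0 beat a private 1.3.1."""
    candidates = [
        Candidate(name, version, index_label)
        for index_label, index in indexes.items()
        for version in index.get(name, [])
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda c: parse_version(c.version))


def resolve_bound_to_index(
    name: str,
    indexes: Dict[str, Dict[str, List[str]]],
    expected_index: Dict[str, str],
) -> Tuple[Optional[Candidate], List[str]]:
    """Hardened resolution: a package is only ever taken from the index it is bound to.
    A copy of an internal name on any other index is reported as a shadowing attempt."""
    bound_to = expected_index.get(name, "public")
    warnings: List[str] = []
    for index_label, index in indexes.items():
        if index_label != bound_to and name in index:
            warnings.append(
                f"{name}: also published on '{index_label}' with versions {index[name]} "
                f"but policy binds it to '{bound_to}'"
            )
    versions = indexes[bound_to].get(name, [])
    if not versions:
        return None, warnings
    best = max(versions, key=parse_version)
    return Candidate(name, best, bound_to), warnings


def shadowed_names(private: Dict[str, List[str]], public: Dict[str, List[str]]) -> Set[str]:
    """Audit helper: internal names that already exist on the public index."""
    return set(private) & set(public)


if __name__ == "__main__":
    print("vulnerable:", resolve_highest_anywhere("acme-internal-utils", INDEXES))
    chosen, notes = resolve_bound_to_index("acme-internal-utils", INDEXES, EXPECTED_INDEX)
    print("hardened:  ", chosen)
    for note in notes:
        print("warning:   ", note)
    print("shadowed:  ", shadowed_names(PRIVATE_INDEX, PUBLIC_INDEX))
```

The audit helper is the cheapest preventive check: run it over the list of internal package names against each public registry the build can reach, and register (or have the registry reserve) every name it reports before an attacker does. Binding names to an index, pinning hashes, or using a registry that does not fall through to public upstreams for internal names all remove the "highest version anywhere wins" rule that the example exploits.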

After confirming that his package had executed inside a company’s network, Birsan reported his findings to the company in question, and several rewarded him with a bug bounty. Microsoft awarded him its highest bounty, $40,000, and released a white paper on the issue, while Apple told BleepingComputer that Birsan will receive a reward through the Apple Security Bounty program for responsibly disclosing it. Birsan has now earned more than $130,000 from bug bounty programs and pre-approved penetration testing arrangements.

A full explanation of the methodology behind the attack is available from Alex Birsan’s Medium page.
