Ethical hacker, Alex Birsan, has demonstrated that it is possible to breach the systems of tech giants by utilizing a novel supply chain attack by exploiting public, open-source developer tools. These tech companies include giants such as Microsoft, Apple, PayPal, Shopify, Netflix, Tesla and Uber.
The attack injects malicious code into common tools for installing dependencies for ones projects from public code repositories such as Github. When we use any package from such sources, we trust that the uploader has no malicious intent and download and use it with utmost faith. But, what if this was not the case? What if this blind trust and faith is misplaced and is being exploited?
Python, Ruby and Java were the three programming languages used across these 35 organizations where he had found the vulnerabilities.
Birsan decided to explore the trust exploited by the malicious actors when he was hacking PayPal with Justin Gardner, in the summer of 2020, who had shared with him “an interesting bit of Node.js source code found on GitHub,”.
“The code was meant for internal PayPal use, and, in its package.json file, appeared to contain a mix of public and private dependencies — public packages from npm, as well as non-public package names, most likely hosted internally by PayPal. These names did not exist on the public npm registry at the time,” notes Birsan.
He wondered whether some of PayPal’s internal projects would start defaulting to the new public packages instead of private ones. In a nutshell, the answer was yes.
Birsan applied his idea to upload his own “malicious” Node packages to the npm registry under all the unclaimed names, which would “phone home” from each computer they were installed on, he explained. The code would notify him if it was installed on any of the PayPal-owned servers. The Node package would collect basic information about each machine that it has been installed on and also log the username, hostname and current path of each unique installation.
Once he had gained access to the servers he used DNS exfiltration to send data back to him “knowing that most of the possible targets would be deep inside well-protected corporate networks”. He guessed that it would be less likely for the data to be detected or blocked on its way out.
He hex-coded the data and used it as part of a DNS query, which reached his custom authoritative name server, either directly or through intermediate resolvers. He configured the server to log each received query, essentially keeping a record of every machine where the packages were downloaded.
Once this was done, he ported the code to Python where he could upload the PyPI (Python Package Index), and to Ruby where he could upload the RubyGems package. He searched through private package names belonging to targeted companies to find as many relevant dependency names as possible.
He found that many other names could be found on GitHub, as well as on the major package hosting services, and even within posts on various internet forums.
Alex Birsan calls this entire method of hacking as “Dependency Confusion”. Microsoft too has published a white paper detailing how this attack is carried out, and has dubbed it as “substitution attack”.
Alex Birsan states that “the success rate was simply astonishing” once he had begun his attack on these targeted companies.
He has already received more than $130,000 from these organizations as bug bounties and pre-approved financial agreements between the organization and himself, with Apple and Shopify contributing $30,000 each.