A security researcher recently discovered a vulnerability that let him access the internal system of 35 companies – which includes tech giants like Microsoft, Apple, Netflix, Tesla, Uber and PayPal – in a novel software supply chain attack. For the attack, the researcher uploaded malware to open source repositories including PyPI, npm, and RubyGems, which were then automatically distributed downstream into the companies' internal applications. The particular supply chain attack leverages a unique design flaw of the open-source ecosystems – called dependency confusion – and it needs no action by the victim, who automatically receive the malicious packages.
The report on the vulnerability discovered by the researcher, Alex Birsan, was first reported by Bleeping Computer.
Birsan made use of DNS to exfiltrate the data to bypass detection.
Using this technique, Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber simply by publishing public packages using the same name as the company's internal ones.
"I believe dependency confusion is quite different from typosquatting or brandjacking, as it does not necessarily require any sort of manual input from the victim...Rather, vulnerabilities or design flaws in automated build or installation tools may cause public dependencies to be mistaken for internal dependencies with the exact same name," Birsan said.
The researcher earned over $130,000 in bug bounties for his ethical research. Microsoft awarded him their highest bug bounty of $40,000. PayPal has disclosed that it will be awarding Birsan a $30,000 bounty amount. Another $30,000 reward came from Apple.
Birsan added that Shopify awarded a $30,000 bug bounty for finding the issue.
Tesla and other companies also rewarded him with their specific bounty programs.
source https://www.firstpost.com/tech/news-analysis/microsoft-apple-netflix-tesla-and-31-other-companies-internal-systems-were-discovered-with-security-vulnerability-9296451.html
