How to hack big companies like Apple and PayPal using software 'packages'?

Hacking has become a major threat in a highly digital society, and in 2020, large-scale hacking damage to US government agencies was discovered , and water systems were hacked, which is 100 times more harmful than the standard value. There was also an incident in which the water was about to be mixed into tap water . Meanwhile, cybersecurity researcher Alex Birsan explains how to use software ' packages ' to hack into well-known large corporations.

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies | by Alex Birsan | Feb, 2021 | Medium
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

An exploit let a security researcher into Apple, Microsoft, and PayPal --The Verge
https://www.theverge.com/2021/2/10/22276857/security-researcher-repository-exploit-apple-microsoft-vulnerability

In some programming languages, there is code called a 'package' that defines a particular feature. If you have a package with features that should be included in the software you are developing, you can call and use the features defined by declaring the package without having to write the code from scratch. Most software does not write all the code, but has dependencies on existing libraries and packages.

In addition to downloading and using public packages stored in repositories, companies and institutions may also create private internal packages that are distributed only to internal developers. Mr. Birsan said that he focused on the internal package used by the company and devised a mechanism to hack by a simple method.

Birsan's method is to 'replace internal packages used by companies with software with public packages containing malicious code.' 'If you download a package from source, you basically trust the publisher of the package to run it on your machine. So this blind trust can be exploited by a malicious attacker. Is there? Of course there is, 'Birsan said.

Birsan said that when he tried to discover a PayPal vulnerability in the summer of 2020, his colleagues gave him some interesting Node.js code on GitHub. This code seems to be intended for internal use of PayPal, with a mix of public packages hosted by Node.js's package management system npm and internal package dependencies that appear to have been developed inside PayPal. that's right.

After confirming that a public package with the same name as the internal package does not exist in the npm registry, Birsan said, 'If you upload malicious code with the same name as this internal package as a public package, you will publish the PayPal internal package. Isn't it replaced by a package? ' So Birsan wrote the code to collect and send data about the installed machine to the extent that it doesn't really collect sensitive information that could be arrested.

Having prepared a masterplan for the attack, Birsan checked for similar vulnerabilities in companies other than PayPal and gathered information about internal packages on GitHub and various other locations. After that, he uploaded malicious packages to each package management system such as npm, pip of Python , and gem (RubyGems) of Ruby .

As a result, Birsan succeeded in hacking as many as 35 companies, including PayPal. In addition to PayPal, it seems that it was possible to hack companies such as Apple, Microsoft, Netflix, Yelp, Uber, Shopify, etc., and the majority of the affected companies were companies with more than 1000 employees. Birsan speculates that large organizations may reflect the high usage of internal libraries as to why large companies were vulnerable.

While it's unclear why public packages are being replaced by internal packages, Python packages have been found to occur when 'arguments are used in an unsafe way by design'. If you specify a package using a specific argument, the mechanism is to 'search for the package with the specified name both publicly and internally, and if found in both, install the one with the larger version number'. Therefore, by increasing the version number of the malicious public package, it is possible to push away the correct internal package and install it.

Birsan discovered a package vulnerability and received a $ 30,000 bug bounty from PayPal, $ 30,000 from Shopify and Apple, and $ 40,000 from Microsoft. I received. It seems that these amounts are at or above the upper limit set by each company as a bug bounty, and it can be seen that companies also take this vulnerability as serious. Many companies that were informed about the vulnerability applied the patch quickly, and the vulnerability disappeared.