Researcher breaches Apple, Microsoft, and others with installer attack

A security researcher hacked the internal systems of major companies like Apple, Microsoft, PayPal, and others using a supply chain attack he dubbed "dependency confusion."

Credit: Apple


The attack took advantage of a flaw inherent in many popular installers that developers use to fetch packages and dependencies. By uploading malware to open source repositories, researcher Alex Birsan was able to trick these installers into downloading his malicious code, according to a writeup he posted on Medium.

In the case of Apple, Birsan was able to compromise several machines in the company's internal network after they downloaded malicious code in a Node package that he uploaded to npm, a package manager for JavaScript. Specifically, Birsan was able to breach projects related to the Apple ID authentication system.

Apple told the researcher that the vulnerability could have been used to achieve remote code execution on Apple servers. When Birsan asked whether an attacker could have injected backdoors into Apple ID, the company said that "achieving a backdoor in an operational service requires a more complex sequence of events, and is a very specific term that carries additional connotations."

The Cupertino tech giant fixed the vulnerability within two weeks of disclosure. Although he reported the flaw to Apple in August 2020, Birsan said he had only just received his bug bounty payment prior to the Medium write-up in February 2021.

The supply chain attack relies on the trust many developers have in these package installers, which include npm, Python's pip, and Ruby's RubyGems. Another key factor is the use of internal packages whose names don't exist in public repositories. By publishing malware to the public repositories under the names of these internally used packages, Birsan was able to fool some programs into downloading his malicious code instead of the legitimate packages. He used DNS to covertly exfiltrate the data.
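The resolution behaviour the paragraph describes, modelled as an added example (not code from the article or from Birsan's write-up). The registries, package names and versions are constructed in-memory stand-ins; nothing is fetched from npm, PyPI or any other real index. The vulnerable policy merges every configured index and takes the highest version; the hardened policy resolves names that belong to the internal namespace only from the private index and fails closed.

```python
from typing import Dict, Iterable, Mapping, Optional, Set, Tuple

# Constructed sample registries: package name -> {version: source label}.
# The private index holds the company's internal package; the public index
# holds an ordinary open source package plus an upload that merely reuses the
# internal name with a higher version number.
PRIVATE_INDEX: Dict[str, Dict[str, str]] = {
    "acme-auth-utils": {"1.4.2": "private"},
}
PUBLIC_INDEX: Dict[str, Dict[str, str]] = {
    "left-pad": {"1.3.0": "public"},
    "acme-auth-utils": {"99.0.0": "public"},
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))

def resolve_highest_wins(name: str,
                         indexes: Iterable[Mapping[str, Mapping[str, str]]]
                         ) -> Optional[Tuple[str, str]]:
    """Vulnerable policy: pool all indexes and pick the highest version,
    regardless of which index it came from. A public upload under an
    internal name with an inflated version wins this comparison."""
    candidates = []
    for index in indexes:
        for version, source in index.get(name, {}).items():
            candidates.append((parse_version(version), version, source))
    if not candidates:
        return None
    _, version, source = max(candidates)
    return version, source

def resolve_scoped(name: str,
                   private_index: Mapping[str, Mapping[str, str]],
                   public_index: Mapping[str, Mapping[str, str]],
                   private_names: Set[str]) -> Optional[Tuple[str, str]]:
    """Hardened policy: a name in the internal namespace is served only by
    the private index. If it is missing there, resolution fails instead of
    falling through to the public index."""
    index = private_index if name in private_names else public_index
    versions = index.get(name, {})
    if not versions:
        return None
    version = max(versions, key=parse_version)
    return version, versions[version]
```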

Birsan only operated within the scope of company bug bounty programs and only collected non-sensitive data from compromised systems, but his research was able to point out flaws in many companies' internal configurations.

In total, the researcher discovered dependency confusion vulnerabilities inside 35 organizations to date. The vast majority of them are companies with more than 1,000 employees, which he attributes to the "higher prevalence of internal library usage within larger organizations."

Birsan earned more than $130,000 in bug bounties. Payments of $30,000 each came from Shopify, Apple, and PayPal. In the case of Microsoft, Birsan's research netted him the company's highest amount of $40,000. Microsoft also released a white paper on the issue.

The researcher also believes that the problem will continue to grow.

"Specifically, I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs," Birsan wrote.

Comments

  • Reply 1 of 7
larrya, Posts: 606, member
    Very creative and effective, but the scary thought is that he probably isn’t the first person to think of doing this. 
  • Reply 2 of 7
M68000, Posts: 724, member
    This kind of thing is another example why you want to do your own data back up of critical personal files to non internet attached storage media that has physical security also, with a duplicate set in another location such as a bank safety deposit box. 
  • Reply 3 of 7
    And thus begins the era of awareness that we need to use cryptographic hashes on every single part that goes into a released application, along with a careful certification process that’ll still be limited by humans, to reduce chances of this happening.

    Fun!
  • Reply 4 of 7
    M68000 said:
    This kind of thing is another example why you want to do your own data back up of critical personal files to non internet attached storage media that has physical security also, with a duplicate set in another location such as a bank safety deposit box. 
    Great in theory, but an annoying pain in practice...  unless your personal files rarely change.
  • Reply 5 of 7
MplsP, Posts: 3,921, member
    Excellent work on Birsan’s part. He deserved the bounty payments he got. I’m glad to see that Apple and other companies are continuing these payments and rewarding people that help make digital systems more secure for everyone.
  • Reply 6 of 7
    And thus begins the era of awareness that we need to use cryptographic hashes on every single part that goes into a released application, along with a careful certification process that’ll still be limited by humans, to reduce chances of this happening.

    Fun!
    Some of us have known that for ages. :smile: 

    There is a fairly large number of open source projects that include md5 hashes on their download pages when manually downloading.  Unfortunately, integrating such checking into an automatic build is somewhat harder.  Not insoluble though.
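The hash checking in an automated build that the reply above says is "somewhat harder", shown as an added example that is not the commenter's or the article's code. It uses SHA-256 rather than the MD5 digests mentioned, the lockfile and artifact bytes are constructed inline, and the check fails closed: an artifact with no pinned digest is rejected, so a substituted dependency cannot enter the build without an explicit pin.

```python
import hashlib
from typing import Dict, Mapping

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the artifacts a build would download.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "acme-auth-utils-1.4.2.tgz": b"constructed tarball bytes for the internal package",
    "left-pad-1.3.0.tgz": b"constructed tarball bytes for a public package",
}

# Constructed lockfile: artifact name -> pinned digest. In a real build this
# is committed alongside the dependency list and reviewed when it changes.
LOCKFILE: Dict[str, str] = {name: sha256_hex(data) for name, data in SAMPLE_ARTIFACTS.items()}

class IntegrityError(Exception):
    """Raised when a downloaded artifact cannot be matched to its pin."""

def verify_artifacts(downloaded: Mapping[str, bytes],
                     lockfile: Mapping[str, str]) -> Dict[str, str]:
    """Check every downloaded artifact against the lockfile before install.
    Returns name -> verified digest; raises on any mismatch or missing pin."""
    verified: Dict[str, str] = {}
    for name, data in downloaded.items():
        expected = lockfile.get(name)
        if expected is None:
            raise IntegrityError(f"{name}: no pinned hash in lockfile")
        actual = sha256_hex(data)
        if actual != expected:
            raise IntegrityError(f"{name}: digest mismatch, refusing to install")
        verified[name] = actual
    return verified

def artifacts_ok(downloaded: Mapping[str, bytes], lockfile: Mapping[str, str]) -> bool:
    """Boolean wrapper suitable as a build gate: True only if all pins match."""
    try:
        verify_artifacts(downloaded, lockfile)
        return True
    except IntegrityError:
        return False
```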
  • Reply 7 of 7
gatorguy, Posts: 24,211, member
    M68000 said:
    This kind of thing is another example why you want to do your own data back up of critical personal files to non internet attached storage media that has physical security also, with a duplicate set in another location such as a bank safety deposit box. 
    Like the file cabinets and at-home fire safes we used to rely on? Yeah, I still use those. Print it out and keep a copy in specific file folders at my house if there's value in keeping it handy.

    My Mom when she was alive kept those really important papers in a safety deposit box as a lot of people did. My own fire vault is good enough for me, and right now is not a great time to try to get access to your papers at a bank anyway. My regular branch is all but closed to the public except by appointment.
    edited February 2021