Alex Birsan, a Romanian threat researcher, recently made over $130,000 by virtuously breaking into IT systems at dozens of major tech companies.
Birsan used a single innovative supply chain attack to compromise Tesla, Netflix, Microsoft, Apple, PayPal, Uber, Yelp, and at least 30 other firms. In the process, the researcher exposed a major vulnerability and earned large sums via multiple bug bounties, the fees companies pay “white hat” hackers who successfully test their online defenses.
How Birsan did it is pretty interesting. It involves the manipulation of code in development projects, specifically dependencies: the additional code packages that a program needs in order to run. Threatpost notes that the attack would inject malicious code “into common tools for installing dependencies in developer projects which typically use public depositories from sites like GitHub. The malicious code then uses these dependencies to propagate malware through a targeted company’s internal applications and systems.”
This is all pretty complicated, but essentially, Birsan discovered that some code packages internal to large companies were being unintentionally published in public repositories, like GitHub, for a variety of reasons, including “misconfigured internal or cloud-based build servers” and “systemically vulnerable development pipelines,” among other things. Birsan also discovered that automated build tools, which are used by companies during development, would sometimes “mistake” this public code for internal code if packages had the same name.
As a result, an attacker could potentially upload “malware to open source repositories” that would then be automatically slipped into a company’s system, according to BleepingComputer. These malicious, counterfeit code packages would allow a malefactor to execute arbitrary code or could be used to add “backdoors inside the affected project(s) during the build process,” Birsan said in a recent run-down of how Yelp had been affected.
For example, PayPal published a note about Birsan’s discoveries, explaining what had happened in its case:
...certain development projects defaulted to the public NPM registry, instead of using the intended internal packages. Since the packages on the public registry did not exist, the researcher created these and observed they were downloaded. Had these packages been registered with malicious intent, it is possible for internal development to have included this code. While there are additional checks and controls in the development pipeline, this could have caused significant issues for internal systems. Thanks to the researcher’s report, PayPal was able to mitigate the issue with the public registry and confirmed no evidence of prior malicious activity.
Birsan has dubbed this vulnerability “dependency confusion,” which he said in a recent blog post, “was detected inside more than 35 organizations to date, across all three tested programming languages. The vast majority of the affected companies fall into the 1000+ employees category, which most likely reflects the higher prevalence of internal library usage within larger organizations.” He clarified to BleepingComputer that the exploit involves “vulnerabilities or design flaws in automated build or installation tools [that] may cause public dependencies to be mistaken for internal dependencies with the exact same name.”
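A defender can look for the condition PayPal describes, an internal package name resolving from the public registry, by auditing a project's lockfile. The following is an added example, not code from Birsan, PayPal or the original article; the lockfile excerpt is constructed, and the registry host `npm.internal.example` and the `acme` package names are assumptions.

```javascript
// Added example with constructed data. The registry host and the acme-* package
// names below are assumptions, not values from the article.
const INTERNAL_REGISTRY_HOST = "npm.internal.example";
const INTERNAL_PACKAGES = new Set(["acme-auth-client", "@acme/billing-core", "acme-logger"]);
// Constructed excerpt of a package-lock.json (lockfileVersion 3).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "storefront", version: "1.0.0" },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
    "node_modules/@acme/billing-core": {
      version: "2.3.0",
      resolved: "https://npm.internal.example/@acme/billing-core/-/billing-core-2.3.0.tgz",
    },
    "node_modules/acme-auth-client": {
      version: "1.0.1",
      resolved: "https://registry.npmjs.org/acme-auth-client/-/acme-auth-client-1.0.1.tgz",
    },
    // Nested dependency with no recorded source URL.
    "node_modules/express/node_modules/acme-logger": { version: "1.4.2" },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> null.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Report every internal package name that was not fetched from the internal registry.
function auditLockfile(lock, internalNames, internalHost) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !internalNames.has(name)) continue;
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* missing or malformed URL */ }
    if (host === internalHost) continue;
    const reason = host ? "resolved from a non-internal registry" : "no verifiable source URL";
    findings.push({ name, version: entry.version, host, reason });
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK, INTERNAL_PACKAGES, INTERNAL_REGISTRY_HOST));
```

A non-empty result is a reason to stop the build and check which registry the project is configured to use.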
When Birsan began leveraging this strategy last year, security firm Sonatype began flagging the packages he was sending as malware, the company recently reported. Birsan quickly reached out and notified them of his ongoing research, explaining that an official disclosure about the vulnerability would be coming in 2021.
Birsan’s successful hacks have earned him multiple bug bounties and the gratitude of a number of large tech companies.
“I feel that it is important to make it clear that every single organization targeted during this research has provided permission to have its security tested, either through public bug bounty programs or through private agreements. Please do not attempt this kind of test without authorization,” Birsan wrote in the blog post.
Birsan, who previously worked as a Python engineer with Bitdefender and has spent the last three years as a self-employed IT security consultant, further noted that the type of vulnerability he discovered has the potential to become a much bigger problem in the future.
“I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs,” Birsan wrote.