- Alex Birsan discovered a security vulnerability allowing him to run code on servers.
- Vulnerabilities were found in Apple, Microsoft, PayPal along with 30 other companies’ systems.
- Most companies were able to patch their systems quickly enough.
Security researcher Alex Birsan discovered a vulnerability that allowed him to run code on servers owned by Apple, Microsoft, PayPal, and over 30 other companies. The technique is also deviously easy, and it is something that many major software developers will have to learn to defend themselves against. Birsan published a long post on his research on Tuesday, and he has been paid over $130,000 in bug bounties by the companies above.
The surprisingly easy trick exploits a substitution: a package of the same name from a public repository is pulled in instead of a company's private one. While developing projects, businesses use open-source code written by other people, for tasks such as converting text files to web pages in real time. These freely accessible programs are found in repositories such as npm for Node.js, PyPI for Python, and RubyGems for Ruby. Birsan discovered that it was possible to use those repositories to carry out this attack.
How Birsan found the vulnerabilities
Companies also create their own private packages in addition to these public packages. They do not upload these to public repositories but distribute them among their own developers instead. This is where Birsan observed the exploit. If he could find the names of the private packages used by a business (a job that turned out to be quite simple in most cases), he could upload his own code to one of the public repositories under the same name, and the company's automated systems would use his code. They would not only download his package instead of the right one, but would run the code inside it as well.
To clarify this with an example, imagine you had a Word document on your computer, but when you went to open it, your computer said, “Oh, there's another Word document with the same name on the internet. I'll open that one instead.” Now imagine that the Word document could make changes to your computer automatically. The businesses seem to have decided that the issue was critical. For those unfamiliar, bug bounties are cash rewards that companies pay out to individuals who discover significant bugs. The more serious a bug is, the more money they'll pay for it.
Vulnerabilities were patched soon
Most of the companies he contacted about the attack were able to patch their systems quickly enough, so they are no longer vulnerable. Microsoft has also compiled a white paper outlining how system administrators can defend their businesses from attacks of this nature. But it's honestly incredible that it took anyone this long to find out that these large businesses were vulnerable to this kind of attack. Fortunately, this is not the kind of story that ends in you having to upgrade every computer in your house immediately, but it seems like it's going to be a long week for system administrators who now need to change the way their business uses public code.
Birsan said in the blog post that he carried out the hacks after carefully reading the code that companies had submitted to open-source repositories hosted by businesses including GitHub. When analyzing PayPal's code with a fellow researcher, he discovered that it contained both public dependencies, lines that would automatically pull in public code found on open-source repositories, and private dependencies that appeared to reference internally hosted code.
Bug Bounties earned by Alex
The affected companies include Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber. After he disclosed the vulnerabilities, each company was able to fix them on its own systems. He received over $130,000 in bug bounties, including $30,000 from PayPal and $40,000 from Microsoft. Apple also told him just this week that he will earn $30,000 via their bounty scheme.
Experts say companies should take specific measures to eliminate the risk of similar attacks. In a white paper published on Birsan's findings, Microsoft said businesses should configure their systems to prioritize private packages over public ones with the same names, and to narrow the set of public packages on which they depend. According to a blog post by Ax Sharma, a security researcher with the enterprise software company Sonatype, businesses may also try to avoid similar attacks by preemptively “typosquatting” their own packages, registering modified spellings of their package names in public repositories. The incident should act as a wake-up call for businesses using open-source technology.
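As an added illustration of the first mitigation above (this audit is not from the article, Microsoft's white paper or Sonatype), the following Python script reads a constructed package.json and .npmrc and reports which internal package names would still be resolved from the public npm registry, comparing a weak configuration with one that pins the organization's scope to a private feed. The package names, the @acme scope and the registry URL are hypothetical.

```python
import json

PUBLIC_REGISTRY = "https://registry.npmjs.org/"

def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) from .npmrc contents."""
    default, scoped = PUBLIC_REGISTRY, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # drop ini comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scoped[key[: -len(":registry")]] = value
    return default, scoped

def registry_for(name, default, scoped):
    """Registry npm would consult for this package name under the config."""
    if name.startswith("@") and "/" in name:
        return scoped.get(name.split("/", 1)[0], default)
    return default

def audit(package_json, npmrc, internal_names):
    """Map each internal dependency that would come from the public registry to why."""
    manifest = json.loads(package_json)
    default, scoped = parse_npmrc(npmrc)
    exposed = {}
    for section in ("dependencies", "devDependencies"):
        for name in manifest.get(section, {}):
            if name not in internal_names:
                continue  # genuinely public dependency
            if registry_for(name, default, scoped) != PUBLIC_REGISTRY:
                continue  # pinned to the private feed by its scope
            if name.startswith("@"):
                exposed[name] = "scope not mapped to a private registry"
            else:
                exposed[name] = "unscoped name; cannot be pinned by scope"
    return exposed

# Constructed sample inputs; package names, scope and registry URL are hypothetical.
PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.17.1", "@acme/auth-client": "1.2.0", "acme-billing-utils": "0.3.1"},
    "devDependencies": {"@acme/build-tools": "2.0.0"}})
INTERNAL = {"@acme/auth-client", "acme-billing-utils", "@acme/build-tools"}
WEAK_NPMRC = "registry=https://registry.npmjs.org/\n"  # everything resolves from public npm
HARDENED_NPMRC = WEAK_NPMRC + "; private feed for the org's scope\n@acme:registry=https://npm.acme.example/\n"
if __name__ == "__main__":
    for label, rc in (("weak", WEAK_NPMRC), ("hardened", HARDENED_NPMRC)):
        print(label, audit(PACKAGE_JSON, rc, INTERNAL))
```

The unscoped name stays flagged even in the hardened configuration, which is why renaming internal packages under an organization scope is part of the fix; the check also covers only the client side, so the private feed itself must not fall back to the public registry for those names.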