In "Dependency Confusion," security researcher @alxbrsn describes how he made a fortune in bug bounties by exploiting a new supply-chain attack he calls "dependency confusion," which allowed him to compromise "Apple, Microsoft and dozens of others."

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

1/
Dependency Confusion is incredibly, delightfully clever. It is grounded in the fact that software developers rely on "dependencies" (prebuilt, modular code libraries) when they build new versions of their software.

2/
The JavaScript files used to build new versions are often public, and by looking inside them, you can find out the names of the libraries used to build popular applications, from Uber to Yelp to Netflix.

3/
Now, these libraries are a mix of widely used public libraries and private, in-house ones, and when the software is being built, the system checks both the canonical public archives of code libraries and private company servers.

4/
Birsan's insight was that if he created new, malicious libraries with the same names as the private ones, and put them on the public servers, then the build system might preferentially snag and incorporate his malicious code instead of the private ones.

5/
Some build systems have a weak security measure: if a library is found in more than one repository, the system defaults to the one with the higher version-number, so Birsan gave his libraries version numbers like "9000.0.0."
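A toy resolver that makes tweets 3/ through 5/ concrete, added here as an illustration; it is not code from the thread or from Birsan's write-up, and it models no real package manager. The two index contents, the package name "acme-internal-auth" and the internal-name allow-list are all constructed. It contrasts the "highest version wins across every index" policy the thread describes with a policy that pins internal names to the private index, and includes the audit a defender would run to spot internal names that already exist publicly.

```python
"""Toy model of a build system that consults a public index and a private one.

Constructed example (not from the thread or any real package manager): it shows
why "highest version wins across all indices" lets a same-named public package
with a huge version number shadow an in-house library, and how pinning internal
names to the private index closes that gap.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # parsed from "1.2.3" -> (1, 2, 3)
    index: str      # "public" or "private"


def parse_version(s):
    """Dotted numeric versions only; enough for the comparison this model needs."""
    return tuple(int(p) for p in s.split("."))


# Constructed sample indices. "acme-internal-auth" is a hypothetical in-house library.
PRIVATE_INDEX = {
    "acme-internal-auth": ["1.4.0", "1.5.2"],
}
PUBLIC_INDEX = {
    "requests": ["2.25.0", "2.25.1"],
    # Same name as the in-house library, published by a third party with an
    # absurdly high version number (the pattern tweet 5/ describes).
    "acme-internal-auth": ["9000.0.0"],
}

# Allow-list of names the organisation knows are internal (constructed).
INTERNAL_NAMES = {"acme-internal-auth"}


def candidates(name, indices):
    """Collect every (version, index) pair offered for `name` across `indices`."""
    out = []
    for index_name, index in indices.items():
        for v in index.get(name, []):
            out.append(Candidate(name, parse_version(v), index_name))
    return out


def resolve_naive(name):
    """Weak policy: union of all indices, highest version wins regardless of source."""
    cands = candidates(name, {"public": PUBLIC_INDEX, "private": PRIVATE_INDEX})
    if not cands:
        raise LookupError(name)
    return max(cands, key=lambda c: c.version)


def resolve_pinned(name):
    """Hardened policy: allow-listed internal names are served only from the
    private index; everything else only from the public index. An internal name
    the private index cannot satisfy is an error, never a fallback to public."""
    if name in INTERNAL_NAMES:
        cands = candidates(name, {"private": PRIVATE_INDEX})
    else:
        cands = candidates(name, {"public": PUBLIC_INDEX})
    if not cands:
        raise LookupError(name)
    return max(cands, key=lambda c: c.version)


def find_shadowed_names(internal_names, public_index):
    """Defender's audit: internal names that already exist on the public index.
    Any hit means a build using the naive policy would pull the public package."""
    return sorted(n for n in internal_names if n in public_index)


if __name__ == "__main__":
    print("naive  :", resolve_naive("acme-internal-auth"))
    print("pinned :", resolve_pinned("acme-internal-auth"))
    print("shadowed internal names:", find_shadowed_names(INTERNAL_NAMES, PUBLIC_INDEX))
```

The audit in `find_shadowed_names` is the cheap check to run first: it needs only the list of internal package names and a lookup against the public registry, and a non-empty result means the naive policy is already exploitable for that name. The pinned resolver is the structural fix; it refuses to fall back to the public index for an allow-listed name even when the private index has no match, because that fallback is exactly the path the attack relies on.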

6/
Birsan was able to attack Python, Ruby and Microsoft .NET-based apps. His reports resulted in fixes to many of the apps involved, but some of the infrastructure tools, like JFrog Artifactory, still default to an insecure mode, and class his bug report as a "feature request."

7/
And Birsan thinks there's plenty more bug bounties out there waiting to be claimed for attacks like this: "finding new and clever ways to leak internal package names will expose even more vulnerable systems.

8/
"Looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs."

eof/
ETA - if you'd like to read or share this thread as a blog post, here's a permalink on my http://pluralistic.net blog, which is free from surveillance, ads and trackers:

https://pluralistic.net/2021/02/11/rhodium-at-2900-per-oz/#extra-index-url
You can follow @doctorow.