Many large companies such as Microsoft, Shopify and Uber rely in their day-to-day work on packages that are available for download from various open-source repositories. A security researcher has used this as a way in to successfully penetrate the networks of more than a dozen large companies.
He has collected his findings in a blog post. According to him, the companies knew about his research, and he entered their networks, for example, under bug-bounty programs. He calls his approach "Dependency Confusion".
Old method revisited
The idea is not completely new, but it has a new twist. In the past, criminals have repeatedly uploaded malware to public repositories such as those for Node, Python or RubyGems in the hope that admins in companies would download and execute the malicious packages.
To increase the chances of success, they gave the packages the names of well-known packages with obvious letter transpositions (typosquatting). If an admin mistypes a package name on the command line during installation, the package uploaded by the attacker lands on the computer.
The security researcher has extended this type of attack. During his research, he came across public PayPal code on GitHub. In it he found the names of dependencies that PayPal uses. Some of these are hosted internally.
Does this work?
He then asked himself what would happen if he copied these names and published packages containing his own code under them in public repositories. He also tried this against further companies and, according to him, the success rate was "just amazing".
He explained why this works using Python dependencies as an example: if the command pip install <library> is used with the argument --extra-index-url, pip checks whether the library to be installed is available locally or via the Internet. If it appears in both places, the one with the higher version number is installed. Consequently, the security researcher gave his prepared libraries a very high version number.
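The resolution rule described above, as an added illustration that is not code from the article or from the researcher: a small Python simulation of how pip pools candidates from an internal index and the public index under --extra-index-url, the internal-only alternative with --index-url, and an audit that lists the internal names a public upload would override. All package names, versions and index contents are constructed for the example.

```python
# Added example (not from the article or the researcher's code): simulates
# pip's candidate selection across an internal and a public index when
# --extra-index-url is used, and flags the internal names that are exposed.
# All package names and versions below are constructed.

def parse_version(v):
    # Simplified numeric ordering; real pip orders versions per PEP 440.
    return tuple(int(part) for part in v.split("."))

# Constructed index contents: package name -> versions offered.
INTERNAL_INDEX = {
    "acme-auth-client": ["1.4.2"],
    "acme-logging": ["0.9.0", "0.9.1"],
}
PUBLIC_INDEX = {
    # A public upload with an inflated version number, as the article describes.
    "acme-auth-client": ["99.0.0"],
}

def resolve_with_extra_index(name, internal=INTERNAL_INDEX, public=PUBLIC_INDEX):
    """Mimic 'pip install NAME --extra-index-url <internal>': candidates from
    both indexes are pooled and the highest version wins, whichever index
    supplied it. Returns (version, source)."""
    candidates = [(parse_version(v), "internal", v) for v in internal.get(name, [])]
    candidates += [(parse_version(v), "public", v) for v in public.get(name, [])]
    if not candidates:
        raise LookupError(f"{name}: not found on any index")
    _, source, version = max(candidates, key=lambda c: c[0])  # ties keep internal
    return version, source

def resolve_internal_only(name, internal=INTERNAL_INDEX):
    """Mitigation: point --index-url at the internal index (or a proxy that
    owns the private namespace) so public uploads are never candidates."""
    versions = internal.get(name, [])
    if not versions:
        raise LookupError(f"{name}: not on internal index")
    return max(versions, key=parse_version), "internal"

def find_confusable(internal=INTERNAL_INDEX, public=PUBLIC_INDEX):
    """Audit: internal names for which the pooled resolution picks the public index."""
    return [name for name in internal
            if resolve_with_extra_index(name, internal, public)[1] == "public"]

if __name__ == "__main__":
    for name in INTERNAL_INDEX:
        print(name, "->", resolve_with_extra_index(name))
    print("exposed:", find_confusable())
```

Running the audit against the real internal index and a listing of the same names on the public index reveals which private packages need to be claimed or served only through an index that owns the private namespace.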
The security researcher indicates that many companies have meanwhile adapted their handling of packages from repositories so that this method no longer works. For this he has earned a total of 130,000 US dollars in rewards through bug-bounty programs.