Companies Targeted in New ‘Dependency Confusion’ Attack

Alex Birsan, a security researcher, has disclosed that systems belonging to Apple, Microsoft, PayPal, and other major tech companies are vulnerable to a new attack technique he calls “dependency confusion”.

Birsan discovered the vulnerability while working with another researcher, Justin Gardner, last year.

The researchers found a manifest file, package.json, from an npm package used internally by PayPal; some of the dependencies listed in that manifest did not exist on the public npm repository.

Birsan deduced that a public package with the same name as one of those private packages would be given priority by the installation tools over the privately created one.

Birsan then created counterfeit packages with the same names but added a disclaimer before uploading them to open source repositories including PyPI, npm, and RubyGems.

The packages were eventually pulled into the companies’ builds downstream, where their data-collection script ran and spread across the network, sending the collected data back to him stealthily over DNS.

By creating fake packages and placing them in public repositories, Birsan successfully breached Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber.

“Knowing that most of the possible targets would be deep inside well-protected corporate networks, I considered that DNS exfiltration was the way to go,” explained Birsan.

Overall, Birsan earned over $130,000 in rewards through bug bounty programs and pen testing contracts.

“While we are treating this as a severe security issue, it ultimately has to be fixed by reconfiguring installation tools and workflows and not by correcting anything in the package repositories themselves,” said Microsoft, one of the companies found to be vulnerable.
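The root cause described above is a resolution rule: when a private package name is not bound to a private registry, the installer is free to pick a public package of the same name. Microsoft’s remediation advice is therefore about installer configuration. The following audit script is an added example, not code from the article, from Birsan, or from any of the companies named; it checks a package.json against the project’s .npmrc and an inventory of known internal package names, and flags every internal dependency whose scope is not explicitly routed to a private registry. The `@scope:registry=` syntax is real npm configuration; the package names, the registry host `npm.corp.example` and the `INTERNAL_NAMES` inventory are all constructed for this example.

```python
import json
import re

# Constructed sample manifest; every package name here is hypothetical
# except the two well-known public ones (lodash, jest).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "internal-app",
    "dependencies": {
        "lodash": "^4.17.21",           # public package
        "pp-internal-utils": "1.2.0",   # hypothetical internal, unscoped
        "@corp/auth-client": "2.0.1",   # hypothetical internal, scope mapped below
        "@legacy/widget": "1.0.0",      # hypothetical internal, scope NOT mapped
    },
    "devDependencies": {
        "jest": "^27.0.0",              # public package
        "corp-build-tools": "0.3.0",    # hypothetical internal, unscoped
    },
})

# Constructed .npmrc: only the @corp scope is routed to the private registry.
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
@corp:registry=https://npm.corp.example/
//npm.corp.example/:_authToken=${NPM_TOKEN}
"""

# Hypothetical inventory of names that are published on the internal registry.
INTERNAL_NAMES = {
    "pp-internal-utils", "@corp/auth-client", "@legacy/widget", "corp-build-tools",
}


def parse_npmrc_scopes(npmrc_text):
    """Return {scope: registry_url} for every '@scope:registry=' line in an .npmrc."""
    scopes = {}
    for line in npmrc_text.splitlines():
        m = re.match(r"^\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def scope_of(name):
    """'@corp/auth-client' -> '@corp'; unscoped names return None."""
    return name.split("/", 1)[0] if name.startswith("@") else None


def audit_manifest(package_json_text, npmrc_text, internal_names):
    """Classify each dependency as pinned to a private registry, at risk, or public.

    at_risk: the name is known to be internal, but nothing in .npmrc binds it to
    the private registry, so a same-named public package could win resolution.
    """
    manifest = json.loads(package_json_text)
    scopes = parse_npmrc_scopes(npmrc_text)
    result = {"pinned_private": [], "at_risk": [], "public": []}
    for field in ("dependencies", "devDependencies"):
        for name in manifest.get(field, {}):
            if scope_of(name) in scopes:
                result["pinned_private"].append(name)
            elif name in internal_names:
                result["at_risk"].append(name)
            else:
                result["public"].append(name)
    return result


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, INTERNAL_NAMES)
    for category, names in report.items():
        print(f"{category}: {names}")
```

Run as a pre-merge check, the script reports the three hypothetical internal names that are not bound to the private registry (`pp-internal-utils`, `@legacy/widget`, `corp-build-tools`) as at risk, while `@corp/auth-client` is accepted because its scope is mapped. The usual fix for the flagged entries is to publish them under a scope and add the matching `@scope:registry=` line, or to claim the unscoped names on the public registry so nobody else can; the check deliberately does not query the public registry, so it works offline and does not depend on what happens to be published there today.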

© Fourth Estate® — All Rights Reserved.