Dive Brief:
- A security researcher was able to breach 35 companies — including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla and Uber — using a vulnerability dubbed "dependency confusion," according to researcher Alex Birsan in a writeup on Medium. Before undertaking the research, Birsan was given express permission by the companies to test their security, and was paid bug bounties for his findings.
- Birsan took advantage of the "blind trust" that package managers place in public registries, including Node's npm and the npm registry, Python's pip and the Python Package Index (PyPI), and Ruby's RubyGems. "None of the package hosting services can ever guarantee that all the code its users upload is malware-free," he wrote.
- For companies that consume packages through a private feed, Microsoft recommends "configuring the client to reference a single private feed" rather than mixing public and private feeds, which can mean manually mirroring the public packages a project needs into the private feed, the company said in research published Tuesday on dependency confusion.
Dive Insight:
The vulnerability mostly affected large enterprises, which rely heavily on open source software to control costs. Though widely used, public package repositories come with an inherent risk.
"Software development firms should ideally be tuned into every change happening within externally sourced software, but in reality this is next to impossible for software projects of even moderate complexity. The problem is that dependency chains can quickly spiral out of control," said Craig Young, principal security researcher at Tripwire, in an email to Cybersecurity Dive.
Engineers aren't expected to comb through the thousands of lines of code in each dependency; doing so would defeat the efficiency gains of using open source.
Birsan's attack is a dependency-chain (software supply-chain) attack, a category that also includes typosquatting and uploading malware under abandoned or expired dependency names. Unlike those techniques, Birsan's method does not require human error or social engineering to succeed.
Over the summer, Birsan and Justin Gardner, a bug bounty hunter, found a PayPal package.json file that mixed public dependencies with private ones not found on the public npm registry. The discovery prompted the researchers to test whether publishing packages under those private names to the public registry would cause PayPal's internal builds to pull the public versions instead.
"Knowing that most of the possible targets would be deep inside well-protected corporate networks, I considered that DNS exfiltration was the way to go," Birsan said. He used this to test whether the traffic flow would be detected or blocked.
Birsan then looked beyond PayPal for similar clues in other companies' public code and repositories. "Arguably the most important part of this test was finding as many relevant dependency names as possible," he wrote.
Birsan found "the best place" to look for private package names was inside publicly served JavaScript files. Internal package.json files list a JavaScript project's dependency names, and those names are embedded "into public script files during their build process, exposing internal package names." Apple and Tesla were among the companies exposed this way.
After collecting private package names from his target companies, Birsan confirmed that a public package published under the same name as a private one would be prioritized by the installer, typically because the public copy carries a higher version number, and that the public package could carry unchecked malicious code.
To prevent an outsider from claiming a private name, Microsoft encourages companies to reserve controlled scopes, namespaces or prefixes for their package names. To prevent forced upgrades or downgrades, the company advises pinning precise package versions and using the package manager's integrity verification (such as lockfile hashes) so that a substituted package fails to install.
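The exposure Birsan describes, and the two mitigations Microsoft lists, can be checked mechanically from an npm project's manifests. The script below is an added example, not code from the article, from Microsoft or from Birsan's writeup: it reads a package.json and package-lock.json and flags internal dependencies that are unscoped (squattable on the public registry), unlocked, resolved from somewhere other than the private feed, or missing an integrity hash. Both manifests, the internal package names (`corp-*`, `@corp/*`) and the private feed host `registry.corp.example` are constructed for this example.

```javascript
// Added example (not from the article, Microsoft or Birsan): audit an npm
// project's package.json and package-lock.json for dependency-confusion
// exposure. Manifests, internal names and the private feed host are all
// constructed for this example.

// Names the organization publishes only to its private feed (assumed list).
const INTERNAL_NAMES = new Set([
  "corp-auth-utils", "@corp/logging", "corp-metrics", "corp-feature-flags",
]);
const PRIVATE_REGISTRY_HOST = "registry.corp.example";

// Constructed package.json mixing public and private dependency names.
const packageJson = {
  name: "corp-web-app",
  dependencies: {
    "express": "^4.18.2",
    "corp-auth-utils": "^2.1.0",
    "@corp/logging": "^1.4.0",
    "corp-metrics": "^0.3.0",
    "corp-feature-flags": "^1.0.0",
  },
};

// Constructed lockfile (v3 layout: "packages" keyed by node_modules path).
// Integrity values are truncated placeholders.
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/express": {
      version: "4.18.2",
      resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
      integrity: "sha512-...",
    },
    // Internal name resolved from the public registry at a version inside
    // the ^2.1.0 range: this is what a successful confusion looks like.
    "node_modules/corp-auth-utils": {
      version: "2.99.0",
      resolved: "https://registry.npmjs.org/corp-auth-utils/-/corp-auth-utils-2.99.0.tgz",
      integrity: "sha512-...",
    },
    "node_modules/@corp/logging": {
      version: "1.4.0",
      resolved: "https://registry.corp.example/@corp%2flogging/-/logging-1.4.0.tgz",
      integrity: "sha512-...",
    },
    "node_modules/corp-metrics": {
      version: "0.3.0",
      resolved: "https://registry.corp.example/corp-metrics/-/corp-metrics-0.3.0.tgz",
      // no integrity field
    },
    // corp-feature-flags has no lock entry at all.
  },
};

// Returns findings of the form { name, issue } for every risky dependency.
function auditDependencies(pkg, lock, internalNames, privateRegistryHost) {
  const findings = [];
  const locked = lock.packages || {};
  for (const name of Object.keys(pkg.dependencies || {})) {
    const internal = internalNames.has(name);
    const entry = locked[`node_modules/${name}`];
    // An unscoped internal name can be claimed by anyone on the public
    // registry; a reserved scope (@corp/...) is the structural fix.
    if (internal && !name.startsWith("@")) {
      findings.push({ name, issue: "unscoped-internal-name" });
    }
    // No lock entry: the installer resolves the name afresh each time, so a
    // newer public version can win on any install.
    if (!entry) {
      findings.push({ name, issue: "not-locked" });
      continue;
    }
    // An internal package locked to a tarball outside the private feed has
    // already been resolved from the wrong place.
    if (internal) {
      const host = entry.resolved ? new URL(entry.resolved).host : null;
      if (host !== privateRegistryHost) {
        findings.push({ name, issue: "resolved-outside-private-feed" });
      }
    }
    // Without an integrity hash the installer cannot detect a swapped tarball.
    if (!entry.integrity) {
      findings.push({ name, issue: "missing-integrity" });
    }
  }
  return findings;
}

// Sorted issue labels for one dependency name, for reporting and checks.
function issuesFor(findings, name) {
  return findings.filter((f) => f.name === name).map((f) => f.issue).sort();
}

const findings = auditDependencies(packageJson, packageLock, INTERNAL_NAMES, PRIVATE_REGISTRY_HOST);
for (const f of findings) console.log(`${f.name}: ${f.issue}`);
```

Run with `node audit.js` against the constructed manifests; `express` and `@corp/logging` produce no findings, while the three unscoped internal names each produce two. The structural fix for the unscoped names is the one Microsoft describes: publish under a reserved scope and bind that scope to the private feed in `.npmrc` (`@corp:registry=https://registry.corp.example/`). For pip the equivalent caveat is that `--extra-index-url` does not establish precedence; pip picks the highest version across all indexes, so a single `--index-url` pointing at a private feed that proxies PyPI is the safer configuration.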
"Squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there," said Birsan. By doing so, bad actors could leave backdoors for future attacks.
Apple disputed that Birsan's finding could have led to a backdoor in Apple ID, but said remote code execution on the company's servers was plausible.