
MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,093
13,710


A security researcher was able to breach the internal systems of over 35 major companies, including Apple, Microsoft, and PayPal, using a software supply chain attack (via Bleeping Computer).



Security researcher Alex Birsan was able to exploit a unique design flaw in some open-source ecosystems called "dependency confusion" to attack the systems of companies such as Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber.

The attack involved uploading malware to open source repositories including PyPI, npm, and RubyGems, which were then automatically distributed downstream into the various companies' internal applications. Victims automatically received the malicious packages, with no social engineering or trojans required.

Birsan was able to create counterfeit projects using the same names on open-source repositories, each containing a disclaimer message, and found that applications would automatically pull public dependency packages, without needing any action from the developer. In some cases, such as with PyPI packages, any package with a higher version would be prioritized regardless of where it was located. This enabled Birsan to successfully attack the software supply chain of multiple companies.

Upon verifying that his component had successfully infiltrated the corporate network, Birsan reported his findings to the company in question, and some rewarded him with a bug bounty. Microsoft awarded him its highest bug bounty amount of $40,000 and released a white paper on this security issue, while Apple told BleepingComputer that Birsan will receive a reward via the Apple Security Bounty program for responsibly disclosing the issue. Birsan has now earned over $130,000 through bug bounty programs and pre-approved penetration testing arrangements.

A full explanation of the methodology behind the attack is available at Alex Birsan's Medium page.

Article Link: Researcher Breaches Systems of Over 35 Companies, Including Apple, Microsoft, and PayPal
 

Kabeyun

macrumors 68040
Mar 27, 2004
3,018
5,678
Eastern USA
This reminds me of the Russians hacking SolarWinds. Don’t get to the companies, get to the software the companies use and trust. Of course the irony is that these companies are some of the same ones that have been spending years trying to teach us not to automatically trust downloaded software.
 

singularity0993

macrumors newbie
Oct 15, 2020
10
23
People put too much trust in the open-source community and software, and this is the price they pay.

Open-source software, unless independently audited, has no guarantees of being secure (or even functional). Remember the disclaimer “this software is provided ‘AS IS’...”

They might even contain malicious code, since very few people will actually read the code before executing it.
 

BootsWalking

macrumors 65816
Feb 1, 2014
1,375
8,080
People put too much trust in the open-source community and software, and this is the price they pay.

Open-source software, unless independently audited, has no guarantees of being secure (or even functional). Remember the disclaimer “this software is provided ‘AS IS’...”

They might even contain malicious code, since very few people will actually read the code before executing it.
The issue isn't open source - it's in the distribution model of software dependencies. This vulnerability has been known for quite some time.
 

rpmurray

macrumors 6502
Feb 21, 2017
349
776
Back End of Beyond
So Apple doesn't need to add backdoors for the feds since that already comes pre-packaged in the open-source software they use but don't monitor for malware. I'm wondering if the NSA is ticked that this avenue has been exposed or ticked that they didn't think of it themselves.
 

Stephen.R

macrumors 68040
Nov 2, 2018
3,282
3,544
Thailand
People put too much trust in the open-source community and software, and this is the price they pay.

The irony of your statement is superb.

If the packages he spoofed had been open source, he wouldn’t have been able to pull it off. It worked specifically because the companies were referencing internal/private packages (thus not open source) and he was able to make fake packages with the same name in open-source package repositories.

This type of shenanigans is just another reason why you should always vendor your dependencies kids.
 
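The article's point that "any package with a higher version would be prioritized regardless of where it was located", and Stephen.R's point that the trick only works for names that exist privately and not publicly, both come down to how an installer chooses between two same-named packages. The following is an added example, not code from the article or from Alex Birsan's write-up: a toy model of two resolution policies, "merged" (every configured index is searched and the highest version wins, which is what pip's `--extra-index-url` option does) and "pinned" (each name is served by exactly one index and internal names never fall through to the public one). It also lists which internal names are exposed to this under merged resolution. All package names, versions and index names are constructed.

```python
"""Added example (not from the MacRumors article or Alex Birsan's write-up).
Models how an installer picks between a private and a public package that
share a name, under two different policies. Package names, versions and
index names are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str  # which index served this candidate


def version_key(version: str) -> tuple:
    """Numeric compare so that 1.10.0 sorts above 1.9.0 (a string compare would not)."""
    return tuple(int(part) for part in version.split("."))


# Constructed sample indexes. "internal-utils" and "billing-client" are names
# that exist only on the private index in reality; the public entry at 99.0.0
# stands in for a same-named package registered by someone else.
INDEXES = {
    "private": {
        "internal-utils": ["1.0.0", "1.2.0"],
        "billing-client": ["0.3.1"],
    },
    "public": {
        "internal-utils": ["99.0.0"],
        "numpy": ["1.19.0", "1.20.1"],
    },
}

# Names that must only ever be served by the private index.
INTERNAL_NAMES = {"internal-utils", "billing-client"}


def resolve_merged(name: str, indexes: dict) -> Candidate:
    """Union every index's candidates and take the highest version,
    regardless of which index it came from (the risky policy)."""
    candidates = [
        Candidate(name, version, index_name)
        for index_name, packages in indexes.items()
        for version in packages.get(name, [])
    ]
    if not candidates:
        raise LookupError(f"{name}: not found on any index")
    return max(candidates, key=lambda c: version_key(c.version))


def resolve_pinned(name: str, indexes: dict, internal_names: set) -> Candidate:
    """Search exactly one index per name: internal names come from 'private'
    and never fall through to 'public'; everything else comes from 'public'."""
    index_name = "private" if name in internal_names else "public"
    versions = indexes[index_name].get(name, [])
    if not versions:
        raise LookupError(f"{name}: not found on index '{index_name}'")
    return Candidate(name, max(versions, key=version_key), index_name)


def name_collisions(indexes: dict, internal_names: set) -> set:
    """Internal names that also exist on the public index. Under merged
    resolution each of these is a name the public index can win."""
    return {n for n in internal_names if n in indexes["public"]}


if __name__ == "__main__":
    for pkg in ("internal-utils", "billing-client", "numpy"):
        merged = resolve_merged(pkg, INDEXES)
        pinned = resolve_pinned(pkg, INDEXES, INTERNAL_NAMES)
        print(f"{pkg:16} merged -> {merged.version:8} from {merged.index:8} "
              f"pinned -> {pinned.version:8} from {pinned.index}")
    print("internal names also present publicly:", name_collisions(INDEXES, INTERNAL_NAMES))
```

Under the merged policy `internal-utils` resolves to 99.0.0 from the public index; under the pinned policy it resolves to 1.2.0 from the private index, and a name missing from its one allowed index is an error rather than a reason to try the other. `name_collisions` is the check worth running regularly against a real private index: any internal name that also appears publicly needs attention regardless of which policy the installer is configured with.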

apparatchik

macrumors 6502
Mar 6, 2008
349
1,004
$40k? Pay him more. At least 10x that. Someone else with bad intentions will surely pay him millions in BTC for his services.

Yeah, but then he would be enabling criminal activities and might be liable. I agree, though, that the value of his disclosures seems way higher than the bounties he's claiming.
 

nikaru

macrumors 6502a
Apr 23, 2009
749
755
$40k? Pay him more. At least 10x that. Someone else with bad intentions will surely pay him millions in BTC for his services.
Don't worry about him. I'm sure top hackers have generous recruitment offers raining over them from small and big tech companies, security firms and similar enterprises, and can live a very decent life without the need to look over their shoulder for FBI agents every single day. The good guys know that serving 25 years in federal prison isn't worth even hundreds of BTC. Recently I saw an interview on TV with one of these hackers. He was working from home in shorts for 3-4 hours a day and he was earning close to half a million a year as a security researcher. Plenty of money to have a big house, a nice car and the freedom to do whatever you want in your life without jeopardizing everything to end up living in constant fear. Believe me, the bad guys don't do what they do for the money, they do it for the thrill. Big bounties can't fix that.
 

aesc80

macrumors 6502a
Mar 24, 2015
918
1,913
This is a phenomenal article. I still liked the "trusting too much in open-source dependencies" point, as it's still a prevalent problem, but the sheer laziness of some companies in separating public from private in their code registry is scary. It has all the feels of running a blacklist (who do I ban?) vs. a whitelist (who do I allow?) [or whatever the new terminology is]. Whitelisting is a massive pain, but it simply works, so long as they're not wildcarding.

Just the thought that even this passed through Apple is a stern reminder: you might get privacy, but it's gone when all the security is peeled away.
 
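aesc80's whitelist point can be turned into a concrete check on what a build actually installed. The following is an added example, not code from the article or from any poster: it audits a package-lock.json-style lockfile against an allowlist of registry hosts, requires that every package under the organisation's private scope was resolved from the private registry, and flags entries with no integrity hash (a wildcarded or merged registry setup shows up here as an internal-scoped name served by the public host). The lockfile fragment, hostnames, scope and integrity values are constructed placeholders.

```python
"""Added example (not from the article or any poster). Audits a
package-lock v2 style lockfile: every resolved artifact must come from an
allowlisted registry host, private-scope packages must come from the private
registry only, and every dependency must carry an integrity hash. The
lockfile content, hosts, scope and hashes below are constructed."""
import json
from urllib.parse import urlparse

# Allowlist of registry hosts and their role (constructed hostnames).
ALLOWED_HOSTS = {
    "registry.npmjs.org": "public",
    "npm.internal.example": "private",
}
PRIVATE_SCOPE = "@acme/"  # constructed organisation scope

# Constructed lockfile fragment in package-lock v2 layout.
# The integrity values are placeholders, not real hashes.
SAMPLE_LOCK = json.dumps({
    "name": "billing-service",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "billing-service", "version": "1.0.0"},
        "node_modules/@acme/billing-core": {
            "version": "2.1.0",
            "resolved": "https://npm.internal.example/@acme%2fbilling-core/-/billing-core-2.1.0.tgz",
            "integrity": "sha512-PLACEHOLDER-1",
        },
        "node_modules/@acme/auth-client": {
            "version": "9.9.9",
            "resolved": "https://registry.npmjs.org/@acme/auth-client/-/auth-client-9.9.9.tgz",
            "integrity": "sha512-PLACEHOLDER-2",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://mirror.example.net/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-PLACEHOLDER-3",
        },
    },
})


def audit_lockfile(lock_text: str, allowed_hosts: dict, private_scope: str) -> list:
    """Return (package, finding, host) tuples; an empty list means the lockfile passes."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[1]
        resolved = entry.get("resolved")
        host = urlparse(resolved).hostname if resolved else None
        role = allowed_hosts.get(host)
        if role is None:
            findings.append((name, "unapproved-registry", host))
        elif name.startswith(private_scope) and role != "private":
            # An internal-scoped name served by the public registry is the
            # pattern the article describes.
            findings.append((name, "private-scope-from-public-registry", host))
        if not entry.get("integrity"):
            findings.append((name, "missing-integrity", host))
    return findings


if __name__ == "__main__":
    for package, finding, host in audit_lockfile(SAMPLE_LOCK, ALLOWED_HOSTS, PRIVATE_SCOPE):
        print(f"{finding:36} {package} ({host})")
```

On the constructed lockfile, `@acme/billing-core` passes, `@acme/auth-client` is flagged because a private-scope name came from the public registry, `left-pad` is flagged for having no integrity hash, and `lodash` is flagged because its mirror host is not on the allowlist. Running a check like this in CI on the committed lockfile catches a registry misconfiguration at review time rather than after install.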

lkrupp

macrumors 65816
Jul 24, 2004
1,146
1,900
It’s a hot war arms race and the bad guys are winning apparently. Over 35 companies compromised (ethically reported though). Can there be any doubt that this exploit was already known by the black hats? Is this how Huawei always manages to rip off Apple’s designs and IP?
 

Robert.Walter

macrumors 68000
Jul 10, 2012
1,676
1,854
Don't worry about him. I'm sure top hackers have generous recruitment offers raining over them from small and big tech companies, security firms and similar enterprises, and can live a very decent life without the need to look over their shoulder for FBI agents every single day. The good guys know that serving 25 years in federal prison isn't worth even hundreds of BTC. Recently I saw an interview on TV with one of these hackers. He was working from home in shorts for 3-4 hours a day and he was earning close to half a million a year as a security researcher. Plenty of money to have a big house, a nice car and the freedom to do whatever you want in your life without jeopardizing everything to end up living in constant fear. Believe me, the bad guys don't do what they do for the money, they do it for the thrill. Big bounties can't fix that.
Nothing like leveraging the threat of a long prison stretch to keep downward pressure on bug bounties.
 

Unregistered 4U

macrumors 68020
Jul 22, 2002
2,482
1,569
The attack involved uploading malware to open source repositories including PyPI, npm, and RubyGems, which were then automatically distributed downstream into the various companies' internal applications. Victims automatically received the malicious packages, with no social engineering or trojans required.
NO TROJANS REQUIRED except for, you know, the trojan put inside the open source repositories. This sounds like the kind of thing that EVERYONE knows about and the majority of Security Researchers are like “of course this is an exploit, duh.”

One Security Researcher however, who’s not getting enough attention/money? (because he’s not somewhere working on truly HARD problems) decides they want to make a name for themselves. No, THIS is not the Security Researcher you hire. You hire the one who figures out how a hardened system can be infiltrated. THIS is the one you just pay a bug bounty to. They’re worth that much, they’re not worth a salary and benefits :)
 