An astonishingly simple method of attacking dependencies in applications that use internal package repositories has been presented. The researchers who identified the problem were able to execute their code on the internal servers of 35 companies, including PayPal, Microsoft, Apple, Netflix, Uber, Tesla and Shopify. The attacks were carried out under the companies' bug bounty programs, in coordination with the targeted companies, and have already earned the authors $130 thousand in vulnerability rewards (payments are continuing).
The method relies on the fact that many companies use dependencies from the standard NPM, PyPI and RubyGems repositories alongside internal dependencies that are not publicly distributed and are fetched from the company's own repositories. The problem is that package managers such as npm, pip and gem also try to download these internal dependencies from the public repositories. To mount the attack, it is enough to determine the names of the internal dependencies and publish packages with the same names in the public NPM, PyPI and RubyGems repositories. The problem is not specific to NPM, PyPI and RubyGems; it also appears in other systems such as NuGet, Maven and Yarn.
The idea for the method came after the researcher accidentally noticed that, in code published openly on GitHub, many companies do not strip from their manifest files the references to additional dependencies that are used in internal projects or when implementing extended functionality. Similar traces were found in the Node.js, Python and Ruby projects of many companies, and the researcher decided to experiment with hacking the infrastructure of these companies within their existing bug bounty programs. All published duplicate packages carried a note about the study.
The results were surprisingly effective: the researcher was able to execute his code on many servers responsible for building or testing in continuous-integration systems. When fetching dependencies, the npm, pip and gem package managers preferred packages from the primary public repositories NPM, PyPI and RubyGems, which were treated as higher priority. The presence of packages with the same names in the company's private repositories was ignored, with no warning and no failure. In PyPI the download priority was governed by the version number (the most recent version of the package was downloaded regardless of the repository); in NPM and RubyGems priority depended only on the repository.
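The two resolution rules described above (pip: newest version wins across indexes; npm and gem: first registry in priority order wins) modelled as an offline audit, so a team can see which of its internal dependency names a build would actually fetch from the public repository. This is an added example, not code from the article or the researcher; the package names, versions and registry snapshots are constructed for illustration.

```python
# Added example (not from the article): models the resolution rules described
# above on constructed registry snapshots so exposure can be checked offline.
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # release segments, e.g. (1, 4, 0); compares like a PEP 440 release
    source: str      # "public" or "private" index


def resolve_pip(cands):
    """pip with a public and a private index: newest version wins, index is irrelevant."""
    return max(cands, key=lambda c: c.version) if cands else None


def resolve_registry_order(cands, order=("public", "private")):
    """npm/gem behaviour from the article: the first registry in the priority
    order that offers the name wins, whatever the private registry holds."""
    for src in order:
        hits = [c for c in cands if c.source == src]
        if hits:
            return max(hits, key=lambda c: c.version)
    return None


def audit(internal_names, public_idx, private_idx):
    """Return {name: (pip_source, registry_order_source)} for each internal
    dependency; a "public" entry means the build would fetch the public copy."""
    report = {}
    for name in internal_names:
        cands = [Candidate(name, v, "public") for v in public_idx.get(name, [])]
        cands += [Candidate(name, v, "private") for v in private_idx.get(name, [])]
        pip, reg = resolve_pip(cands), resolve_registry_order(cands)
        report[name] = (pip.source if pip else None, reg.source if reg else None)
    return report


# Constructed snapshots: names and versions are invented for this example.
PRIVATE = {"acme-auth": [(1, 2, 0)], "acme-billing": [(3, 0, 1)]}
PUBLIC = {"acme-auth": [(99, 0, 0)],   # same name on the public index, higher version
          "requests": [(2, 25, 1)]}    # ordinary public dependency, not internal

if __name__ == "__main__":
    for name, (pip_src, reg_src) in audit(PRIVATE.keys(), PUBLIC, PRIVATE).items():
        print(f"{name}: pip -> {pip_src}, npm/gem -> {reg_src}")
```

Running it shows `acme-auth` resolving to the public copy under both rules, while `acme-billing`, which has no public namesake, stays private.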