Pulling off an open source supply chain hack might be simpler than you think.
Security researcher Alex Birsan demonstrated this in a new research article posted on Medium Tuesday that investigated a theory: Can the blind trust given to open source packages be exploited by malicious actors? The answer was apparent after he discovered a way to trick enterprise systems into downloading malicious code by simply copying or “squatting” on the names of legitimate open source packages developed and used internally by various enterprises.
According to the research article, Birsan snuck malicious packages into the legitimate open source registries to see if enterprises accidentally updated the software and replaced the real, private package with the fake. By doing research, copying file names and uploading the code he was essentially able to hack into tech giants like Apple and Microsoft.
He dubbed the vulnerability “dependency confusion.”
The discovery began last summer when Birsan and fellow security researcher Justin Gardner were attempting to hack PayPal for a bug bounty; Gardner discovered interesting Node.js source code found on GitHub.
“The code was meant for internal PayPal use, and, in its package.json file, appeared to contain a mix of public and private dependencies — public packages from npm, as well as non-public package names, most likely hosted internally by PayPal. These names did not exist on the public npm registry at the time,” Birsan wrote.
From there, he tested the ability to upload his own “malicious” version of the private Node package to the NPM registry to see whether PayPal would mistakenly upload his version — even though the original Node package was developed internally. Birsan found the technique worked and he could run arbitrary code and exfiltrate data from PayPal servers that had installed his fake NPM package.
Birsan then repeated the technique with other open source software, including Python and Ruby and their respective registries, PyPI (Python Package Index) and RubyGems. The next step was searching for private packages developed internally by the world’s biggest enterprises, including Apple, Microsoft, Tesla, Netflix and Yelp. According to the research article, that search revealed that many other private package names for those companies could be found on GitHub, as well as “inside internal packages which had been accidentally published — and even within posts on various internet forums.”
Impact on enterprises
According to the research article, Birsan detected this type of vulnerability inside more than 35 organizations, including the previously mentioned companies. “The vast majority of the affected companies fall into the 1000+ employees category which most likely reflects the higher prevalence of internal library usage within larger organizations,” Birsan wrote.
“Dependency confusion” impacts enterprises because many times, the system running the open source package does not know which files are internal and which are not. Therefore, it downloads the whole package and when the new version is available, it trusts that all the public and private files are the correct dependencies. Birsan said there are a variety of reasons why the enterprise systems accept the latest packages with blind trust.
“From one-off mistakes made by developers on their machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds,” Birsan wrote.
Supply chain security for both commercial and open source software has become a major concern in the wake of the SolarWinds supply chain attack. In that incident, nation-state actors spent months performing reconnaissance before planting a backdoor within software updates for the SolarWinds Orion platform, which were issued to thousands of SolarWinds customers last year, including Microsoft.
While Birsan conducted this research prior to the SolarWinds hack, it highlights once again the importance of securing the supply chain.