
Researcher breaches Apple, Microsoft, and others with installer attack


A security researcher hacked the internal systems of major companies like Apple, Microsoft, PayPal, and others using a supply chain attack he dubbed "dependency confusion."

The attack took advantage of a flaw inherent in many popular installers used by developers to install packages and dependencies. By uploading malware to open source repositories, researcher Alex Birsan was able to trick these installers into downloading his malicious code, according to a writeup he posted on Medium.

In the case of Apple, Birsan was able to compromise several machines in the company's internal network after they downloaded malicious code in a Node package that he uploaded to npm, a package manager for JavaScript. Specifically, Birsan was able to breach projects related to the Apple ID authentication system.

Apple told the researcher that the vulnerability could have been used to achieve remote code execution on Apple servers. When Birsan asked whether an attacker could have injected backdoors into Apple ID, the company said that "achieving a backdoor in an operational service requires a more complex sequence of events, and is a very specific term that carries additional connotations."

The Cupertino tech giant fixed the vulnerability within two weeks of disclosure. Although he reported the flaw to Apple in August 2020, Birsan said he had only just received his bug bounty payment prior to the Medium write-up in February 2021.

The supply chain attack relies on the trust many developers have in these package installers, which can include npm, Python's pip, and Ruby's RubyGems. Another key factor is the use of internal packages that don't exist in public repositories. By uploading a piece of malware under the names of these internally used packages, Birsan was able to fool some programs into downloading his malicious code instead of the legitimate packages. He used DNS to covertly exfiltrate the data.
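For teams that use internal packages with npm, the check below flags internal dependency names that are not bound to a private registry and could therefore be satisfied by a public package of the same name. It is an added example, not code from Birsan's write-up or from npm; the package names, the `@acme` scopes, the registry URL and the list of internal names are constructed assumptions.

```javascript
// Added example. Package names, scopes and registry URLs are constructed.

// Parse .npmrc text into the default registry and per-scope registry mappings.
function parseNpmrc(text) {
  const cfg = { defaultRegistry: 'https://registry.npmjs.org/', scopes: {} };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'registry') cfg.defaultRegistry = value;
    else if (/^@[^:]+:registry$/.test(key)) cfg.scopes[key.split(':')[0]] = value;
  }
  return cfg;
}

// Report internal dependencies whose name is not bound to the private registry.
function auditManifest(manifest, npmrcText, internalNames, privateRegistry) {
  const cfg = parseNpmrc(npmrcText);
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (!internalNames.has(name)) continue; // public packages are not checked here
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (scope === null) {
      // Unscoped names are looked up in the default registry only.
      if (cfg.defaultRegistry !== privateRegistry) {
        findings.push({ name, issue: 'unscoped', resolvesFrom: cfg.defaultRegistry });
      }
    } else if (cfg.scopes[scope] !== privateRegistry) {
      // A scope with no mapping falls back to the default registry.
      findings.push({ name, issue: 'scope-not-pinned', resolvesFrom: cfg.scopes[scope] || cfg.defaultRegistry });
    }
  }
  return findings;
}

// Constructed sample input.
const PRIVATE_REGISTRY = 'https://npm.internal.example/';
const sampleManifest = {
  dependencies: { express: '^4.18.0', 'acme-auth-utils': '^1.2.0', '@acme/billing': '^3.0.0' },
  devDependencies: { '@acme-int/logger': '^2.1.0' },
};
const sampleNpmrc = '# constructed sample\n@acme-int:registry=https://npm.internal.example/\n';
const internalNames = new Set(['acme-auth-utils', '@acme/billing', '@acme-int/logger']);

console.log(auditManifest(sampleManifest, sampleNpmrc, internalNames, PRIVATE_REGISTRY));
```

An unscoped name that resolves from a private registry which itself proxies the public one is still exposed; this check cannot see upstream proxy settings.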

Birsan only operated within the scope of company bug bounty programs and only collected non-sensitive data from compromised systems, but his research was able to point out flaws in many companies' internal configurations.

In total, the researcher has discovered dependency confusion vulnerabilities inside 35 organizations to date. The vast majority of them are companies with more than 1,000 employees, which he attributes to the "higher prevalence of internal library usage within larger organizations."

Birsan earned more than $130,000 in bug bounties. Payments of $30,000 each came from Shopify, Apple, and PayPal. In the case of Microsoft, Birsan's research netted him the company's highest amount of $40,000. Microsoft also released a white paper on the issue.

The researcher also believes that the problem will continue to grow.

"Specifically, I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs," Birsan wrote.