Researcher breaches Apple, Microsoft, and others with installer attack

A security researcher hacked the internal systems of major companies like Apple, Microsoft, PayPal, and others using a supply chain attack he dubbed "dependency confusion."

The attack took advantage of a weakness inherent in how many popular package managers, the tools developers use to install packages and dependencies, resolve package names. By uploading malicious packages to public open source repositories, researcher Alex Birsan was able to trick these package managers into downloading his code, according to a write-up he posted on Medium.

In the case of Apple, Birsan was able to compromise several machines in the company's internal network after they downloaded malicious code in a Node package that he uploaded to npm, a package manager for JavaScript. Specifically, Birsan was able to breach projects related to the Apple ID authentication system.

Apple told the researcher that the vulnerability could have been used to achieve remote code execution on Apple servers. When Birsan asked whether an attacker could have injected backdoors into Apple ID, the company said that "achieving a backdoor in an operational service requires a more complex sequence of events, and is a very specific term that carries additional connotations."

The Cupertino tech giant fixed the vulnerability within two weeks of disclosure. Although he reported the flaw to Apple in August 2020, Birsan said he had only just received his bug bounty payment shortly before publishing the Medium write-up in February 2021.

The supply chain attack relies on the trust many developers place in these package managers, which include npm, Python's pip, and Ruby's RubyGems. Another key factor is the use of internal packages that don't exist in public repositories. By publishing malicious packages to the public registries under the names of these internally used packages, Birsan was able to fool some build systems into downloading his code instead of the legitimate internal packages: a package manager configured to consult both a private and a public index will often take whichever copy carries the higher version number, and the public copy can be given an arbitrarily high one. Once installed, his packages used DNS queries to covertly exfiltrate basic information about the host.
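The resolution mistake described above, as an added example that is not part of the article or of Birsan's write-up: a small simulated resolver over two constructed registries. The package names (`acme-auth-client`, `acme-telemetry`), the version numbers and the index contents are all hypothetical sample data. `resolve_highest_anywhere` mimics the vulnerable "merge both indexes, take the highest version" behaviour; `resolve_pinned` restricts names known to be internal to the private index; `audit_collisions` is the check a defender would run to find internal names that have already been claimed publicly.

```python
"""Simulated dependency resolution showing how a public package shadows a
private one with the same name, and how pinning private names to the private
index removes the confusion. All registry contents are constructed sample
data; nothing here talks to a real registry."""
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]
Catalog = Dict[str, Dict[str, str]]  # name -> {version string: index label}


def parse_version(v: str) -> Version:
    """'1.4.2' -> (1, 4, 2); plain numeric comparison is enough for this demo."""
    return tuple(int(part) for part in v.split("."))


# Constructed private index: packages that exist only inside the organisation.
PRIVATE_INDEX: Catalog = {
    "acme-auth-client": {"1.4.2": "private", "1.4.1": "private"},
    "acme-telemetry": {"0.9.0": "private"},
}

# Constructed public index. An attacker has claimed the unregistered name
# "acme-auth-client" and published it with an inflated version number.
PUBLIC_INDEX: Catalog = {
    "requests": {"2.25.1": "public", "2.24.0": "public"},
    "acme-auth-client": {"99.0.0": "public"},
}

# Names the organisation knows are internal (hypothetical allow-list; in
# practice derived from a naming prefix or the build configuration).
PRIVATE_NAMES: Set[str] = {"acme-auth-client", "acme-telemetry"}


def resolve_highest_anywhere(name: str, private: Catalog,
                             public: Catalog) -> Optional[Tuple[str, str]]:
    """Vulnerable behaviour: treat both indexes as one candidate pool and pick
    the highest version, as an 'extra index' configuration typically does.
    Returns (version, index_label), or None if the name is unknown."""
    candidates: Dict[str, str] = {}
    for catalog in (private, public):
        candidates.update(catalog.get(name, {}))
    if not candidates:
        return None
    best = max(candidates, key=parse_version)
    return best, candidates[best]


def resolve_pinned(name: str, private: Catalog, public: Catalog,
                   private_names: Set[str]) -> Optional[Tuple[str, str]]:
    """Hardened behaviour: a name known to be internal is looked up only in
    the private index, so a public copy is never a candidate. Unknown names
    are still served from the public index."""
    catalog = private if name in private_names else public
    versions = catalog.get(name, {})
    if not versions:
        return None
    best = max(versions, key=parse_version)
    return best, versions[best]


def audit_collisions(private: Catalog, public: Catalog) -> List[str]:
    """Report private package names that also exist publicly. Each one is a
    dependency-confusion candidate to investigate or claim pre-emptively."""
    return sorted(name for name in private if name in public)


if __name__ == "__main__":
    name = "acme-auth-client"
    print("vulnerable :", resolve_highest_anywhere(name, PRIVATE_INDEX, PUBLIC_INDEX))
    print("pinned     :", resolve_pinned(name, PRIVATE_INDEX, PUBLIC_INDEX, PRIVATE_NAMES))
    print("collisions :", audit_collisions(PRIVATE_INDEX, PUBLIC_INDEX))
```

The fix is deliberately not "prefer the private index": if the private index is momentarily unreachable or the package is missing there, a preference-based resolver silently falls through to the public copy, which is exactly the condition the attacker is waiting for. Pinning by name fails closed instead (the function returns `None` rather than a public candidate).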

Birsan only operated within the scope of company bug bounty programs and only collected non-sensitive data from compromised systems, but his research was able to point out flaws in many companies' internal configurations.

In total, the researcher has discovered dependency confusion vulnerabilities inside 35 organizations to date. The vast majority of them are companies with more than 1,000 employees, which he attributes to the "higher prevalence of internal library usage within larger organizations."

Birsan earned more than $130,000 in bug bounties. Payments of $30,000 each came from Shopify, Apple, and PayPal. In the case of Microsoft, Birsan's research netted him the company's highest amount of $40,000. Microsoft also released a white paper on the issue.

The researcher also believes that the problem will continue to grow.

"Specifically, I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs," Birsan wrote.



7 Comments

larrya 13 Years · 608 comments

Very creative and effective, but the scary thought is that he probably isn’t the first person to think of doing this. 

M68000 7 Years · 887 comments

This kind of thing is another example of why you want to do your own data backup of critical personal files to non-internet-attached storage media that has physical security also, with a duplicate set in another location such as a bank safety deposit box. 

anonconformist 9 Years · 200 comments

And thus begins the era of awareness that we need to use cryptographic hashes on every single part that goes into a released application, along with a careful certification process that’ll still be limited by humans, to reduce chances of this happening.

Fun!

OctoMonkey 4 Years · 343 comments

M68000 said:
This kind of thing is another example of why you want to do your own data backup of critical personal files to non-internet-attached storage media that has physical security also, with a duplicate set in another location such as a bank safety deposit box. 

Great in theory, but an annoying pain in practice... unless your personal files rarely change.

MplsP 8 Years · 4047 comments

Excellent work on Birsan’s part. He deserved the bounty payments he got. I’m glad to see that Apple and other companies are continuing these payments and rewarding people that help make digital systems more secure for everyone.