Security researcher Alex Birsan has found a security issue that allowed him to run code on servers owned by Apple, Microsoft, PayPal and over 30 other companies (via Bleeping Computer). The exploit is also eerily simple, and it’s something many major software developers need to figure out how to protect themselves from.
The exploit relies on a relatively simple trick: swapping private packages for public ones. When companies build programs, they often use open source code written by other people, so they do not spend time and resources solving a problem that has already been solved. For example, I worked on websites that had to convert text files to web pages in real time. Instead of writing code to do it myself, my team found a program that did it and built it into our site.
These publicly available programs can be found on repositories such as npm for Node.js, PyPI for Python and RubyGems for Ruby. It is worth noting that Birsan found these three repositories could be used to carry out the attack, but the attack is not limited to just those three.
In addition to these public packages, companies will often build their own private ones, which they do not upload but instead distribute among their own developers. This is where Birsan found the exploit. He discovered that if he could find the names of the private packages used by companies (a task that in most cases turned out to be very simple), he could upload his own code to one of the public repositories under the same name, and the companies
To explain this with an example, imagine you had a Word document on your computer, but when you went to open it, your computer said, “Hi, there is another Word document on the Internet with the same name. I’ll open that instead.” Now imagine that the Word document could then automatically make changes to your computer. This is not a good situation.
It seems that the companies agreed that the problem was serious. In his Medium post, Birsan wrote that “the majority of bug prizes awarded were set at the maximum amount allowed by each program’s policy, and sometimes even higher.” For the uninitiated, bug bounties are cash rewards that companies pay out to people who find serious bugs. The more serious the bug, the more money they pay.
According to Birsan, most of the companies he contacted were able to quickly patch their systems so that they were no longer vulnerable. Microsoft has even put together a white paper explaining how system administrators can protect their companies from such attacks, but it is honestly surprising that it took so long before anyone found out that these massive companies were vulnerable to this type of attack. Fortunately, this is not the kind of story that ends up with you having to immediately update every device in your house, but it seems like it will be a long week for system administrators who now have to change the way their companies use public code.
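The name collision described above only works when a build is allowed to look for a private package name on the public registry. As an added example that is not from the article or from Microsoft's white paper, the script below audits a constructed npm project: it flags any known-internal dependency that is unscoped, or whose scope is not pinned to a private registry in `.npmrc`. The package names, registry URL and private-name list are all made up for the demonstration.

```python
import json
import re

# Constructed sample inputs: an internal app's package.json and its .npmrc,
# as a defender would find them in a repository (not real project files).
PACKAGE_JSON = """{
  "name": "internal-app",
  "dependencies": {
    "express": "^4.17.1",
    "corp-auth-client": "1.2.0",
    "@corp/billing-utils": "2.0.1",
    "@corp/markdown-render": "0.3.0"
  }
}"""
NPMRC = """registry=https://registry.npmjs.org/
@corp:registry=https://npm.corp.example/
"""
# Names the organisation knows to be internal (constructed list).
PRIVATE_PACKAGES = {"corp-auth-client", "@corp/billing-utils", "@corp/markdown-render"}


def parse_npmrc_scopes(text):
    """Return {scope: registry_url} for lines like '@corp:registry=https://...'."""
    scopes = {}
    for line in text.splitlines():
        m = re.match(r"^(@[^:]+):registry=(\S+)", line.strip())
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def audit(package_json, npmrc, private_names):
    """For each private dependency return 'ok' if its scope is pinned to a
    non-public registry, otherwise the reason a public lookalike would win."""
    deps = json.loads(package_json)["dependencies"]
    scopes = parse_npmrc_scopes(npmrc)
    findings = {}
    for name in deps:
        if name not in private_names:
            continue  # public dependency: out of scope for this check
        if not name.startswith("@"):
            findings[name] = "unscoped: a public package of the same name would be installed"
            continue
        scope = name.split("/")[0]
        registry = scopes.get(scope)
        if registry is None:
            findings[name] = f"scope {scope} has no registry entry in .npmrc"
        elif "registry.npmjs.org" in registry:
            findings[name] = f"scope {scope} points at the public registry"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for name, verdict in audit(PACKAGE_JSON, NPMRC, PRIVATE_PACKAGES).items():
        print(f"{name}: {verdict}")
```

Run against the sample, `corp-auth-client` is reported as unscoped while both `@corp/` packages pass; dropping the `@corp:registry` line from `.npmrc` makes them fail too.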