Security researcher Alex Birsan has found a security vulnerability that allowed him to run code on servers owned by Apple, Microsoft, PayPal, and over 30 other companies (via Bleeping Computer). The exploit is also deviously simple, and it’s something that many large software developers will have to figure out how to protect themselves from.
The exploit takes advantage of a relatively simple trick: replacing private packages with public ones. When companies are building programs, they often use open-source code written by other people, so they’re not spending time and resources solving a problem that’s already solved. For example, I’ve worked on websites that had to convert text files to webpages in real time. Instead of writing code to do it ourselves, my team found a program that did that and built it into our site.
These publicly available programs can be found on repositories like npm for NodeJS, PyPI for Python, and RubyGems for Ruby. It is worth noting that Birsan found those three repositories could be used to carry out this attack, but the problem isn’t limited to just those three.
In addition to these public packages, companies will often build their own private ones, which they don’t upload, but instead distribute among their own developers. This is where Birsan found the exploit. He discovered if he could find the names of the private packages used by companies (a task that turned out to be very easy in most cases), he could upload his own code to one of the public repositories with the same name, and the companies’ automated systems would use his code instead. Not only would they download his package instead of the correct one, but they would also run the code inside it.
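To make the resolution mistake concrete, here is an added illustration (not Birsan’s code, and not any real package manager) of how a build tool that merges its private and public registries picks the wrong package, alongside the scoped lookup that prevents it and a simple audit of a dependency list. The registries, package names and versions are constructed sample data.

```python
# Added illustration of the resolution bug the article describes, not Birsan's
# code or any real package manager. Package names, versions and registries
# below are constructed sample data.

# Constructed indexes: package name -> list of published versions.
PRIVATE_INDEX = {"acme-internal-utils": ["1.2.0", "1.3.0"]}
PUBLIC_INDEX = {"acme-internal-utils": ["99.0.0"],  # constructed squatted name
                "requests": ["2.31.0"]}
REGISTRIES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}


def parse_version(v):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def resolve_naive(name, registries):
    """Mimic a resolver that merges every configured registry and takes the
    highest version it sees anywhere: a public 99.0.0 beats a private 1.3.0."""
    candidates = [(parse_version(v), v, reg)
                  for reg, index in registries.items()
                  for v in index.get(name, [])]
    if not candidates:
        return None
    _, version, reg = max(candidates)
    return version, reg


def resolve_scoped(name, registries, private_names, private_reg="private"):
    """Hardened resolution: names on the private allow-list are looked up only
    in the private registry; everything else never consults it."""
    if name in private_names:
        allowed = {private_reg: registries[private_reg]}
    else:
        allowed = {r: idx for r, idx in registries.items() if r != private_reg}
    return resolve_naive(name, allowed)


def audit_manifest(manifest, registries, private_names, private_reg="private"):
    """List private-named dependencies that also exist on a public registry,
    i.e. the names an unscoped build would be at risk of fetching publicly."""
    return [(name, reg, index[name])
            for name in manifest if name in private_names
            for reg, index in registries.items()
            if reg != private_reg and name in index]
```

The same idea applies to real tools: pin private names to the private registry (npm scopes, a Python index that never falls back to the public one) and periodically check whether any private name has appeared publicly.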
To explain this with an example, imagine you had a Word document on your computer, but when you went to open it, your computer said, “Hey, there’s another Word document on the internet with the same name. I’ll open that one instead.” Now imagine the Word document could then automatically make changes to your computer. It’s not a great situation.
It seems like the companies agreed that the problem was serious. In his Medium post, Birsan wrote that “the majority of awarded bug bounties were set at the maximum amount allowed by each program’s policy, and sometimes even higher.” For those unfamiliar, bug bounties are cash rewards companies pay out to people who find serious bugs. The more severe the bug, the more money they’ll pay.
According to Birsan, most of the companies he contacted about the exploit were able to quickly patch their systems so they were no longer vulnerable. Microsoft has even put together a white paper explaining how system administrators can protect their companies from these kinds of attacks. Still, it’s frankly astonishing that it took this long for someone to figure out that these massive companies were vulnerable to this sort of attack. Thankfully, this isn’t the type of story that ends with you having to immediately update every device in your house, but it seems like it will be a long week for system administrators who now have to change the way their company uses public code.