
A security researcher has found a flaw in the way the package managers of many programming languages resolve dependencies. By publishing public packages with the same names as packages that companies use internally, he managed to get his own code into those companies' software.

In a blog post, researcher Alex Birsan writes that he was surprised by how much trust developers place in the dependencies their software pulls in. He wondered whether this trust could be abused and went on to develop a way to do so.

Dependencies could be replaced

Many companies publish part of their software as open source, which makes it easy to see which dependencies it uses. This proved particularly easy for JavaScript projects, where dependencies are listed in a package.json manifest. The dependencies of some closed-source software can be discovered as well. Some of those dependencies are public packages, while others are developed internally by the companies and never published.

Birsan found that package managers generally consult the public registry alongside, or ahead of, a company's internal package source, so a public package with the same name as an internal one can be chosen over it. By simply publishing his own package under the same name as a package a company used internally, he was able to get his own code into that company's software.
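To make the resolution mistake concrete, here is an added example (not code from the article or from Birsan's research): a minimal model of an installer that reads a package.json-style manifest and looks packages up on a private index and on the public registry. The manifest, the package names ("acme-internal-auth", "express") and both indexes are constructed for illustration. The vulnerable policy merges both indexes and installs the highest version it finds, so the attacker's public copy wins; the hardened policy looks internal names up on the private index only.

```python
"""Model of dependency confusion: vulnerable vs. hardened resolution.

Added example, not code from the original article or from Birsan's research.
All package names, versions and indexes below are constructed for illustration.
"""
import json
import re

# Constructed manifest in the style of an npm package.json. "acme-internal-auth"
# stands for a package that exists only on the company's private registry.
PACKAGE_JSON = json.dumps({
    "name": "acme-web",
    "dependencies": {
        "express": "^4.18.0",
        "acme-internal-auth": "^1.2.0",
    },
})

# Constructed indexes: name -> {version: origin}. The attacker has published
# "acme-internal-auth" publicly under an absurdly high version number.
PRIVATE_INDEX = {
    "acme-internal-auth": {"1.2.0": "private", "1.2.1": "private"},
}
PUBLIC_INDEX = {
    "express": {"4.18.2": "public"},
    "acme-internal-auth": {"99.99.99": "public"},  # attacker-controlled
}


def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def min_version_from_range(spec):
    """Extract the lower bound of a simple caret/tilde/exact range such as '^1.2.0'."""
    m = re.match(r"[\^~=]?v?(\d+(?:\.\d+)*)", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    return parse_version(m.group(1))


def resolve_highest_across_indexes(name, spec, indexes):
    """Vulnerable policy: merge every index and pick the highest acceptable version.

    This is the behaviour the article describes: the public registry is consulted
    alongside the private one, and a same-named public package can win.
    """
    floor = min_version_from_range(spec)
    candidates = []
    for index in indexes:
        for version, origin in index.get(name, {}).items():
            if parse_version(version) >= floor:
                candidates.append((parse_version(version), version, origin))
    if not candidates:
        raise LookupError(name)
    _, version, origin = max(candidates)  # highest version wins, whoever published it
    return version, origin


def resolve_with_pinned_source(name, spec, private_index, public_index, private_names):
    """Hardened policy: names known to be internal are looked up on the private
    index only; the public registry is never a candidate for them."""
    if name in private_names:
        return resolve_highest_across_indexes(name, spec, [private_index])
    return resolve_highest_across_indexes(name, spec, [public_index])


def install(manifest_json, hardened):
    """Return {name: (version, origin)} for every dependency in the manifest."""
    deps = json.loads(manifest_json)["dependencies"]
    private_names = set(PRIVATE_INDEX)  # the allowlist of internal names
    plan = {}
    for name, spec in deps.items():
        if hardened:
            plan[name] = resolve_with_pinned_source(
                name, spec, PRIVATE_INDEX, PUBLIC_INDEX, private_names)
        else:
            plan[name] = resolve_highest_across_indexes(
                name, spec, [PRIVATE_INDEX, PUBLIC_INDEX])
    return plan


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "vulnerable", install(PACKAGE_JSON, hardened))
```

Run it and the vulnerable plan installs acme-internal-auth 99.99.99 from the public registry, while the hardened plan installs 1.2.1 from the private index. The practical equivalents of the hardened policy are a registry scope or namespace reserved for internal packages and an installer configuration that does not fall through to the public registry for them.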

Bug bounties

This code could then be used, for example, to plant a backdoor in a company's internal network and steal sensitive data from it, or to cause other damage. Birsan tested his theory against a large number of companies and applications and gained access to the internal networks of Apple, Microsoft, Netflix, PayPal and Tesla, as well as those of more than thirty other companies. Several companies have since fixed the problems and paid Birsan tens of thousands of dollars in bug bounties.
