A security researcher has found a problem with the way many programming languages deal with dependencies. By creating new public packages with the same names as packages used internally by companies, he managed to inject his own code into those companies' software.
In his blog, researcher Alex Birsan writes that he was surprised by how much faith programmers have in the dependencies that their software uses. He wondered if there was a way to abuse this and managed to develop one.
Dependencies could be replaced
Birsan found that programming languages generally consult the public repositories first, before looking for internal packages. By simply publishing his own package under the same name as a package used internally by a company, he was able to get his own code into that company's software.
This code could then be used, for example, to add a backdoor to a company's internal network and steal sensitive data from there, or to cause other damage. Birsan tested his theory on a large number of companies and applications, gaining access to the internal networks of Apple, Microsoft, Netflix, PayPal and Tesla, among more than thirty other companies. Several companies have since fixed the problems and paid out tens of thousands of dollars in bug bounties to Birsan.
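To illustrate the resolution order described above, here is an added Python example (written for this page, not code from Birsan's post or any affected company). It simulates a resolver that merges a private and a public index and takes the highest version, then the hardened policy that only ever fetches internal names from the private index; the index contents and package names are constructed sample data.

```python
"""Simulate dependency resolution across a private and a public package index.

Constructed example: models how a resolver that consults the public index
alongside the private one ends up picking a publicly published package that
carries an internal name, and how scoping internal names to the private index
prevents that.
"""
from dataclasses import dataclass

# Constructed sample indexes: the company's private index and the public one.
# "acme-billing" exists in both; the public copy carries a much higher version.
PRIVATE_INDEX = {"acme-billing": ["1.2.0"], "acme-auth": ["0.9.1"]}
PUBLIC_INDEX = {"requests": ["2.31.0"], "acme-billing": ["99.0.0"]}


def parse_version(v: str) -> tuple:
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    source: str  # "private" or "public"


def resolve_naive(name: str) -> Candidate:
    """Mimic a resolver that merges both indexes and takes the highest version.
    A public copy with a larger version number beats the internal package."""
    candidates = [Candidate(name, v, "private") for v in PRIVATE_INDEX.get(name, [])]
    candidates += [Candidate(name, v, "public") for v in PUBLIC_INDEX.get(name, [])]
    if not candidates:
        raise LookupError(f"{name}: not found in any index")
    return max(candidates, key=lambda c: parse_version(c.version))


def resolve_pinned(name: str, internal_names: frozenset) -> Candidate:
    """Hardened policy: names on the internal list come only from the private
    index, everything else only from the public one. No cross-over is allowed."""
    index, source = (PRIVATE_INDEX, "private") if name in internal_names else (PUBLIC_INDEX, "public")
    versions = index.get(name)
    if not versions:
        raise LookupError(f"{name}: not found in the {source} index")
    return Candidate(name, max(versions, key=parse_version), source)


def audit(manifest: list, internal_names: frozenset) -> list:
    """Return the internal names a naive resolver would pull from the public
    index, i.e. the dependencies exposed to this substitution."""
    return [n for n in manifest if n in internal_names and resolve_naive(n).source == "public"]
```

Running `audit` over a project's dependency list against the company's known internal names gives the set of packages to check before the public copy is ever installed.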