Popular languages such as Node, Python and Ruby have package managers which makes installing prebuilt code a breeze. A security researcher developed a proof-of-concept attack exploiting our inherent trust of public repositories and a vulnerable “feature” in package managers to successfully compromised dozens of companies including Microsoft, Paypal, Apple, Yelp, Uber and Tesla.
Private Package Details Leak
Many development teams leverage external packages from their favourite repositories as well as internally built, proprietary packages hosted within their own private code repositories.
Through accidental uploads to Github and/or misconfigured build servers, internal package details are being leaked out onto the Internet providing attackers with knowledge of internal package names.
Squatters NG
Attackers have long used “typosquatting” to target users through mistyped URLs and more recently have been targeting developers by typosquatting popular packages in public repositories.
The security researcher decided to start create malicious packages with popular internal package names of several large companies and post them on public repositories.
Newer is Not Always Better
Package managers are usually configured to query internal repositories and then public repositories when looking for a specific package.
When the package manager received multiple versions of the same package, by default it chooses the highest version, regardless of the source.
The security researcher found that if he created a malicious package with a higher version number than the official package, his code would supersede the legitimate package from their internal repository and download and install the malicious package from the public repository.
DevOps Tools Perpetuate the Problem
Tools like JFrog Artifactory which are designed to simplify and consolidate multiple repositories into a single virtual code repository mixed with public and private packages are also vulnerable to the dependency confusion attack.
They acknowledge the problem, however have no ETA on a fix.
The Danger of Fake Packages
Malicious dependency confusion packages might fail the build process and likely fail integration testing; however, the security researcher was able to prove that package managers would still run arbitrary code during package installation regardless of failure.
The security researcher’s malicious proof-of-concept packages contained a phone home script that would collect data and then exfiltrate it over covert DNS channels, virtually undetectable.
Original article: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610