Security researcher hacks Apple, Tesla, Paypal, more, in clever open-source software attack

A security researcher found a clever way to hack Apple, Tesla, and more than 30 other major companies using a novel open-source software approach.

Microsoft, PayPal, Shopify, Netflix, Yelp, and Uber were among the other companies that found their internal systems breached in the proof of concept …

The imaginative approach exploited the fact that the systems of many major companies pull in open-source software from public repositories. Bleeping Computer explains:

The attack comprised uploading malware to open source repositories including PyPI, npm, and RubyGems, which then got distributed downstream automatically into the company’s internal applications.

Unlike traditional typosquatting attacks that rely on social engineering tactics or the victim misspelling a package name, this particular supply chain attack is more sophisticated as it needed no action by the victim, who automatically received the malicious packages. This is because the attack leveraged a unique design flaw of the open-source ecosystems called dependency confusion […]

Last year, security researcher Alex Birsan came across an idea when working with another researcher Justin Gardner. Gardner had shared with Birsan a manifest file, package.json, from an npm package used internally by PayPal.

Birsan noticed some of the manifest file packages were not present on the public npm repository but were instead PayPal’s privately created npm packages, used and stored internally by the company.

On seeing this, the researcher wondered, should a package by the same name exist in the public npm repository, in addition to a private NodeJS repository, which one would get priority?

He soon found the answer: The public packages took priority, so simply uploading fake ones with the same names led to them being automatically downloaded. In some cases, he had to add later version numbers to trigger a download.

The full write-up is worth reading, explaining how Birsan was able to prove that the packages had been installed without triggering any alerts.

Of course, the fake packages were harmless, and Birsan alerted the companies as soon as he got confirmation of a successful infiltration. He received over $130K in bug bounties, with Apple confirming that he will be rewarded by them.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear