Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies



This content originally appeared on Bram.us and was authored by Bramus!

While looking at a package.json from a public project from PayPal, Alex Birsan noticed that it held some references to private NPM packages used internally by PayPal.

Birsan noticed some of the manifest file packages were not present on the public npm repository but were instead PayPal’s privately created npm packages, used and stored internally by the company.

On seeing this, the researcher wondered, should a package by the same name exist in the public npm repository, in addition to a private NodeJS repository, which one would get priority?

As you might have guessed by now:

Should a dependency package used by an application exist in both a public open-source repository and your private build, the public package would get priority and be pulled instead — without needing any action from the developer.

OH. SH*T.

Using a preinstall script, he then logged some info on his server, cleverly abusing DNS to bypass any firewalling.
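To make the resolution behaviour concrete, here is an added example (not code from Bramus' post or from Birsan's research) that simulates the two registries with constructed, invented package names and versions. It shows a resolver that merges every registry it knows about and lets the highest version win, which is what makes an unscoped internal name confusable, beside a resolver that pins a scope to one registry the way an `.npmrc` `@scope:registry=` line does, and a small audit of a package.json that flags internal dependencies published under an unscoped name:

```javascript
// Added example, not from the original post. All registry contents, package
// names and versions below are constructed for illustration.
const PRIVATE_REGISTRY = {
  "acme-internal-utils": ["1.2.0", "1.3.0"], // unscoped internal package
  "@acme/auth-client": ["3.0.1"],            // scoped internal package
};
const PUBLIC_REGISTRY = {
  "acme-internal-utils": ["99.0.0"], // same unscoped name, published by a third party
  "lodash": ["4.17.21"],
};

// Minimal semver comparison: numeric major.minor.patch only, no prerelease tags.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function highestVersion(versions) {
  return versions.reduce((best, v) => (compareSemver(v, best) > 0 ? v : best));
}

// Vulnerable resolution: every registry is consulted and the highest version
// wins, regardless of which registry served it.
function resolveHighestAcrossRegistries(name, registries) {
  let winner = null;
  for (const [registryName, index] of Object.entries(registries)) {
    const versions = index[name];
    if (!versions) continue;
    const v = highestVersion(versions);
    if (winner === null || compareSemver(v, winner.version) > 0) {
      winner = { registry: registryName, version: v };
    }
  }
  return winner;
}

// Hardened resolution: a scope maps to exactly one registry; anything else goes
// only to the default registry. A scoped internal name can never be served by
// the public registry this way.
function resolveWithScopeMapping(name, scopeToRegistry, registries, defaultRegistry) {
  const scope = name.startsWith("@") ? name.slice(0, name.indexOf("/")) : null;
  const registryName = scope && scopeToRegistry[scope] ? scopeToRegistry[scope] : defaultRegistry;
  const versions = registries[registryName][name];
  if (!versions) return null;
  return { registry: registryName, version: highestVersion(versions) };
}

// Audit a package.json object: an unscoped dependency that is known to be
// internal is a confusion candidate; report what the vulnerable resolver picks.
function auditPackageJson(packageJson, privateRegistry, publicRegistry) {
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (has(privateRegistry, name) && !name.startsWith("@")) {
      const pick = resolveHighestAcrossRegistries(name, { private: privateRegistry, public: publicRegistry });
      findings.push({
        name,
        publicNameExists: has(publicRegistry, name),
        resolvedFrom: pick.registry,
        resolvedVersion: pick.version,
      });
    }
  }
  return findings;
}

// Constructed package.json mirroring the situation described in the post.
const SAMPLE_PACKAGE_JSON = {
  name: "acme-web",
  dependencies: {
    "acme-internal-utils": "^1.0.0",
    "@acme/auth-client": "^3.0.0",
    "lodash": "^4.17.0",
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditPackageJson(SAMPLE_PACKAGE_JSON, PRIVATE_REGISTRY, PUBLIC_REGISTRY));
  console.log(resolveWithScopeMapping("@acme/auth-client", { "@acme": "private" },
    { private: PRIVATE_REGISTRY, public: PUBLIC_REGISTRY }, "public"));
}
```

Running it reports `acme-internal-utils` as resolving to version 99.0.0 from the public registry even though the private registry holds 1.3.0, while the scoped `@acme/auth-client` is only ever looked up in the registry mapped for `@acme`. The audit only needs a list of your own internal package names, so it can run in CI without network access; the real-world counterpart of `resolveWithScopeMapping` is publishing internal packages under a scope and pinning that scope to the private registry in `.npmrc`.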

Researcher hacks over 35 tech firms in novel supply chain attack →
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies →




Bramus! | Sciencx (2021-03-02T22:53:03+00:00) Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies. Retrieved from https://www.scien.cx/2021/03/02/dependency-confusion-how-i-hacked-into-apple-microsoft-and-dozens-of-other-companies/