

Researcher penetrates more than 35 technology companies through a new attack


Security researcher Alex Birsan discovered a security vulnerability that allowed him to run code on the servers of more than 35 technology companies, including Apple, Microsoft, PayPal, Shopify, Netflix, Tesla, and Uber.

The exploitation is deceptively simple, and it is something many large software developers need to know how to protect themselves from.

The attack relies on a relatively simple trick: substituting public packages for private ones.

When companies build programs, they often use open source code written by other people, so they don't spend time and resources solving a problem that has already been solved.

These publicly available packages can be found in repositories such as npm, PyPI, and RubyGems.

It is worth noting that Birsan found these repositories could be used to carry out the attack, but they are not the only three.

In addition to these public packages, companies often build their own packages, which they do not publish publicly but instead distribute among their developers; this is where Birsan found the gap.

Birsan realized that if he could find the names of the private packages used by companies, a task that turned out to be very easy in most cases, he could upload his own code to a public repository under the same name.

The companies' automated build systems then pulled his code instead of the private package.

Companies would not only download his package instead of the correct one but also run the code inside it.

Companies seem to agree that the problem is serious; in his post on Medium, Birsan wrote that the majority of the bug bounties awarded were set to the maximum allowed under each program's policy, and sometimes higher.

The researcher received more than $130,000 in bug bounty rewards for his ethical research.

According to Birsan, most of the companies contacted about the exploit were able to quickly fix their systems so that they could no longer be compromised this way.

Microsoft published a technical document explaining how system administrators can protect companies from these types of attacks, but it is surprising that it took so long for someone to realize that these huge companies were vulnerable to this kind of attack.
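The exposure described above comes from a private package name that an installer is free to resolve from a public registry. The check below is an added example, not code from the article or from Birsan's research: it reads an npm-style dependency list and `.npmrc`, and flags any private package that is not pinned to a private registry through a reserved scope. The organisation name, package names and registry hosts are constructed for illustration.

```python
"""Dependency-confusion exposure check (added example, constructed inputs)."""
import re

# Constructed sample: names the organisation only ever publishes privately.
PRIVATE_PACKAGES = {"@acme/billing-core", "acme-legacy-utils", "internal-auth-client"}

# Constructed sample dependency map, as it would appear in package.json.
MANIFEST_DEPS = {
    "@acme/billing-core": "^2.1.0",
    "acme-legacy-utils": "^1.0.0",
    "internal-auth-client": "latest",
    "lodash": "^4.17.21",
}

# Constructed sample .npmrc: only the @acme scope points at the private registry.
NPMRC = """
registry=https://registry.npmjs.org/
@acme:registry=https://npm.acme.example/
"""

PUBLIC_HOSTS = ("registry.npmjs.org",)


def scoped_registries(npmrc_text):
    """Return {scope: registry_url} for every '@scope:registry=' line in .npmrc."""
    return dict(re.findall(r"^(@[\w.-]+):registry=(\S+)", npmrc_text, re.M))


def find_exposed(private_names, deps, npmrc_text, public_hosts=PUBLIC_HOSTS):
    """Return the private dependencies an install could fetch from a public registry.

    A private package is considered safe only when it sits under a scope that
    .npmrc maps to a registry which is not one of the known public hosts.
    Unscoped private names fall back to the default registry and are flagged.
    """
    scopes = scoped_registries(npmrc_text)
    exposed = []
    for name in deps:
        if name not in private_names:
            continue  # public dependency, outside the scope of this check
        scope = name.split("/")[0] if name.startswith("@") else None
        registry = scopes.get(scope, "") if scope else ""
        if not registry or any(host in registry for host in public_hosts):
            exposed.append(name)
    return sorted(exposed)


if __name__ == "__main__":
    for pkg in find_exposed(PRIVATE_PACKAGES, MANIFEST_DEPS, NPMRC):
        print(f"EXPOSED: {pkg} resolves from a public registry")
```

Running the check against the sample flags the two unscoped private packages and accepts `@acme/billing-core`, which is the shape of the fix: reserve a scope for private code and bind that scope to the private registry.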