Security Researcher Runs His Code On Apple, Microsoft & PayPal's Servers With A Simple Trick

Have you, as a developer, ever wished to run your code on servers owned by Apple, Microsoft, PayPal, or the like? Well, such a wild idea is now possible, thanks to security researcher Alex Birsan, who figured out a vulnerability that does exactly that.

Quite surprisingly, the exploit is extremely simple, and now that many people are going to be aware of it, large software companies will have to think about protecting themselves immediately.

The trick, precisely, is based on replacing private packages with public ones. We see companies building programs on top of open-source code written by other developers. By doing so, they avoid spending time or resources on a problem that has already been solved.

A good example of this is the conversion of text files to webpages in real time. Not every development team writes that code itself; many instead pick up an existing program and build it into the site.

The worst part is that these programs are easy to find on public repositories like npm for Node.js, PyPI for Python, and RubyGems for Ruby. According to Birsan, these are the repositories that can be used to carry out the attack, and the list is not restricted to just those three.

Companies that don’t use public packages for a given need write their own private ones and, rather than uploading them to a public repository, distribute them internally among their developers.

This is exactly where Birsan saw his opening. He reasoned that if he knew the names of the private packages these companies used, he could upload his own code to the public repositories under the same names, and the companies’ automated systems would then pull in his code. In practice, those systems were indeed likely to download his package instead of the right one and run the code inside it.
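To make the mechanism concrete from the defender’s side, here is an added example (not Birsan’s tooling and not any company’s real resolver) that models a package resolver with two feeds: an internal one and a public one. The naive resolver merges both feeds and takes the highest version, which is the behaviour the article describes; the hardened one pins names on an internal allowlist to the internal feed, and a small audit reports internal names that already exist publicly. All package names, versions, and feed contents are constructed for the illustration.

```python
"""Dependency-confusion failure mode and its mitigation, modelled offline.

Example code added to this article; not taken from Birsan's research or from
any vendor. Package names, versions and registry contents below are constructed.
"""
from dataclasses import dataclass

# Constructed feed contents. Version tuples stand in for semver strings.
INTERNAL_FEED = {
    "acme-billing-core": {(1, 4, 2)},
    "acme-auth-utils": {(0, 9, 0)},
}

PUBLIC_REGISTRY = {
    "lodash": {(4, 17, 21)},
    # Same name as an internal package, but a much higher version: this is
    # the collision the article describes.
    "acme-billing-core": {(99, 0, 0)},
}

FEEDS = {"internal": INTERNAL_FEED, "public": PUBLIC_REGISTRY}
# Allowlist of names that must only ever come from the internal feed.
INTERNAL_NAMES = frozenset(INTERNAL_FEED)


@dataclass(frozen=True)
class Resolution:
    name: str
    version: tuple
    source: str


def resolve_naive(name, feeds):
    """Merge every feed and pick the highest version regardless of origin.

    This is the resolution rule that lets a public upload win over a private
    package of the same name.
    """
    candidates = [
        (version, source)
        for source, feed in feeds.items()
        for version in feed.get(name, ())
    ]
    if not candidates:
        raise LookupError(f"no feed provides {name}")
    version, source = max(candidates)  # highest version wins, origin ignored
    return Resolution(name, version, source)


def resolve_hardened(name, feeds, internal_names, internal_source="internal"):
    """Pin allowlisted names to the internal feed; resolve the rest publicly.

    A name on the allowlist never consults the public registry, so a higher
    public version cannot displace the private package. Names not on the
    allowlist are resolved only from non-internal feeds.
    """
    if name in internal_names:
        versions = feeds[internal_source].get(name)
        if not versions:
            raise LookupError(f"internal package {name} missing from {internal_source}")
        return Resolution(name, max(versions), internal_source)
    candidates = [
        (version, source)
        for source, feed in feeds.items()
        if source != internal_source
        for version in feed.get(name, ())
    ]
    if not candidates:
        raise LookupError(f"no public feed provides {name}")
    version, source = max(candidates)
    return Resolution(name, version, source)


def audit_collisions(internal_names, public_registry):
    """Defensive check: list internal names that already exist on the public
    registry, so the team can investigate before a build pulls them in."""
    return sorted(name for name in internal_names if name in public_registry)


if __name__ == "__main__":
    for name in ("acme-billing-core", "lodash"):
        print("naive   ", resolve_naive(name, FEEDS))
        print("hardened", resolve_hardened(name, FEEDS, INTERNAL_NAMES))
    print("collisions:", audit_collisions(INTERNAL_NAMES, PUBLIC_REGISTRY))
```

Running the script shows the naive resolver handing `acme-billing-core` to the public feed at version 99.0.0, while the hardened resolver keeps it on the internal feed at 1.4.2 and still resolves `lodash` publicly. The audit is the cheap check worth running continuously: any internal name that turns up on a public registry is a signal to investigate, whatever resolver configuration is in place.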

To put it in simple words, suppose you have a Word document on your own computer. As soon as you open it, a suggestion pops up: “Hey, there’s another Word document on the internet with the same name. I’ll open that one instead.” Since the computer can then automatically make changes to the document you created, this is a difficult situation to deal with.

Fortunately, companies treated the problem as a serious one. According to Birsan’s Medium post, bug bounties were first set at the maximum amount allowed by each program’s policy. Then, the majority of the companies he informed about the exploit patched their systems immediately to close the vulnerability.

Microsoft also went one step further by issuing a white paper that explains how system administrators can secure their systems against such attacks in the future. Still, it is surprising that it took companies so long to notice this vulnerability.

All in all, this is going to be a long week for the system administrators of large software companies, who now have to change the way their companies pick up public code.
