Technology

In this way they ‘hacked’ some of the most important companies in the world like Apple, Microsoft, PayPal, Uber or Tesla.

have got it Hack some of the biggest companies in the world, True business and technology liners that cost large amounts of money Cyber ​​security, And he has done so by finding the security loophole foolish and dangerous. his name is alex birson and he hacked Applemicrosoft, Uberpaypal o Tesla,



My hacker, who has already earned over $130,000 in prizes, tells his story in this blog. Birson points out that some programming languages ​​such as Python have simple installers that are usually in public code repositories where anyone can download them.

For example, he commented, Node has npm, Python uses PyPl – the Python Package Index – and Ruby’s gems can be found on RubyGems. He notes that none of the package hosting services can guarantee that all codes are free. malware, Previous research, he recalls, has shown that typosquatting – An attack that exploits typo versions of popular package names – can be very effective in randomly accessing computers around the world.

They started by hacking PayPal

Birson and his partner Justin Gardner –@Rainorator- tracked down paypal, He found a very interesting piece of Node.js source code on GitHub. the code was intended for internal use of paypal And, in your package.json file, it looks like it has a mix of public and private dependencies: public npm packages, as well as non-public package names, likely hosted internally by PayPal. These names did not exist in the public npm registry at that time.

So, he noted, several questions were asked:

  • What if malicious code is downloaded in npm with these names? Is it possible that some of PayPal’s internal projects start using the new public packages instead of the private ones?
  • Will developers, or even automated systems, start executing code inside libraries?
  • If it works, can we get a bug bounty?
  • Will this attack work against other companies as well?

Without further ado, he insisted, “I started working on a plan to answer these questions.” The idea was to upload my own ‘malicious’ node package with all the unclaimed names to the npm registry, which would ‘call home’ each computer in which they were installed. If any package has finished installing PayPal Owned ServersOr somewhere else, the code inside them will notify you immediately.


Google has launched a test to measure our knowledge of security.

Birson clarifies that “all organizations selected during this investigation have given permission”. test permit for safetyEither through public bug bounty programs or through private deals. Do not attempt this type of test without authorization.”

Fortunately, npm allows arbitrary code to be run automatically when installing packages, making it easy for you to create a node package that collects basic information about each machine installed via its own pre-install scripts. does.


Barcode Scanner is a free app to read barcode and QR.

To strike a balance between the ability to identify an organization based on data and the need to avoid collecting too much sensitive information, it was decided to record only the username, hostname and current path of each unique installation. As with the external IP address, he explains, “this was enough data to help security teams identify potentially vulnerable systems based on my reports, preventing my evidence from being mistaken for an actual attack.” could.”

The Hack Reaches Apple, Yelp and Tesla

with the basic part of the plan Hack the world’s biggest companies Killed, Birson says, “it was time to search for more potential targets.” A few full days of searching private package names belonging to some of the target companies revealed that many other names were found on GitHub, as well as on major package hosting services, within internal packages that were accidentally released, and even that can also be found inside publications. in various internet forum, However, the best place to find private package names was inside JavaScript files.


Illustrative image of 'malware' on a mobile device.

Apparently, it is quite common for internal package.json files, which contain the names of JavaScript projects’ dependencies, to be embedded in public script files during their build process, exposing internal package names. Apple, Yelp and Tesla are just a few examples of companies whose internal names were exposed in this way.,

During the second half of 2020, he continued, “Thanks to the help of @streaak and his remarkable reconnaissance skills, we were able to automatically scan millions of domains belonging to these companies and extract hundreds of additional JavaScript package names, which were not yet claimed in the npm registry. Then I uploaded my code to the hosting service package which found all the names and waited for the callback.

Huge success in hacking big companies

From one-off bugs made by developers on their machines, to erroneously configuring internal or cloud-based build servers, to systematically vulnerable development pipelines, one thing was clear: using valid internal package names. There was almost a certain way. Breached the networks of some of the biggest tech companies,


They can weigh on the final decision, so it's best not to neglect them.  Logically, images in public profiles should be avoided in compromising situations, but networks can also be used to turn them into profit.

This type of vulnerability, “what I began to call” dependency confusion, has been found in over 35 organizations so far, in all three programming languages ​​tested. The vast majority of affected companies are in the 1,000+ employee category, which probably reflects the high prevalence of internal library use in larger organizations.

$90,000 between Apple, PayPal and Shopify

Because JavaScript dependency names are easy to find, about 75% of all recorded callbacks come from npm packages, but this does not mean that Python and Ruby are less vulnerable to attack.


Dark Web.

Canadian e-commerce giant Shopify’s build system Automatically installs a ruby ​​gem called shopify-cloud. The Shopify team worked out a fix and offered a $30,000 reward for finding the problem.

Another $30,000 reward came from Apple after code in a node package uploaded to npm in August 2020 ran on multiple machines within their network. Affected projects appear to be related Apple’s Authentication System, externally known as Apple ID. Other affected companies were Netflix Oh Uber.


The #silhouettechallenge trend has garnered over 220 million views on TikTok.

Birson points out that Microsoft Azure offers a package hosting service called Artifacts. As a result of one of your reports, some minor improvements have been made to the service to ensure that it can provide a reliable solution to vulnerabilities in dependency confusion. Interestingly, he noted, “this problem was not discovered by testing”. Azure Artifacts himself, but Successfully attacking Microsoft’s own cloud-based Office 365And the report came out with the highest possible reward from Azure: $40,000.”

sign up for us News bulletin And get the latest technology news in your email.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button