Researcher infiltrated more than 35 tech companies with new attacks

Security researcher Alex Birsan discovered a vulnerability that allowed him to execute code on the servers of more than 35 tech companies, including Apple, Microsoft, PayPal, Netflix, Shopify, Tesla and Uber.

The technique is simple, and many skilled software developers need to know how to protect themselves against it.

The attack uses relatively simple techniques to substitute a package of the attacker's choosing for a software package that a company depends on.

When developing software, companies often use open-source code written by others so they do not spend time or resources solving problems that have already been solved.

This publicly available software is found in repositories such as npm, PyPI and RubyGems.

Birsan indicated that these repositories could be used to carry out this type of attack, but the problem is not limited to these three.

In addition to these public packages, companies often create their own private packages that are never published publicly but are distributed internally among their developers. This is where Birsan discovered the vulnerability.

Birsan found that if he could learn the name of a private package a company was using, which in most cases was very easy,

he could upload his own code to the public repository under that same name, and the company's automated build system would fetch his package instead of the internal one.

Beyond downloading his package instead of the correct one, the company's systems would then execute the code it contained.
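As an added illustration, not taken from the article or from Birsan's research, the check below audits the client-side setting that makes the substitution described above possible: a pip configuration that lists the private feed as an extra index lets the public index compete for the same package name, while a single private index-url does not. All configuration and requirement lines are constructed sample input, and the internal package prefix is an assumption.

```python
"""Audit pip configuration and requirements for dependency-confusion exposure.

Constructed example. With `extra-index-url`, pip consults the public index as
well as the private feed and installs whichever offers the highest version of a
name, so a public upload reusing an internal name can win.
"""
import configparser
import re

# Constructed: private feed added alongside the public index (weak).
WEAK_PIP_CONF = """
[global]
extra-index-url = https://pkgs.example.internal/simple
"""

# Constructed: private feed is the only index pip may use (hardened).
HARDENED_PIP_CONF = """
[global]
index-url = https://pkgs.example.internal/simple
"""

# Constructed requirements; names starting with `acme-` are assumed internal.
REQUIREMENTS = """
requests==2.31.0 --hash=sha256:0123abcd
acme-billing
acme-auth>=1.0
"""
INTERNAL_PREFIXES = ("acme-",)


def audit_pip_conf(conf_text: str) -> list[str]:
    """Return findings about index settings that keep the public index in play."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    if "extra-index-url" in g:
        findings.append("extra-index-url keeps the public index in the resolution "
                        "set; point index-url at the private feed only")
    if "index-url" not in g:
        findings.append("no index-url set: the default public index is used")
    return findings


def audit_requirements(req_text: str) -> list[str]:
    """Flag internal packages that are not pinned and any line lacking a hash."""
    findings = []
    for line in (l.strip() for l in req_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[<>=!~ ]", line, 1)[0]
        if name.startswith(INTERNAL_PREFIXES) and "==" not in line:
            findings.append(f"{name}: internal package not pinned to an exact version")
        if "--hash=" not in line:
            findings.append(f"{name}: no hash, downloaded artifact is not verified")
    return findings
```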

The companies seem to agree that the problem is serious. Birsan wrote in a post on Medium that most of the bug bounties were set at the maximum amount each program's policy allowed, and sometimes higher.

As a result of his ethical research, the researcher has earned more than $130,000 in bug bounties.

According to Birsan, most of the companies he contacted that were affected by this vulnerability were able to quickly patch their systems to make them less vulnerable.

Microsoft has released a technical document explaining how system administrators can protect companies from such attacks. Surprisingly, it took a long time before anyone realized that these large companies were vulnerable to such attacks.
