Presented by Quang and Nikolas
- Justin Gardner and Alex Birsan are two “Bug Bounty Hunters”.
- Bug Bounties: Software organizations will compensate individuals for disclosing any bugs (including security vulnerabilities) found on their platform.
- In the summer of 2020, they were targeting Paypal to see if they could find any security vulnerabilities worth reporting.
- Helps speed up development time, reduce boilerplate code, and avoid “reinventing the wheel”.
- As a result, project becomes “dependent” on these packages for it to work as expected.
- Large projects will likely have many dependencies. How do we keep track of all the 3rd-party code?
- Many languages have adopted a package management system to help developers keep track and manage their dependencies.
- Makes it relatively straightforward to install, update and delete packages stored in repositories.
- For this particular exploit, Alex and Justin only targeted npm, pypi and ruby gems.
- Since npm is so common, it is installed alongside Node.js, JavaScript’s runtime environment. Install Node.js
- Check if npm is installed:
npm -v
- Use npm for your project:
npm init
- Install package (Express in this case):
npm i express
- Install specific version:
npm i express@4.3.0
- Remove package:
npm uninstall express
Justin stumbled upon an interesting piece of code within one of Paypal’s projects on Github:
The packages in red did not appear on npm’s official registry. They seem to be specifically for Paypal, hosted on a private npm repository.
Justin Gardner and Alex Birsan wondered:
"What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?"
"Would this attack work against other companies too?"
- Create a “malicious” JavaScript package.
- “Malicious” meaning the attack is not actually malicious, per se. Rather, it is meant to be a valid proof of concept to raise enough concern without being too intrusive.
- They settled on collecting information such as username, hostname, IP address, and the file path of the installed package.
- Collect as many private package names as possible.
- Slightly more difficult. They searched for dependency files (e.g. package.json) inside public repositories such as Github and Gitlab. In addition, JavaScript files which often include the names of all dependencies used for that project.
- They were able to gather hundreds of private package names from several companies such as Tesla, Apple, PayPal, Shopify, Uber, Netflix and more.
- Upload the package to npm under the same name as the private dependencies. For example,
auth-paypal
,analytics-paypal
.
- Really easy (which is part of the problem).
- Wait to see if the packages get installed.
- To prove that it worked, log information about the system it was installed on and send it back to Justin and Alex. They settled on collecting information such as username, hostname, IP address, and the file path of the installed package.
- Difficult since large tech companies have intricate firewalls and intrusion detection systems (IDS).
- Responsible for translating domain names to their corresponding IP addresses.
- The vast number of domain names on the Internet today exceed the capacity any one database. DNS follows a distributed model.
- Data gathered by package dependency was encoded into hexadecimal format.
- Before:
{ip: 160.97.6.139, filepath: home/projects/important-project, ... }
- After:
0x60ab7a9756
- Before:
- Alex and Justin preappended the hex code onto a domain name they own.
- Google’s DNS resolver queried an authoritative server that Justin and Alex control. Subdomain was recorded.
- Over 35 organizations installed the “malicious” package (vast majority over 1000 employees).
- ~75% of successful targets were from
npm
packages. This is not to say JavaScript packages are more prone to this sort of attack, rather they are more prevelantin industry. The authors reported a 50% success rate for RubyGems (highest out of all three languages tested).
- Largely remains unclear. Companies involved in the attack were hesitant to share internal details surrounding their private package management systems.
pip install <package-name> --extra-index-url
will check private and public repositories for the specified package. If they both exist, it will default to the higher version.
gem install --source
will work in a similar fashion.
- Microsoft authored a white-paper suggesting ways to prevent this type of attack.
- Alex and Justin received bounties from Shopify, Apple and PayPal, valued at $30,000 each.