Researcher Breaches Systems of Over 35 Companies, Including Apple, Microsoft, and PayPal

by

A security researcher was able to breach the internal systems of over 35 major companies, including Apple, Microsoft, and PayPal, using a software supply chain attack (via Bleeping Computer).

paypal hack

Security researcher Alex Birsan was able to exploit a unique design flaw in some open-source ecosystems called "dependency confusion" to attack the systems of companies such as Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber.

The attack involved uploading malware to open source repositories including PyPI, npm, and RubyGems, which were then automatically distributed downstream into the various companies' internal applications. Victims automatically received the malicious packages, with no social engineering or trojans required.

Birsan was able to create counterfeit projects using the same names on open-source repositories, each containing a disclaimer message, and found that applications would automatically pull public dependency packages, without needing any action from the developer. In some cases, such as with PyPI packages, any package with a higher version would be prioritized regardless of wherever it was located. This enabled Birsan to successfully attack the software supply chain of multiple companies.

Upon verifying that his component had successfully infiltrated the corporate network, Birsan reported his findings to the company in question, and some rewarded him with a bug bounty. Microsoft awarded him its highest bug bounty amount of $40,000 and released a white paper on this security issue, while Apple told BleepingComputer that Birsan will receive a reward via the Apple Security Bounty program for responsibly disclosing the issue. Birsan has now earned over $130,000 through bug bounty programs and pre-approved penetration testing arrangements.

A full explanation of the methodology behind the attack is available at Alex Birsan's Medium page.

Tags: cybersecurity, bug bounty

Top Rated Comments

hybrid_x Avatar
hybrid_x
4 weeks ago
I love that ethical hackers can actually earn a decent income through bug bounty programs.
Score: 27 Votes (Like | Disagree)
icanhazmac Avatar
icanhazmac
4 weeks ago
Well played sir, well played!

I'm glad companies have bounty programs to encourage the "good guys" to report vulnerabilities. I have no idea how much time he put into the exploit but 130k is a nice payday.
Score: 16 Votes (Like | Disagree)
Stephen.R Avatar
Stephen.R
4 weeks ago

People put too much trust in open-source community and software and this is the price they pay.
the irony of your statement is superb.

if the packages he spoofed had been open source he wouldn’t have been able to pull it off - it worked specifically because the companies were referencing internal/private packages (thus not open source) and he was able to make fake packages with the same name, in open source package repositories.

This type of shenanigans is just another reason why you should always vendor your dependencies kids.
Score: 12 Votes (Like | Disagree)
Kabeyun Avatar
Kabeyun
4 weeks ago
This reminds me of the Russians hacking SolarWinds. Don’t get to the companies, get to the software the companies use and trust. Of course the irony is that these companies are some of the same ones that have been spending years trying to teach us not to automatically trust downloaded software.
Score: 11 Votes (Like | Disagree)
Blackstick Avatar
Blackstick
4 weeks ago
Well, time to hire this guy...
Score: 9 Votes (Like | Disagree)
BootsWalking Avatar
BootsWalking
4 weeks ago

People put too much trust in open-source community and software and this is the price they pay.

Open-source software, unless independently audited, have no guarantees of being secure (or even functional). Remember the disclaimer “this software is provided ‘AS IS’...”

They might even contain malicious code, since very few people will actually read the code before executing it.
The issue isn't open source - it's in the distribution model of software dependencies. This vulnerability has been known for quite some time.
Score: 7 Votes (Like | Disagree)
Read All Comments

Top Stories

bloodoxygenapplewatch

Apple Watch Series 7 to Gain Breakthrough New Health Feature

Friday March 5, 2021 5:34 am PST by
Apple is reportedly planning to bring a new, first-of-its-kind health technology to the Apple Watch Series 7, in what could be a breakthrough for managing conditions such as diabetes more easily. According to a recent report from ETNews, the Apple Watch Series 7 will feature blood glucose monitoring via a non-invasive optical sensor. Measuring blood glucose levels, also known as blood...
Read Full Article
apple transfer google photos 1

Apple Launches Service for Transferring iCloud Photos and Videos to Google Photos

Wednesday March 3, 2021 12:04 pm PST by
Apple this week introduced a new service that's designed to make it quick and easy for iCloud users to transfer their stored photos and videos to Google Photos. As outlined in an Apple support document, you can go to Apple's privacy website and sign in to see the "Transfer a copy of your data" option. If you select this and go through all the steps, Apple will transfer your iCloud photos and ...
Read Full Article195 comments
imac pro featured black

Apple Confirms iMac Pro Will Be Discontinued When Supplies Run Out, Recommends 27-Inch iMac

Saturday March 6, 2021 7:33 am PST by
Apple on late Friday evening added a "while supplies last" notice to its iMac Pro product page worldwide, and removed all upgrade options for the computer, leaving only the standard configuration available to order for now. We've since confirmed with Apple that when supplies run out, the iMac Pro will no longer be available whatsoever. Apple says the latest 27-inch iMac introduced in August...
Read Full Article273 comments
Oled iPads and MackBook Pro

OLED 10.9-Inch iPad Rumored for Early 2022, 12.9-Inch iPad Pro and 16-Inch MacBook Pro Could Follow

Thursday March 4, 2021 8:37 pm PST by
Earlier today, DigiTimes shared a preview of an upcoming report claiming that Apple is working on both iPad and Mac notebook models with OLED displays that could launch starting in 2022. The full report from DigiTimes is now available, and it includes several new alleged details about Apple's plans. According to the report, the first of these devices to adopt an OLED display is likely to be...
Read Full Article110 comments
apple products refurbished store banner

Class Action Lawsuit Over Apple Providing Refurbished Replacement Devices Proceeding to Trial in August

Friday March 5, 2021 9:53 am PST by
Initially filed in 2016, a class action lawsuit that accuses Apple of violating the Magnusson-Moss Warranty Act, Song-Beverly Consumer Warranty Act, and other U.S. laws by providing customers with refurbished replacement devices is set to proceed to trial August 16, according to a notice this week from law firm Hagens Berman Sobol Shapiro LLP. Apple's repair terms and conditions state that,...
Read Full Article168 comments
iPhone 13 Notch Feature2

iPhone 13 Rumor Recap: Smaller Notch, Larger Batteries, 120Hz for Pro Models, Improved 5G, Wi-Fi 6E, and More

Friday March 5, 2021 8:20 am PST by
While we are likely at least six months away from Apple unveiling the so-called iPhone 13 lineup, rumors about the devices are starting to accumulate, so we've put together this recap of everything that is expected so far. The upcoming iPhone 13 lineup will consist of the same four models and the same screen sizes as the iPhone 12 lineup, according to reputable analyst Ming-Chi Kuo,...
Read Full Article124 comments
maxresdefault

What's on Your iPhone Home Screen?

Thursday March 4, 2021 10:31 am PST by
Over on our YouTube channel, MacRumors videographer Dan has a new video up where he shares his Home Screen, wallpaper, and all of his current favorite widgets. Subscribe to the MacRumors YouTube channel for more videos. Check out Dan's video to see his setup, and then comment below and show us your own Home Screens. It's always fun to see other peoples' Home Screens, and with widgets and...
Read Full Article89 comments
OLED iPad Pro and MacBook Pro

iPad and MacBook Models With OLED Displays Rumored to Launch in 2022

Thursday March 4, 2021 8:19 am PST by
Apple plans to release new iPad and MacBook models with OLED displays in 2022, according to industry sources cited by Taiwanese supply chain publication DigiTimes. The information was shared in the site's paywalled "Before Going to Press" section, so there are no further details yet, but the full report should be released by tomorrow. Apple has gradually increased its adoption of OLED...
Read Full Article106 comments
Top Stories 48

Top Stories: iPhone 13 Leaks, OLED iPads and Macs, New AirTags Evidence

Saturday March 6, 2021 6:00 am PST by
iPhone rumors are heating up, with noted analyst Ming-Chi Kuo this week releasing a wide-ranging report outlining his expectations for the iPhone lineup over the next three years. This week also saw rumors about OLED displays potentially coming to iPad and Mac starting next year, increasing signs of AirTags functionality in iOS 14.5 betas, and more, so check out all of the details below! i...
Read Full Article48 comments
imac pro while supplies last

iMac Pro No Longer Custom Configurable, Available 'While Supplies Last'

Friday March 5, 2021 10:14 pm PST by
Apple appears to be on the verge of discontinuing the iMac Pro, with the store page for the high-end all-in-one Mac including a "While supplies last" tagline and only the base model with no custom configurations available for purchase. The iMac Pro launched in December 2017, and while there have been a few tweaks to the available configurations over the years, it has received no substantial...
Read Full Article137 comments