Researcher Breaches Systems of Over 35 Companies, Including Apple, Microsoft, and PayPal

A security researcher was able to breach the internal systems of over 35 major companies, including Apple, Microsoft, and PayPal, using a software supply chain attack (via Bleeping Computer).

paypal hack

Security researcher Alex Birsan was able to exploit a unique design flaw in some open-source ecosystems called "dependency confusion" to attack the systems of companies such as Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber.

The attack involved uploading malware to open source repositories including PyPI, npm, and RubyGems, which were then automatically distributed downstream into the various companies' internal applications. Victims automatically received the malicious packages, with no social engineering or trojans required.

Birsan was able to create counterfeit projects using the same names on open-source repositories, each containing a disclaimer message, and found that applications would automatically pull public dependency packages, without needing any action from the developer. In some cases, such as with PyPI packages, any package with a higher version would be prioritized regardless of wherever it was located. This enabled Birsan to successfully attack the software supply chain of multiple companies.

Upon verifying that his component had successfully infiltrated the corporate network, Birsan reported his findings to the company in question, and some rewarded him with a bug bounty. Microsoft awarded him its highest bug bounty amount of $40,000 and released a white paper on this security issue, while Apple told BleepingComputer that Birsan will receive a reward via the Apple Security Bounty program for responsibly disclosing the issue. Birsan has now earned over $130,000 through bug bounty programs and pre-approved penetration testing arrangements.

A full explanation of the methodology behind the attack is available at Alex Birsan's Medium page.

Top Rated Comments

hybrid_x Avatar
17 months ago
I love that ethical hackers can actually earn a decent income through bug bounty programs.
Score: 27 Votes (Like | Disagree)
icanhazmac Avatar
17 months ago
Well played sir, well played!

I'm glad companies have bounty programs to encourage the "good guys" to report vulnerabilities. I have no idea how much time he put into the exploit but 130k is a nice payday.
Score: 16 Votes (Like | Disagree)
Stephen.R Avatar
17 months ago

People put too much trust in open-source community and software and this is the price they pay.
the irony of your statement is superb.

if the packages he spoofed had been open source he wouldn’t have been able to pull it off - it worked specifically because the companies were referencing internal/private packages (thus not open source) and he was able to make fake packages with the same name, in open source package repositories.

This type of shenanigans is just another reason why you should always vendor your dependencies kids.
Score: 12 Votes (Like | Disagree)
Kabeyun Avatar
17 months ago
This reminds me of the Russians hacking SolarWinds. Don’t get to the companies, get to the software the companies use and trust. Of course the irony is that these companies are some of the same ones that have been spending years trying to teach us not to automatically trust downloaded software.
Score: 11 Votes (Like | Disagree)
Blackstick Avatar
17 months ago
Well, time to hire this guy...
Score: 9 Votes (Like | Disagree)
BootsWalking Avatar
17 months ago

People put too much trust in open-source community and software and this is the price they pay.

Open-source software, unless independently audited, have no guarantees of being secure (or even functional). Remember the disclaimer “this software is provided ‘AS IS’...”

They might even contain malicious code, since very few people will actually read the code before executing it.
The issue isn't open source - it's in the distribution model of software dependencies. This vulnerability has been known for quite some time.
Score: 7 Votes (Like | Disagree)

Related Stories

chinafoxconn

Apple Supplier Foxconn Says Shortages Now Easing

Thursday February 10, 2022 5:40 am PST by
Foxconn, the biggest assembler of iPhones, today announced that the component shortages that have constrained the supply of devices over the past two years are now showing signs of easing, Bloomberg reports. The first quarter of 2022 is said to be experiencing a "major improvement" in parts shortages, and "overall supply constraints" are expected to ease in the second half of the year, a...
iPhone 13 Feature Candy Corn

iPhone Was the Most Popular Smartphone in Q4 2021

Tuesday January 18, 2022 5:50 am PST by
iPhones accounted for around one-fifth of all smartphone shipments in the fourth quarter of 2021, allowing Apple to reclaim first place as the biggest smartphone vendor, according to a report from Canalys. Canalys estimates that the iPhone accounted for 22 percent of worldwide smartphone shipments in the fourth quarter of 2021. The scale of Apple's shipments is thanks to strong demand for...
apple logo us flag smooth

Apple to Attend White House Meeting to Discuss Security Risks of Open-Source Software

Thursday January 13, 2022 5:10 am PST by
Apple will be among several U.S. tech giants to attend a meeting at the White House today to discuss cybersecurity and possible security threats posed by open-source software, Reuters reports. The meeting will be held by U.S. National Security Advisor Jake Sullivan and will focus on "concerns around the security of open-source software and how it can be improved." The meeting was prompted by ...
OneDrive

Microsoft OneDrive Gains Native Support for Apple Silicon Macs

Monday February 28, 2022 5:21 pm PST by
Microsoft has been testing a pre-release Apple silicon version of OneDrive since last year, and now the native version of the app is available for all OneDrive users. "We're excited to announce that OneDrive sync for macOS will now run natively on Apple silicon. This means that OneDrive will take full advantage of the performance improvements of Apple silicon," Microsoft said in an...
iphone in box

Man Who Duped Apple into Replacing Fake iPhones for Authentic Devices Worth $1 Million Convicted and Sentenced

Wednesday February 2, 2022 2:24 am PST by
A man has been sentenced to 26 months time served in prison for his involvement in a conspiracy to defraud Apple out of more than $1 million by tricking the company into replacing hundreds of fake iPhones with authentic handsets through its warranty program. Haiteng Wu, 32, a Chinese engineering post-graduate residing in McLean, Virginia, immigrated to the United States in 2013 and secured...
macbook pro sizes space gray

DoJ Arrests Hacker Involved With REvil Group That Stole Apple's MacBook Pro Schematics

Monday November 8, 2021 4:28 pm PST by
The United States Justice Department today announced that it has arrested Ukrainian Yaroslav Vasinskyi for his involvement with REvil, a group that executed ransomware attacks against businesses and government entities in the United States. REvil in April targeted Apple supplier Quanta Computer and stole schematics of the design of the 14 and 16-inch MacBook Pro models that were later...
apple security banner

Apple Outlines How It Will Notify Users Who Have Been Targeted by State-Sponsored Spyware Attacks

Tuesday November 23, 2021 8:15 pm PST by
Earlier today, Apple announced that it had filed suit against NSO Group, the firm responsible for the Pegasus spyware that has been used in state-sponsored surveillance campaigns in a number of countries. NSO Group seeks to take advantage of vulnerabilities in iOS and other platforms to infiltrate the devices of targeted users such as journalists, activists, dissidents, academics, and government...
Apple Logo Cash Orange 1

Former Apple Employee Charged With Defrauding Company of Over $10 Million

Monday March 21, 2022 3:57 am PDT by
A former Apple employee involved in the company's supply chain and responsible for making order purchases and invoicing them back to Apple has been charged by U.S prosecutors for defrauding the tech giant of over $10 million, Reuters reports. According to court filings in San Jose, California seen by Reuters, Dhirendra Prasad, a former employee in Apple's supply chain, is facing five...

Popular Stories

iPhone 14 Purple Lineup Feature

Will the iPhone 14 Be a Disappointment?

Saturday May 21, 2022 9:00 am PDT by
With around four months to go before Apple is expected to unveil the iPhone 14 lineup, the overwhelming majority of rumors related to the new devices so far have focused on the iPhone 14 Pro, rather than the standard iPhone 14 – leading to questions about how different the iPhone 14 will actually be from its predecessor, the iPhone 13. The iPhone 14 Pro and iPhone 14 Pro Max are expected...
iPhone 13 Face ID

'High-End' iPhone 14 Front-Facing Camera to Cost Apple Three Times More

Monday May 23, 2022 7:05 am PDT by
The iPhone 14 will feature a more expensive "high-end" front-facing camera with autofocus, partly made in South Korea for the first time, ET News reports. Apple reportedly ousted a Chinese candidate to choose LG Innotek, a South Korean company, to supply the iPhone 14's front-facing camera alongside Japan's Sharp. The company is said to have originally planned to switch to LG for the iPhone...
iPhone 13 Always On Feature

iPhone 14 Pro Screen Refresh Rate Upgrade Could Allow for Always-On Display

Tuesday May 24, 2022 7:23 am PDT by
Last year's iPhone 13 Pro models were the first of Apple's smartphones to come with 120Hz ProMotion displays, and while the two iPhone 14 Pro models will continue to feature the technology, their screens could well boast expanded refresh rate variability this time round. To bring ProMotion displays to the ‌iPhone 13 Pro models‌, Apple adopted LTPO panel technology with variable refresh...
apple music

Apple Increases Apple Music Subscription Price for Students in Several Countries

Sunday May 22, 2022 1:57 am PDT by
Apple has silently increased the price of its Apple Music subscription for college students in several countries, with the company emailing students informing them their subscription would be slightly increasing in price moving forward. The price change is not widespread and, based on MacRumors' findings, will impact Apple Music student subscribers in but not limited to Australia, the...
EA Apple Maybe Feature

Apple Reportedly Talked With Electronic Arts About Potential Acquisition

Monday May 23, 2022 10:58 am PDT by
Apple is one of several companies that have held talks with Electronic Arts (EA) about a potential purchase, according to a new report from Puck. EA has spoken to several "potential suitors," including Apple, Amazon, and Disney as it looks for a merger arrangement. Apple and the other companies declined to comment, and the status of the talks is not known at this time, but Apple does have an ...
sony headphones 1

Sony's New WH-1000XM5 Headphones vs. Apple's AirPods Max

Friday May 20, 2022 12:18 pm PDT by
Sony this week came out with an updated version of its popular over-ear noise canceling headphones, so we picked up a pair to compare them to the AirPods Max to see which headphones are better and whether it's worth buying the $400 WH-1000XM5 from Sony over Apple's $549 AirPods Max. Subscribe to the MacRumors YouTube channel for more videos. First of all, the AirPods Max win out when it comes ...