Security researcher finds exploit that let him run code on Apple, Microsoft, and PayPal servers
Security researcher Alex Birsan discovered a vulnerability that allowed him to run code on servers owned by Apple, Microsoft, PayPal, and more than 30 other companies (via Bleeping Computer). The exploit is also relatively simple, and it's something many big software developers are now going to have to figure out how to protect themselves from.
The exploit takes advantage of a relatively simple trick: replacing private packages with public ones. When companies build software, they often use open source code written by other people so that they don't have to invest time and resources in solving an already solved problem. For example, I worked on sites that had to convert text files into web pages in real time. Instead of writing code to do it ourselves, my team found a program that did it and built it into our site.
These publicly available programs can be found in repositories like npm for NodeJS, PyPI for Python, and RubyGems for Ruby. It is worth noting that Birsan found that all three of these repositories could be used to carry out this attack, but it is not necessarily limited to just those three.
In addition to these public packages, companies often build their own private packages, which they don't upload but rather distribute among their own developers. This is where Birsan found the loophole. He discovered that if he could find the names of the private packages that companies use (a task that turned out to be very easy in most cases), he could upload his own code to one of the public repositories under the same name, and the companies' automated systems would use his code instead. Not only would they download his package instead of the correct one, but they would also run the code inside it.
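The resolution mistake described above, shown as a small simulation (an added example, not code from the article or from Birsan's research): two constructed package indexes, a merged-index resolver that picks the highest version regardless of where it came from, a hardened resolver that only fetches declared-private names from the private index, and a defender's check for private names that already exist publicly. Package names, versions, and the index structure are all constructed assumptions.

```python
# Simulated dependency resolution illustrating dependency confusion.
# Constructed data: a private index and a public index that share a name.
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]

def parse_version(v: str) -> Version:
    # Plain numeric dotted versions only (the constructed data uses these).
    return tuple(int(part) for part in v.split("."))

# Constructed indexes: package name -> available versions.
PRIVATE_INDEX: Dict[str, List[str]] = {
    "acme-internal-utils": ["1.2.0"],
    "acme-billing": ["0.9.1"],
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.25.1"],
    # Same name as a private package, published publicly with a higher version.
    "acme-internal-utils": ["99.0.0"],
}

def resolve_vulnerable(name: str) -> Optional[Tuple[str, str]]:
    """Merged-index resolution: the highest version wins, whatever its source."""
    candidates = [("private", v) for v in PRIVATE_INDEX.get(name, [])]
    candidates += [("public", v) for v in PUBLIC_INDEX.get(name, [])]
    if not candidates:
        return None
    return max(candidates, key=lambda c: parse_version(c[1]))

def resolve_hardened(name: str, private_names: Set[str]) -> Optional[Tuple[str, str]]:
    """Names declared private are fetched only from the private index."""
    if name in private_names:
        versions = PRIVATE_INDEX.get(name, [])
        if not versions:
            return None  # never fall back to the public index for a private name
        return ("private", max(versions, key=parse_version))
    versions = PUBLIC_INDEX.get(name, [])
    return ("public", max(versions, key=parse_version)) if versions else None

def find_collisions(private_names: Set[str]) -> List[str]:
    """Defender check: which private package names also exist on the public index?"""
    return sorted(n for n in private_names if n in PUBLIC_INDEX)
```

Running `find_collisions` against the real public registries would replace the constructed `PUBLIC_INDEX` lookup with a query to each registry's package API.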
To illustrate this with an example, imagine you have a Word document on your computer, but when you go to open it, your computer says, "Hey, there's another Word document online with the same name. I'll open that one instead." Now imagine that a Word document can automatically make changes to your computer. That would not be a great situation.
The companies seem to agree that the problem is serious. In his Medium post, Birsan wrote that "most of the awarded bug bounties were set at the maximum amount allowed by each program's policy, and sometimes more." For those unfamiliar, bug bounties are cash rewards that companies pay to people who find serious bugs. The more severe the bug, the more money they will pay.
According to Birsan, most of the companies he contacted about the exploit were able to quickly fix their systems so that they were no longer vulnerable. Microsoft has even put together a white paper explaining how administrators can protect their companies from such attacks, but it is surprising that it took this long for someone to realize that these mega corporations were vulnerable to such attacks. Thankfully, this isn't the kind of story that ends with you having to update every device in your home right away, but it looks like it will be a long week for admins who now need to change the way their company uses public code.