Security researcher Ahmed Sobhy has found a security vulnerability that allowed him to run code on servers owned by Apple, Microsoft, PayPal, and over 30 other companies. The exploit is also deviously simple, and it’s something that many large software developers will have to figure out how to protect themselves from.
The exploit takes advantage of a relatively simple trick: replacing private packages with public ones. When companies are building programs, they often use open-source code written by other people, so they’re not spending time and resources solving a problem that’s already solved. For example, I’ve worked on websites that had to convert text files to webpages in real time. Instead of writing code to do it ourselves, my team found a program that did that and built it into our site.
These publicly available programs can be found on repositories like npm for Node.js, PyPI for Python, and RubyGems for Ruby. It is worth noting that Birsan found those three repositories could be used to carry out this attack, but the technique isn’t limited to just those three.
In addition to these public packages, companies will often build their own private ones, which they don’t upload, but instead distribute among their own developers. This is where Sobhy found the exploit. He discovered if he could find the names of the private packages used by companies (a task that turned out to be very easy in most cases), he could upload his own code to one of the public repositories with the same name, and the companies’ automated systems would use his code instead. Not only would they download his package instead of the correct one, but they would also run the code inside it.
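To make the mechanism concrete, here is an added example (not code from the article or from the researcher) that simulates a build tool merging a private and a public package index: the naive resolver picks whichever copy has the higher version number, so a public package with a look-alike name wins, while the hardened resolver only ever looks up declared-internal names on the private index. Package names, versions and both indexes are constructed for illustration.

```python
"""Simulated dependency resolution across a private and a public index.

Shows why a public package with the same name as an internal one gets
picked (dependency confusion) and one mitigation: internal names are
resolved only against the internal index. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # e.g. (1, 4, 0); tuples compare component-wise
    index: str      # "private" or "public"


# Constructed sample data: one internal package, and a public package
# that someone registered under the same name with a huge version number.
PRIVATE_INDEX = [Candidate("acme-auth-client", (1, 4, 0), "private")]
PUBLIC_INDEX = [
    Candidate("requests", (2, 31, 0), "public"),
    Candidate("acme-auth-client", (99, 0, 0), "public"),
]


def resolve_naive(name, indexes):
    """Common default behaviour: union all indexes, highest version wins."""
    matches = [c for idx in indexes for c in idx if c.name == name]
    return max(matches, key=lambda c: c.version) if matches else None


def resolve_pinned(name, internal_names, private_index, public_index):
    """Mitigation: a name declared internal is never looked up publicly."""
    source = private_index if name in internal_names else public_index
    matches = [c for c in source if c.name == name]
    return max(matches, key=lambda c: c.version) if matches else None


def find_collisions(internal_names, public_index):
    """Audit helper: which internal names already exist on the public index?"""
    public_names = {c.name for c in public_index}
    return sorted(n for n in internal_names if n in public_names)


if __name__ == "__main__":
    internal = {"acme-auth-client"}
    print("naive :", resolve_naive("acme-auth-client", [PRIVATE_INDEX, PUBLIC_INDEX]))
    print("pinned:", resolve_pinned("acme-auth-client", internal, PRIVATE_INDEX, PUBLIC_INDEX))
    print("collisions:", find_collisions(internal, PUBLIC_INDEX))
```

The `find_collisions` check is the part worth running regularly against a real registry: a hit means an internal name is already claimed publicly and the build configuration needs to pin that name to the private index.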