Security researcher Alex Birsan discovered a security vulnerability that allowed him to run code on the servers of more than 35 technology companies, including Apple, Microsoft, PayPal, Netflix, Shopify, Tesla, and Uber.
The exploit is deceptively simple, and many large software developers need to know how to protect themselves from it.
It takes advantage of a relatively simple trick: substituting public packages for private ones.
When companies build software, they often use open source code written by other people, so they don't spend time and resources solving a problem that has already been solved.
These publicly available packages are found in repositories such as npm, PyPI, and RubyGems.
It is worth noting that Birsan found these repositories could be used to carry out the attack, but the issue is not limited to those three.
In addition to these public packages, companies often build their own packages, which they do not publish publicly but instead distribute among their own developers; this is where Birsan found the loophole.
Birsan discovered that if he could find the names of the private packages a company used, a task that turned out to be very easy in most cases, he could upload his own code to a public repository under the same name, and the companies' automated systems would use his code instead.
Not only would the companies download his package instead of the correct one, they would also run the code inside it.
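The weakness described above leaves a trace in the lockfile: an internal package that was resolved from the public registry rather than the company's own. The following is an added example, not Birsan's code or any company's tooling; it audits a package-lock-style manifest for that condition. The registry hostname `npm.internal.example`, the `@acme`/`acme-*` package names, and the lockfile contents are all constructed for the example.

```python
"""Audit an npm package-lock (v2 "packages" map) for dependency-confusion exposure.

Two findings are produced:
  high   - an internal package whose "resolved" URL points at a host other
           than the private registry (it was fetched from the public registry)
  medium - an internal package that is unscoped, so its bare name could be
           claimed by anyone on the public registry
"""
from urllib.parse import urlparse

# Assumption: the company's private registry host (hypothetical).
PRIVATE_REGISTRY_HOST = "npm.internal.example"

# Assumption: names the company publishes only internally (constructed).
INTERNAL_PACKAGES = {"@acme/billing-core", "acme-auth-utils", "acme-reporting"}

# Constructed sample lockfile. "acme-auth-utils" shows the confusion case:
# an internal name resolved from the public registry at a much higher version.
SAMPLE_LOCK = {
    "packages": {
        "": {"name": "acme-app", "version": "0.1.0"},
        "node_modules/@acme/billing-core": {
            "version": "1.4.2",
            "resolved": "https://npm.internal.example/@acme/billing-core/-/billing-core-1.4.2.tgz",
        },
        "node_modules/acme-auth-utils": {
            "version": "99.0.1",
            "resolved": "https://registry.npmjs.org/acme-auth-utils/-/acme-auth-utils-99.0.1.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
        "node_modules/acme-reporting": {
            "version": "2.0.0",
            "resolved": "https://npm.internal.example/acme-reporting/-/acme-reporting-2.0.0.tgz",
        },
    }
}


def package_name(lock_path):
    """Map a lockfile path to a package name, handling nested node_modules.

    'node_modules/@acme/x'                   -> '@acme/x'
    'node_modules/a/node_modules/@acme/x'    -> '@acme/x'
    """
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lock(lock, internal_packages, private_host):
    """Return a list of findings for internal packages in the lockfile."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # root project entry, not a dependency
        name = package_name(path)
        if name not in internal_packages:
            continue  # third-party packages are expected to come from the public registry
        host = urlparse(meta.get("resolved", "")).hostname
        if host != private_host:
            findings.append({
                "package": name,
                "version": meta.get("version"),
                "severity": "high",
                "reason": f"internal package resolved from {host!r}, expected {private_host!r}",
            })
        elif not name.startswith("@"):
            findings.append({
                "package": name,
                "version": meta.get("version"),
                "severity": "medium",
                "reason": "internal package is unscoped; the bare name can be claimed on the public registry",
            })
    return findings


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK, INTERNAL_PACKAGES, PRIVATE_REGISTRY_HOST):
        print(f"[{f['severity']}] {f['package']}@{f['version']}: {f['reason']}")
```

Run against the sample, the audit reports `acme-auth-utils` as high (resolved from registry.npmjs.org) and `acme-reporting` as medium (unscoped), while `@acme/billing-core` passes because it is scoped and pinned to the private host. The same check fits in a CI step on the committed lockfile, where the high finding should fail the build.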
The companies seemed to agree that the problem was serious; in his post on Medium, Birsan wrote that the majority of the bug bounties awarded were set to the maximum permitted under each program's policy, and sometimes higher.
The researcher received more than $130,000 in bug bounties for his ethical research efforts.
According to Birsan, most of the companies he contacted about the exploit were able to quickly patch their systems so that they were no longer vulnerable.
Microsoft published a technical document explaining how system administrators can protect companies from this type of attack, but it is surprising that it took so long for someone to realize that these huge companies were vulnerable to it.