Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
👇Check the thread after reading for a few bonus facts👇
medium.com/@alex.birsan/d…
👇Check the thread after reading for a few bonus facts👇
medium.com/@alex.birsan/d…
Scope:
Other than the mentioned .NET bug, only one other team said the finding was out of scope, using this as a reason to reduce the bounty from P1 to P2.
We've also purposely avoided reporting to at least one program that had "internal or development services" listed as OOS
Other than the mentioned .NET bug, only one other team said the finding was out of scope, using this as a reason to reduce the bounty from P1 to P2.
We've also purposely avoided reporting to at least one program that had "internal or development services" listed as OOS
Pytosquatting:
In Python, the 'install' name of a package can be different from the 'import' name. This allows for an unique type of typosquatting attack by uploading under unclaimed import names on PyPI, where it can be downloaded by developers, or even automated tools.
In Python, the 'install' name of a package can be different from the 'import' name. This allows for an unique type of typosquatting attack by uploading under unclaimed import names on PyPI, where it can be downloaded by developers, or even automated tools.
I tried this out against some Google open source projects and it actually got me inside two *.corp.google.com machines.
However, just like typosquatting, this mostly relies on one-off mistakes. Google did not accept it as a valid vuln, and I fully agree with their assessment.
However, just like typosquatting, this mostly relies on one-off mistakes. Google did not accept it as a valid vuln, and I fully agree with their assessment.
Fun fact: those packages are long gone from PyPI but for some reason they are still up on some sort of Chinese mirror, and I still get various callbacks from China to this day.
Finally, a brief look at how each package hosting service responded after seeing the test packages:
* npm - initially deleted a few, stopped after my intentions were clarified
* PyPI - deleted all packages, made it clear that testing this is not allowed
* RubyGems - no reaction
* npm - initially deleted a few, stopped after my intentions were clarified
* PyPI - deleted all packages, made it clear that testing this is not allowed
* RubyGems - no reaction
• • •
Missing some Tweet in this thread? You can try to
force a refresh
