Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

The Story of a Novel Supply Chain Attack

(Figure: `pip install package_name`)

The Idea

While attempting to hack PayPal with me during the summer of 2020, Justin Gardner (@Rhynorater) shared an interesting bit of Node.js source code found on GitHub.

  • Will developers, or even automated systems, start running the code inside the libraries?
  • If this works, can we get a bug bounty out of it?
  • Would this attack work against other companies too?

“It’s Always DNS”

Thankfully, npm allows arbitrary code to be executed automatically upon package installation, allowing me to easily create a Node package that collects some basic information about each machine it is installed on through its preinstall script.


The More The Merrier

With the basic plan for the attack in place, it was now time to uncover more possible targets.


Results

The success rate was simply astonishing.


“It’s Not a Bug, It’s a Feature”

Despite the large number of dependency confusion findings, one detail was — and still is, to a certain extent — unclear: Why is this happening? What are the main root causes behind this type of vulnerability?

  • Checks whether the library exists on the public package index (PyPI)
  • Installs whichever version is found. If the package exists on both indexes, it defaults to installing from the source with the higher version number.
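The resolution rule just described is easy to model and audit. The following is an added example, not code from the original post: it simulates an installer that merges an internal index with the public one and picks the highest version regardless of source, then flags internal names that would be shadowed or that are not yet claimed publicly. The index contents and package names (`acme-*`) are constructed sample data.

```python
# Added example (not from the original post): model the merged-index
# resolution described above and audit an internal dependency list against it.

def parse_version(v):
    # Simplified version parser; assumes plain dotted integers (constructed input only).
    return tuple(int(part) for part in v.split("."))

def resolve(name, internal_index, public_index):
    """Pick the candidate an installer chooses when both indexes are consulted
    (--extra-index-url style): the highest version wins, whatever its source.
    Passing an empty public_index models a configuration that only trusts the
    internal index."""
    candidates = []
    for source, index in (("internal", internal_index), ("public", public_index)):
        for version in index.get(name, ()):
            candidates.append((parse_version(version), source, version))
    if not candidates:
        return None
    best = max(candidates)  # tuple comparison: version decides first
    return {"source": best[1], "version": best[2]}

def audit(requirements, internal_index, public_index):
    """Classify each internal requirement:
    confused      - a public package of the same name wins on version
    unclaimed     - internal-only name that nobody has registered publicly
    internal-wins - internal version currently higher, but only by luck
    missing       - not found on either index"""
    report = {}
    for name in requirements:
        chosen = resolve(name, internal_index, public_index)
        if chosen is None:
            report[name] = "missing"
        elif chosen["source"] == "public":
            report[name] = "confused"
        elif name not in public_index:
            report[name] = "unclaimed"
        else:
            report[name] = "internal-wins"
    return report

# Constructed sample indexes: package names and versions are placeholders.
INTERNAL = {"acme-auth": ["1.4.0"], "acme-billing": ["2.0.1"], "acme-core": ["3.1.0"]}
PUBLIC = {"acme-auth": ["99.0.0"], "acme-core": ["1.0.0"]}

if __name__ == "__main__":
    print(audit(["acme-auth", "acme-billing", "acme-core"], INTERNAL, PUBLIC))
    print(resolve("acme-auth", INTERNAL, {}))  # internal index only
```

Running the audit on a real dependency list would replace the constructed `PUBLIC` dict with a lookup against the public index; the "unclaimed" names are the ones to register or to block via a single trusted index.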

Future Research?

While many of the large tech companies have already been made aware of this type of vulnerability, and have either fixed it across their infrastructure, or are working to implement mitigations, I still get the feeling that there is more to discover.

Shout-outs

  • @EdOverflow and @prebenve, who independently researched similar types of attacks before I did, but have unfortunately not published their findings yet
  • Justin Gardner (@Rhynorater), for sharing the piece of code that sparked the initial idea, and for proofreading this post
  • @streaak, for helping find many of the vulnerable targets, and being awesome to work with
  • Ettic, the creators of the excellent tool dnsbin, which I have used to log DNS callbacks
  • Ohm M., Plate H., Sykosch A., Meier M. (2020) “Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks”. DIMVA 2020. Lecture Notes in Computer Science, vol 12223. Springer, Cham (source of the supply chain attack tree illustration)
  • All of the companies who run public bug bounty programs, making it possible for us to spend time chasing ideas like this one. Thank you!
