How can your typo get you hacked?

Puneet Saraswat
Published in Bobble Engineering
3 min read, Jul 1, 2021

Have you ever wondered whether a simple typing error can get you into trouble? If not, start wondering, because it can, and after reading this post you will know how.

When building applications in any programming language we use many third-party libraries, which are simply pieces of code written by other people. To run their code on our machines or on our servers we have to trust them.

Ever since we started learning how to code, we have been fascinated by the level of trust we put in a simple command like:

pip install package_name

Some programming languages, like Python, come with an easy, more or less official way of installing dependencies for your projects. These installers are usually tied to public package repositories where anyone can freely upload packages for others to use.

There are tools that make using these libraries easier: npm for JavaScript, pip for Python, gem for Ruby.

Here I will focus on Python and pip because most of us are familiar with them, but everything below applies in exactly the same way to the others.

Suppose we want to install the “requests” library in Python. All we have to do is run the command:

pip install requests

It may seem that installing packages this way is safe, as they must be official packages or at least verified by someone, but that is not the case. When we download and use a package from any of these sources, we are trusting its publisher to run code on our machine. So can this blind trust be exploited by malicious actors?

Yes, it can. Anyone can create a package as long as its name is not already taken.

All that is required is an account on https://pypi.org/ and a project packaged for upload.

Now you probably have an idea of how your typo can get you hacked. If not, the idea is that attackers can publish libraries whose names are simple typos of popular ones, for example:

requsts
rquests
reqests
request

and many more like these. All they have to do is put their remote-execution code inside the package, and one mistyped install command hands them your machine. The same applies to npm and gem.

So the takeaway is to always double-check the spelling, especially when installing third-party libraries.
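One way to automate that spelling check, as an added example that is not part of the original post: the script below compares every name in a requirements list against an allow-list of approved packages and flags any name that is not approved but sits within a couple of edits of one that is. The allow-list and the sample requirements are made up for this example.

```python
import re

# Constructed allow-list of approved package names (an assumption for this example).
KNOWN_PACKAGES = {"requests", "numpy", "flask", "urllib3", "pyyaml"}

def damerau_levenshtein(a: str, b: str) -> int:
    """Edits needed to turn a into b: insert, delete, substitute or swap
    adjacent characters, the four mistakes a typo usually makes."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def check_requirements(lines, known=KNOWN_PACKAGES, max_distance=2):
    """Return {requirement: closest approved name} for every requirement that is
    not approved itself but sits within max_distance edits of an approved name."""
    suspicious = {}
    for line in lines:
        # Strip version specifiers, extras and comments: "rquests>=1.0  # x" -> "rquests"
        name = re.split(r"[<>=!~\[;# ]", line.strip(), maxsplit=1)[0]
        if not name:
            continue
        norm = normalize(name)
        if norm in known:
            continue
        closest = min(known, key=lambda k: damerau_levenshtein(norm, k))
        if damerau_levenshtein(norm, closest) <= max_distance:
            suspicious[name] = closest
    return suspicious

# Constructed requirements list that includes the misspellings from the post.
SAMPLE_REQUIREMENTS = ["requests==2.25.1", "requsts", "rquests>=1.0", "reqests", "request", "numpy"]

if __name__ == "__main__":
    for bad, good in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{bad!r} is not on the allow-list but is very close to {good!r}")
```

Running it over the sample list reports the four misspellings and lets the correctly spelled entries through; in practice the allow-list would come from the packages your team has actually reviewed.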

Hope this will be helpful to you :)
