Interesting story with a twist.

In pretty much all the hack scenarios I have seen in over 30-odd years of covering this stuff, this is the first time I have thought, WOW, that is clever; I would never have thought of that or even considered it.

A bit technical but I think a few of you might find this interesting.

 
Translation:

Pretty much all software uses common 'library' code. Why bother to write code to draw a window, interpret a date or decrypt a password when someone else has already written a library to do it for you? Your code just references a library and then builds on top of it. So when you install/build the software, it just grabs a copy of the library and incorporates it.

People find bugs in libraries all the time, so they get updated. So it's common practice to make your software grab the latest version of the library whenever it gets an opportunity. Fewer bugs and security issues, right?

Except some genius has realised that you can copy a library, tinker with it so it includes some exploit and bump its version number higher so it looks like the latest and greatest version. They then convince their target that their hacked library is the legit source, so the computer happily incorporates the nefarious code into their software.

Bingo! You have a backdoor into a piece of software.

Also see:
 
How do hackers get in? Don't the coders put in passwords? No password, no entry simple 🤣
 
That's one way to take control, but not the only way. They want password access so they can tinker with the program code and get it to do what they want. But this method bypasses the password and adds altered code directly to the system program code.
 
Translation:

Pretty much all software uses common 'library' code. Why bother to write code to draw a window, interpret a date or decrypt a password when someone else has already written a library to do it for you? Your code just references a library and then builds on top of it. So when you install/build the software, it just grabs a copy of the library and incorporates it.

People find bugs in libraries all the time, so they get updated. So it's common practice to make your software grab the latest version of the library whenever it gets an opportunity. Fewer bugs and security issues, right?

Except some genius has realised that you can copy a library, tinker with it so it includes some exploit and bump its version number higher so it looks like the latest and greatest version. They then convince their target that their hacked library is the legit source, so the computer happily incorporates the nefarious code into their software.

Bingo! You have a backdoor into a piece of software.

Also see:
Mostly right, but not quite the full story. They are not copying a public library and bumping the version. This would not work, as they could not overwrite the original package's name. Remember, they use namespaces as well.

What is happening here is companies are developing their own internal libraries and hosting them on their own internal servers. Hackers are discovering the name, namespace and version of these libraries and publishing an infected version on a public server alongside a bumped version number.

When updates are run, the npm system looks for the latest version of the named package across all available sources. So when it finds a new version on the public server, it quite happily installs it.

There are ways to avoid this happening, but if you didn't even think of the problem, you can't protect against it. This was a new and clever one for me. If they had reserved their namespace name on the public servers, this would have prevented it, I believe?

I am not an NPM expert, but that is my understanding of it.
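The two posts above (the "Translation" of how libraries get pulled in, and the correction that the attacker publishes a same-named package with a higher version on the public registry) can be shown with a small model of the lookup. The script below is an added example, not code from anyone in this thread and not npm's own resolver: it assumes a naive "highest version across every registry wins" lookup, which is what the post describes, and then shows the scope-to-registry pinning that an `.npmrc` line such as `@acme:registry=https://npm.internal.example/` expresses. The package name `acme-internal-utils`, the scope `@acme`, every version number and the private registry URL are constructed for illustration.

```javascript
// Added example: a simplified model of dependency confusion on an npm-style
// registry setup. Not npm's real resolver; names, versions and the private
// registry URL below are constructed for illustration.

// Parse "MAJOR.MINOR.PATCH" into three numbers (pre-release tags are not modelled).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Returns > 0 if a is newer than b, < 0 if older, 0 if equal.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Constructed registry contents. The private registry holds the company's real
// library; the public registry holds an attacker's upload of the same name with
// a deliberately higher version number. The scoped variant is listed on the
// public side too, to model the case where the company never reserved "@acme".
const PRIVATE_REGISTRY = 'https://npm.internal.example/'; // hypothetical
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

const registries = {
  [PRIVATE_REGISTRY]: {
    'acme-internal-utils': ['1.4.1', '1.4.2'],
    '@acme/internal-utils': ['1.4.1', '1.4.2'],
  },
  [PUBLIC_REGISTRY]: {
    'acme-internal-utils': ['99.0.0'],   // attacker's package, same name
    '@acme/internal-utils': ['99.0.0'],  // only possible if "@acme" is unclaimed publicly
  },
};

// The vulnerable lookup the post describes: consult every registry and keep the
// highest version found, regardless of where it came from.
function resolveHighestAcrossRegistries(name, regs) {
  let best = null;
  for (const [registry, packages] of Object.entries(regs)) {
    for (const version of packages[name] ?? []) {
      if (best === null || compareSemver(version, best.version) > 0) {
        best = { version, registry };
      }
    }
  }
  if (best === null) throw new Error(`package not found: ${name}`);
  return best;
}

// The hardened lookup: a scope-to-registry map sends every "@acme/..." name to
// one registry and never consults the others for that scope. Unscoped names
// still fall through to the vulnerable behaviour, which is the point: the
// protection only covers names you have put under a scope you control.
function resolveWithScopeMap(name, regs, scopeMap) {
  const scope = name.startsWith('@') ? name.split('/')[0] : null;
  const pinned = scope !== null ? scopeMap[scope] : undefined;
  const candidates = pinned !== undefined ? { [pinned]: regs[pinned] ?? {} } : regs;
  return resolveHighestAcrossRegistries(name, candidates);
}

const scopeMap = { '@acme': PRIVATE_REGISTRY };

console.log('naive, unscoped:', resolveHighestAcrossRegistries('acme-internal-utils', registries));
console.log('naive, scoped:  ', resolveHighestAcrossRegistries('@acme/internal-utils', registries));
console.log('pinned, scoped: ', resolveWithScopeMap('@acme/internal-utils', registries, scopeMap));
console.log('pinned, unscoped:', resolveWithScopeMap('acme-internal-utils', registries, scopeMap));
```

Running it prints the attacker's 99.0.0 from the public registry for both naive lookups and for the unscoped name even with the scope map in place; only the scoped name resolved through the pinned scope comes back as 1.4.2 from the private registry. Two checks follow from this for a practitioner: any internal package that is not under a scope mapped to your own registry is exposed, and claiming the scope on the public registry (what the post suggests with "reserved their namespace name") removes the attacker's ability to publish there at all, which is the belt to the `.npmrc` braces.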
 
How do hackers get in? Don't the coders put in passwords? No password, no entry simple 🤣
No passwords are required for public npm code repositories otherwise it wouldn't work.
