Researcher enters servers of 35 tech companies, runs code


New Delhi, Feb 11 (IANS): A cyber security researcher has utilised a security vulnerability to run code on servers owned by over 35 major tech companies, including Apple, Microsoft, Netflix, Tesla, Uber, Shopify, Yelp and PayPal, the media reported.

According to Bleeping Computer, security researcher Alex Birsan found a security vulnerability that allowed him to run code on those servers in what is touted as a novel software supply chain attack.

Birsan has earned over $130,000 in rewards through bug bounty programmes and pre-approved penetration testing arrangements with these companies.

"I feel that it is important to make it clear that every single organisation targeted during this research has provided permission to have its security tested, either through public bug bounty programs or through private agreements. Please do not attempt this kind of test without authorisation," Birsan was quoted as saying in the report.

Microsoft awarded him their highest bug bounty amount of $40,000 and released a white paper on this security issue.

The tech giant identified the issue as CVE-2021-24105 for their Azure Artifactory product.

The novel software supply chain attack comprised uploading malware to open source repositories, "which then got distributed downstream automatically into the company's internal applications".

The supply chain attack was more sophisticated as it needed no action by the victim, who automatically received the malicious packages.

Apple told Bleeping Computer that Birsan will get a reward via its Security Bounty programme for responsibly disclosing this issue.

PayPal has publicly disclosed Birsan's HackerOne report mentioning the $30,000 bounty amount.

The possibility remains for such attacks to resurface and grow, especially on open-source platforms with no easy solution for dependency confusion, according to the researcher.

"I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs," the researcher said in his blog post.

  

Top Stories


Leave a Comment

Title: Researcher enters servers of 35 tech companies, runs code



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.