A cyber security researcher has utilised a security vulnerability to run code on servers owned by over 35 major tech companies, including Apple, Microsoft, Netflix, Tesla, Uber, Shopify, Yelp and PayPal, the media reported.
According to Bleeping Computer, security researcher Alex Birsan found a security vulnerability that allowed him to run code on those servers in what is touted as a novel software supply chain attack. Birsan has earned over $130,000 in rewards through bug bounty programmes and pre-approved penetration testing arrangements with these companies.
"I feel that it is important to make it clear that every single organisation targeted during this research has provided permission to have its security tested, either through public bug bounty programs or through private agreements. Please do not attempt this kind of test without authorisation," Birsan was quoted as saying in the report.
Microsoft awarded him their highest bug bounty amount of $40,000 and released a white paper on this security issue. The tech giant identified the issue as CVE-2021-24105 for their Azure Artifactory product.
Uploading malware to open
The novel software supply chain attack comprised uploading malware to open source repositories, "which then got distributed downstream automatically into the company's internal applications". The supply chain attack was more sophisticated as it needed no action by the victim, who automatically received the malicious packages.
Apple told Bleeping Computer that Birsan will get a reward via its Security Bounty programme for responsibly disclosing this issue. PayPal has publicly disclosed Birsan's HackerOne report mentioning the $30,000 bounty amount.
The possibility remains for such attacks to resurface and grow, especially on open-source platforms with no easy solution for dependency confusion, according to the researcher.
"I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs," the researcher said in his blog post.