What's New

Interesting story with a twist. (1 Viewer)

Gromett

Gromett

Feb 27, 2011
14,778
76,383
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
In pretty much all hack scenarios I have seen in over 30 odd years of covering this stuff this is the first time I have thought, WOW that is clever I would never have thought of that or even considered it.

A bit technical but I think a few of you might find this interesting.

arstechnica.com

Backdoor in public repository used new form of attack to target big firms

Dependency confusion attacks exploit our trust in public code repositories.
arstechnica.com arstechnica.com
 
Guigsy

Guigsy

Sep 17, 2017
5,523
10,323
Birmingham, UK
Funster No
50,575
MH
A-Class
Exp
2017
Translation:

Pretty much all software uses common 'library' code. Why bother to write code to draw a window, interpret a date or decrypt a password when someone else has already written a library to do it for you? Your code just references a library and then builds on top of it. So when you install/build the software, it just grabs a copy of the library and incorporates it in.

People find bugs in libraries all the time, so they get updated. So it's common practice to make your software grab the latest version of the library whenever it gets an opportunity. Less bugs and security issues, right?

Except some genius has realised that you can copy a library, tinker with it so it includes some exploit and bump it's version number higher so it looks like the latest and greatest version. They then convince their target that their hacked library is the legit source, so the computer happily incorporates the nefarious code into their software.

Bingo! You have a backdoor into a piece of software.

Also see:
xkcd.com

Dependency

xkcd.com xkcd.com
 
A

autorouter

Apr 27, 2016
6,889
8,028
Manchester
Funster No
42,762
MH
A class Hymer
Exp
Since the 80s
Richard n Ann said:
How do hackers get in? Don't the coders put in passwords? No password, no entry simple šŸ¤£
Click to expand...
That's one way to take control, but not the only way. They want password access so they can tinker with the program code and get it to do what they want. But this method bypasses the password and adds altered code directly to the system program code.
 
OP
OP
Gromett

Gromett

Feb 27, 2011
14,778
76,383
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
Guigsy said:
Translation:

Pretty much all software uses common 'library' code. Why bother to write code to draw a window, interpret a date or decrypt a password when someone else has already written a library to do it for you? Your code just references a library and then builds on top of it. So when you install/build the software, it just grabs a copy of the library and incorporates it in.

People find bugs in libraries all the time, so they get updated. So it's common practice to make your software grab the latest version of the library whenever it gets an opportunity. Less bugs and security issues, right?

Except some genius has realised that you can copy a library, tinker with it so it includes some exploit and bump it's version number higher so it looks like the latest and greatest version. They then convince their target that their hacked library is the legit source, so the computer happily incorporates the nefarious code into their software.

Bingo! You have a backdoor into a piece of software.

Also see:
xkcd.com

Dependency

xkcd.com xkcd.com
Click to expand...
Mostly right, but not quite the full story. They are not copying a public library and bumping the version. This would not work as they could not overwrite the original packages name. Remember they use namespaces as well.

What is happening here is companies are developing their own internal libraries and hosting them on their own internal servers. Hackers are discovering the name, namespace and version of these libraries and publishing an infected version on a public server alongside a bumped version number.

When updates are run, the npm system looks for the latest version of the named package across all available sources. So when it finds a new version on the public server it quite happily installs it.
There are ways to avoid this happening, but if you didn't even think of the problem you can't protect against it. This was a new and clever one for me. If they reserved their namespace name on the public servers this would have prevented it I believe?

I am not an NPM expert, but that is my understanding of it.
 

Join us or log in to post a reply.

To join in you must be a member of MotorhomeFun

Join MotorhomeFun

Join us, it quick and easy!

Join us

Log in

Already a member? Log in here.

Latest journal entries

Funsters who are viewing this thread

Total: 2 (members: 0, guests: 2)
Back
Top