 "Microsoft, Apple, Netflix, Tesla and 31 other companies' internal systems were discovered with security vulnerability")
A security researcher recently discovered a vulnerability that let him access the internal system of 35 companies – which includes tech giants like Microsoft, Apple, Netflix, Tesla, Uber and PayPal – in a novel software supply chain attack. For the attack, the researcher uploaded malware to open source repositories including PyPI, npm, and RubyGems, which were then automatically distributed downstream into the companies’ internal applications. The particular supply chain attack leverages a unique design flaw of the open-source ecosystems – called dependency confusion – and it needs no action by the victim, who automatically receive the malicious packages. The report on the vulnerability discovered by the researcher, Alex Birsan, was first reported by Bleeping Computer. Birsan made use of DNS to exfiltrate the data to bypass detection. [caption id=“attachment_8609131” align=“alignright” width=“1280”]  Representational Image[/caption] Using this technique, Birsan executed a successful supply chain attack against Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, Yelp, and Uber simply by publishing public packages using the same name as the company’s internal ones. “I believe dependency confusion is quite different from typosquatting or brandjacking, as it does not necessarily require any sort of manual input from the victim…Rather, vulnerabilities or design flaws in automated build or installation tools may cause public dependencies to be mistaken for internal dependencies with the exact same name,” Birsan said. The researcher earned over $130,000 in bug bounties for his ethical research. Microsoft awarded him their highest bug bounty of $40,000. PayPal has disclosed that it will be awarding Birsan a $30,000 bounty amount. Another $30,000 reward came from Apple. Birsan added that Shopify awarded a $30,000 bug bounty for finding the issue. Tesla and other companies also rewarded him with their specific bounty programs.
The researcher, Alex Birsan, earned over $130,000 in bug bounties for his ethical research from Microsoft, Apple, PayPal and other companies.
Advertisement
End of Article
 "Charlie Kirk, shot dead in Utah, once said gun deaths are 'worth it' to save Second Amendment")
 "From governance to tourism, how Gen-Z protests have damaged Nepal")
 "Did Russia deliberately send drones into Poland’s airspace?")
 "Netanyahu ‘killed any hope’ for Israeli hostages: Qatar PM after Doha strike")
 "Charlie Kirk, shot dead in Utah, once said gun deaths are 'worth it' to save Second Amendment")
 "From governance to tourism, how Gen-Z protests have damaged Nepal")
 "Did Russia deliberately send drones into Poland’s airspace?")
 "Netanyahu ‘killed any hope’ for Israeli hostages: Qatar PM after Doha strike")
](https://images.firstpost.com/wp-content/uploads/2020/07/Hackers-Coders-Cozy-Bear.jpg){kind=link}