Security researcher Alex Birsan found a major flaw affecting services at Microsoft, Netflix, Apple, Tesla and Uber. The problem lies in how these companies consume open source software. This is reported by 9to5Mac, citing the Bleeping Computer portal.
The attack involves getting malicious code pulled in from the public open source repositories (such as PyPI, npm and RubyGems) that many tech companies rely on. Unlike traditional attacks, this method requires no social engineering and no involvement of anyone other than the attacker.
The download happens automatically: the attacker only needs to publish a package to the public repository under the same name as a software package the company uses internally, with a version number higher than the current one. This is possible because of confusion over which repository a dependency should come from. In simple terms, for all parts of the software to work together the build must keep its dependencies consistent, so when the tooling resolves packages against the repositories it treats the malicious package as the newer version of the legitimate one and installs it.
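To make the resolution logic concrete, here is an added example (not from the article or from Birsan's research) that simulates a package resolver merging a private and a public index. The "highest version wins" rule models the behaviour that tools such as pip show when an extra index is configured; the hardened variant pins internal names to the private index, and an audit function flags names that would otherwise be served from the public index. All package names, versions and the `acme-` prefix are constructed.

```python
from typing import Dict, List, Tuple

Candidate = Tuple[str, str]  # (index name, version string)
Index = Dict[str, List[str]]  # package name -> available versions

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

# Constructed indexes: the private index holds the company's internal package;
# the public index holds an unrelated package plus a look-alike of the internal
# one with a much higher version number (the situation the article describes).
PRIVATE_INDEX: Index = {"acme-internal-utils": ["1.2.0", "1.3.0"]}
PUBLIC_INDEX: Index = {"requests": ["2.25.1"], "acme-internal-utils": ["99.0.0"]}
INDEXES: Dict[str, Index] = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}

def _pick_highest(name: str, indexes: Dict[str, Index], allowed) -> Candidate:
    candidates = [(idx, v) for idx, pkgs in indexes.items()
                  if idx in allowed for v in pkgs.get(name, [])]
    if not candidates:
        raise LookupError(f"no candidate for {name}")
    return max(candidates, key=lambda c: parse_version(c[1]))

def resolve_naive(name: str, indexes: Dict[str, Index]) -> Candidate:
    """Merge candidates from every index and take the highest version.
    This mirrors the behaviour that makes dependency confusion possible."""
    return _pick_highest(name, indexes, allowed=set(indexes))

def resolve_scoped(name: str, indexes: Dict[str, Index],
                   internal_prefix: str = "acme-") -> Candidate:
    """Hardened policy: names carrying the internal prefix are resolved only
    against the private index, so a public look-alike is never considered."""
    allowed = {"private"} if name.startswith(internal_prefix) else set(indexes)
    return _pick_highest(name, indexes, allowed=allowed)

def audit(requirements: List[str], indexes: Dict[str, Index],
          internal_prefix: str = "acme-") -> List[Candidate]:
    """Defender's check: list internal names whose naive resolution would be
    served from a public index, i.e. names that are already claimed publicly."""
    findings = []
    for name in requirements:
        idx, ver = resolve_naive(name, indexes)
        if name.startswith(internal_prefix) and idx != "private":
            findings.append((name, ver))
    return findings
```

Running `audit(["requests", "acme-internal-utils"], INDEXES)` reports the internal name that a naive resolver would fetch from the public index, which is the condition a build pipeline should reject.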
Of course, Alex uploaded packages without any malicious code to the repositories, but with his experiment he was able to point out the security flaws to the IT giants and help them fix them. So far he has received bounties totalling $130 thousand. Apple says it will also soon pay the researcher for his work.