According to a warning published by Microsoft on Tuesday, a new attack technique called "dependency confusion" or "substitution attack" can be used to contaminate the application build process in corporate environments.
The technique abuses the interplay between package managers, public and private package repositories, and build processes.
The applications a company builds may be offered to its customers or used internally as tools for its employees.
Some of these applications contain proprietary or highly sensitive code. For those, companies often rely on private libraries kept in a private (internal) package repository hosted within the company network.
When company developers build applications, they combine these private libraries with public libraries downloaded from public package portals such as npm, PyPI, NuGet and others.
Security researchers have found that the dependency confusion technique targets precisely these mixed development environments inside large companies.
The researchers showed that if an attacker learns the names of the private libraries used in a company's build process, they can register those names on public package repositories and upload same-named public packages that contain malicious code.
The attack succeeds when developers build their applications in the corporate environment and the package manager prefers the (malicious) library hosted in the public repository over the internal library of the same name, typically because the public copy advertises a higher version number.
The research team discovered the attack after noticing that large technology companies had accidentally leaked the names of various internal libraries; the researchers then registered packages with those same names on repositories such as npm, RubyGems and PyPI.
Using this method, the researchers said they successfully got their own code loaded into applications used by 35 major technology companies, including Apple, Microsoft, PayPal, Shopify, Netflix, Yelp and Uber.
Besides npm, RubyGems and PyPI, other package ecosystems are affected as well, including JFrog (Artifactory), Maven Central and NuGet.
While the research team said it informed all affected companies and package repositories, Microsoft appears to have taken the issue most seriously.
Following the publication of the research on Tuesday, the company, which also runs the NuGet package manager for .NET developers, issued a warning detailing the dependency confusion technique, which Microsoft calls a "substitution attack."
Some of its recommendations are:
- Reference one private feed, not multiple
- Protect your private packages by using controlled scopes (reserved namespaces or ID prefixes) on public package repositories
- Use client-side verification features such as version pinning and integrity verification
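The following toy resolver models both the failure mode described above (the package manager merging a private and a public feed and taking the highest version) and the two client-side mitigations in the list (a single feed for internal names, and version pinning with integrity verification). It is an added example, not code from the article, the researchers or Microsoft; the package name `corp-auth`, the versions, payloads and the hash are all constructed for the demonstration, and the behaviour mirrors `pip --extra-index-url` versus `pip --require-hashes` only loosely.

```python
"""Toy model of dependency confusion and of the mitigations that close it.
Added example, not code from the article or from Microsoft's guidance; every
package name, version, payload and hash below is constructed for the demo."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple      # (major, minor, patch); tuple comparison orders them
    source: str         # "private" or "public"
    payload: bytes      # stands in for the archive that would be installed


# Constructed feeds.  "corp-auth" is an internal library whose name leaked;
# an attacker has registered it publicly, both at a much higher version and
# at the exact version the company uses.
PRIVATE_INDEX = {
    "corp-auth": [Candidate("corp-auth", (1, 2, 0), "private", b"internal auth lib")],
}
PUBLIC_INDEX = {
    "corp-auth": [
        Candidate("corp-auth", (99, 0, 0), "public", b"malicious payload"),
        Candidate("corp-auth", (1, 2, 0), "public", b"malicious payload v1.2.0"),
    ],
    "requests": [Candidate("requests", (2, 31, 0), "public", b"public http lib")],
}
INTERNAL_NAMES = {"corp-auth"}   # names that must never come from a public feed


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash the build team recorded for the genuine 1.2.0 artifact (constructed).
GOOD_HASH = sha256(b"internal auth lib")


def candidates_merged(name):
    """Vulnerable lookup: both feeds form one pool, which is what a secondary
    public index or a fall-through proxy gives you."""
    return PRIVATE_INDEX.get(name, []) + PUBLIC_INDEX.get(name, [])


def candidates_single_feed(name):
    """Mitigation: an internal name is only ever looked up in the private
    feed (npm scopes and NuGet ID prefix reservation achieve the same)."""
    feed = PRIVATE_INDEX if name in INTERNAL_NAMES else PUBLIC_INDEX
    return feed.get(name, [])


def pick_highest(pool):
    """Default resolver rule: highest version wins, regardless of source."""
    return max(pool, key=lambda c: c.version) if pool else None


def pick_pinned(pool, pinned_version, expected_sha256):
    """Mitigation: exact version pin plus integrity verification.  A package
    at the pinned version whose hash does not match is rejected rather than
    installed."""
    for c in pool:
        if c.version != pinned_version:
            continue
        if sha256(c.payload) != expected_sha256:
            raise ValueError(
                f"{c.name} {c.version} from {c.source}: integrity check failed "
                "(possible substitution)")
        return c
    raise ValueError(f"pinned version {pinned_version} is not available")


if __name__ == "__main__":
    hit = pick_highest(candidates_merged("corp-auth"))
    print("merged feeds ->", hit.source, hit.version)        # public (99, 0, 0)
    hit = pick_highest(candidates_single_feed("corp-auth"))
    print("single feed  ->", hit.source, hit.version)        # private (1, 2, 0)
    try:
        pick_pinned(PUBLIC_INDEX["corp-auth"], (1, 2, 0), GOOD_HASH)
    except ValueError as err:
        print("pin + hash   ->", err)
```

The first call shows the confusion: with the feeds merged, the attacker's 99.0.0 wins simply by being the highest version. The second shows that routing internal names to the private feed alone removes the public candidate from consideration. The third shows the last line of defence: even when only the attacker's feed answers and it offers the pinned 1.2.0, the hash mismatch stops the install.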