Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

👇Check the thread after reading for a few bonus

Scope:

Other than the mentioned .NET bug, only one other team said the finding was out of scope, using this as a reason to reduce the bounty from P1 to P2.

We've also purposely avoided reporting to at least one program that had "internal or development services" listed as OOS

Pytosquatting:

In Python, the 'install' name of a package can be different from the 'import' name. This allows for an unique type of typosquatting attack by uploading under unclaimed import names on PyPI, where it can be downloaded by developers, or even automated tools.

I tried this out against some Google open source projects and it actually got me inside two *.corp.google.com machines.

However, just like typosquatting, this mostly relies on one-off mistakes. Google did not accept it as a valid vuln, and I fully agree with their assessment.

Fun fact: those packages are long gone from PyPI but for some reason they are still up on some sort of Chinese mirror, and I still get various callbacks from China to this day.