Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

👇Check the thread after reading for a few bonus

Scope:

Other than the mentioned .NET bug, only one other team said the finding was out of scope, using this as a reason to reduce the bounty from P1 to P2.

We've also purposely avoided reporting to at least one program that had "internal or development services" listed as OOS
Pytosquatting:

In Python, the 'install' name of a package can be different from the 'import' name. This allows for an unique type of typosquatting attack by uploading under unclaimed import names on PyPI, where it can be downloaded by developers, or even automated tools.
I tried this out against some Google open source projects and it actually got me inside two *.corp.google.com machines.

However, just like typosquatting, this mostly relies on one-off mistakes. Google did not accept it as a valid vuln, and I fully agree with their assessment.
Fun fact: those packages are long gone from PyPI but for some reason they are still up on some sort of Chinese mirror, and I still get various callbacks from China to this day.
Finally, a brief look at how each package hosting service responded after seeing the test packages:

* npm - initially deleted a few, stopped after my intentions were clarified
* PyPI - deleted all packages, made it clear that testing this is not allowed
* RubyGems - no reaction

You May Also Like

@EricTopol @NBA @StephenKissler @yhgrad B.1.1.7 reveals clearly that SARS-CoV-2 is reverting to its original pre-outbreak condition, i.e. adapted to transgenic hACE2 mice (either Baric's BALB/c ones or others used at WIV labs during chimeric bat coronavirus experiments aimed at developing a pan betacoronavirus vaccine)

@NBA @StephenKissler @yhgrad 1. From Day 1, SARS-COV-2 was very well adapted to humans .....and transgenic hACE2 Mice


@NBA @StephenKissler @yhgrad 2. High Probability of serial passaging in Transgenic Mice expressing hACE2 in genesis of SARS-COV-2


@NBA @StephenKissler @yhgrad B.1.1.7 has an unusually large number of genetic changes, ... found to date in mouse-adapted SARS-CoV2 and is also seen in ferret infections.
https://t.co/9Z4oJmkcKj


@NBA @StephenKissler @yhgrad We adapted a clinical isolate of SARS-CoV-2 by serial passaging in the ... Thus, this mouse-adapted strain and associated challenge model should be ... (B) SARS-CoV-2 genomic RNA loads in mouse lung homogenates at P0 to P6.
https://t.co/I90OOCJg7o