BC DEPENDENCYCHAINATTACK

Saved by @m4rc0v0nh4g3n

Alex Birsan
@alxbrsn 4 years, 4 months ago 585 views

Save to PDF Share See On Twitter

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

👇Check the thread after reading for a few bonus

Scope:

Other than the mentioned .NET bug, only one other team said the finding was out of scope, using this as a reason to reduce the bounty from P1 to P2.

We've also purposely avoided reporting to at least one program that had "internal or development services" listed as OOS

Pytosquatting:

In Python, the 'install' name of a package can be different from the 'import' name. This allows for an unique type of typosquatting attack by uploading under unclaimed import names on PyPI, where it can be downloaded by developers, or even automated tools.

I tried this out against some Google open source projects and it actually got me inside two *.corp.google.com machines.

However, just like typosquatting, this mostly relies on one-off mistakes. Google did not accept it as a valid vuln, and I fully agree with their assessment.

Fun fact: those packages are long gone from PyPI but for some reason they are still up on some sort of Chinese mirror, and I still get various callbacks from China to this day.

Finally, a brief look at how each package hosting service responded after seeing the test packages:

* npm - initially deleted a few, stopped after my intentions were clarified
* PyPI - deleted all packages, made it clear that testing this is not allowed
* RubyGems - no reaction

You May Also Like

$Billy Bostickson \U0001f3f4\U0001f441&\U0001f441 \U0001f193$

Billy Bostickson 🏴👁&👁 ...
@BillyBostickson

@EricTopol @NBA @StephenKissler @yhgrad B.1.1.7 reveals clearly that SARS-CoV-2 is reverting to its original pre-outbreak condition, i.e. adapted to transgenic hACE2 mice (either Baric's BALB/c ones or others used at WIV labs during chimeric bat coronavirus experiments aimed at developing a pan betacoronavirus vaccine)

@NBA @StephenKissler @yhgrad 1. From Day 1, SARS-COV-2 was very well adapted to humans .....and transgenic hACE2 Mice

1. From Day 1, SARS-COV-2 was very well adapted to humans .....and transgenic hACE2 Mice
"we generated a mouse model expressing hACE2 by using CRISPR/Cas9 knockin technology. In comparison with wild-type C57BL/6 mice, both young & aged hACE2 mice sustained high viral loads... pic.twitter.com/j94XtSkscj
— Billy Bostickson \U0001f3f4\U0001f441&\U0001f441 \U0001f193 (@BillyBostickson) January 30, 2021

@NBA @StephenKissler @yhgrad 2. High Probability of serial passaging in Transgenic Mice expressing hACE2 in genesis of SARS-COV-2

1. High Probability of serial passaging in Transgenic Mice expressing hACE2 in genesis of SARS-COV-2!
2 papers:
Human\u2013viral molecular mimicryhttps://t.co/irfH0Zgrve
Molecular Mimicryhttps://t.co/yLQoUtfS6s https://t.co/lsCv2iMEQz
— Billy Bostickson \U0001f3f4\U0001f441&\U0001f441 \U0001f193 (@BillyBostickson) January 2, 2021

@NBA @StephenKissler @yhgrad B.1.1.7 has an unusually large number of genetic changes, ... found to date in mouse-adapted SARS-CoV2 and is also seen in ferret infections.
https://t.co/9Z4oJmkcKj

@NBA @StephenKissler @yhgrad We adapted a clinical isolate of SARS-CoV-2 by serial passaging in the ... Thus, this mouse-adapted strain and associated challenge model should be ... (B) SARS-CoV-2 genomic RNA loads in mouse lung homogenates at P0 to P6.
https://t.co/I90OOCJg7o

Matt Fuller
@MEPFuller

They’re shooting into the chamber.

Advertisement

Fidato
@tequieremos

A thread on the life and achievements of Muhiyudin Sayyid Abdul Qadir Jillani RadiAllah who served Islam infinitely as the Reviver (Mujadid) of the 11th Century!

Muhiyudin Sayyid Abdul Qadir Jilani (RA) was one of the greatest Islamic Saint, Scholar, and Jurist. The honorific Muhiyudin denotes his status with many Sufis as a "reviver of religion". Jilani refers to his place of birth. He also carried the epithet Baghdadi.

[1]

Sheikh Abdul Qadir Jilani was born on the eve of the 2nd of Ramadan 470 AH. His birth was a great blessing for the Ummah. It was the arrival of the Sultan al-Awliya (King of the Awliya) of that era, which had been foretold for centuries before his birth.

[2]

When Hazrat Abdul Qadir Jillani was asked by someone what brought him to his high spiritual level, he said, The truthfulness which I promised to my mother. He related the following story:
"One day, on the eve of Eid al-Adhā, I went to my mother, who was then a widow and..

[3]

..and requested her, 'Send me to the path of Truth, give me permission to go to Baghdad to acquire knowledge, to be with the wise and those who are close to Allah. She cried, but she brought out 80 pieces of gold, which was all that my father had left as inheritance.

[4]

Carol Forden
@CarolForden

1. The major problem most startups face is marketing and the ability to carve out a niche, find and retain paying customers.

Even with a stellar developer team and a stellar product, your startup may not grow or survive without a great marketing and sales teams.

2. Start growing your audience before you’ve a product or an idea.

You should start promoting yourself and building your audience before you have a finished product or even before you have a great idea that you want to build.

3. Don’t wait to start building your audience after you’ve launched a product.

Most first-time developers actually ignore marketing.

They’re oblivious to the challenge of attracting people to take a look at something they’ve created.

4. At least until they see their first project crash and burn within hours of the launch.

There are so many times that I have seen developers spend countless hours building something, releasing it with no fanfare...

5. and only then trying to figure out how to promote it by asking marketing questions on Indie Hackers, Quora or Hacker News. Don’t make that mistake.

Nicolas Cole
@Nicolascole77

🚢 Atomic Essays Republishing Framework 🚢

1. Write Atomic Essay
2. Post image on Twitter
3. (Bonus) Copy/paste text as thread
4. Find relevant Question on Quora. Copy/paste Atomic Essay + image.
5. Copy/paste again on Medium.
6. Again on LinkedIn
7. Win

Guide below ✍️🚢👇

Step 1: Write Atomic Essay

I really enjoy writing right inside the Figma template. It helps give me a good sense of exactly how much "real estate" I have/have left before my time us up and I'm out of space.

Once finished, I export the image and send to my phone on Slack.

Step 2: Post image on Twitter

Before I publish my Atomic Essay on Twitter, I use the Edit/Photo Markup function on the iPhone to highlight standout sentences.

These are usually power-phrases: things the reader skims and thinks, "That's interesting," prompting them to read more.

Step 3: For the Ship 30 for 30 challenge, I only turn Atomic Essays into threads if...

1. The piece is SUPER actionable and lends itself well to the thread format (lots of bullets, quick points, lists, etc.)

or...

2. I'm referencing research and want to link to the pieces.

Step 4: Find relevant Question on Quora. Copy/paste Atomic Essay + image.

Search on Quora around the topic you wrote about. Find a related Question. Copy/paste the whole Atomic Essay as your "answer" (& fix formatting). Then include image so it appears in the thumbnail.