BC DEPENDENCYCHAINATTACK

Saved by @m4rc0v0nh4g3n

Alex Birsan
@alxbrsn 4 years, 4 months ago 582 views

Save to PDF Share See On Twitter

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

👇Check the thread after reading for a few bonus

Scope:

Other than the mentioned .NET bug, only one other team said the finding was out of scope, using this as a reason to reduce the bounty from P1 to P2.

We've also purposely avoided reporting to at least one program that had "internal or development services" listed as OOS

Pytosquatting:

In Python, the 'install' name of a package can be different from the 'import' name. This allows for an unique type of typosquatting attack by uploading under unclaimed import names on PyPI, where it can be downloaded by developers, or even automated tools.

I tried this out against some Google open source projects and it actually got me inside two *.corp.google.com machines.

However, just like typosquatting, this mostly relies on one-off mistakes. Google did not accept it as a valid vuln, and I fully agree with their assessment.

Fun fact: those packages are long gone from PyPI but for some reason they are still up on some sort of Chinese mirror, and I still get various callbacks from China to this day.

Finally, a brief look at how each package hosting service responded after seeing the test packages:

* npm - initially deleted a few, stopped after my intentions were clarified
* PyPI - deleted all packages, made it clear that testing this is not allowed
* RubyGems - no reaction

You May Also Like

Loren Brichter
@lorenb

So it turns out that Google Chrome was making everything on my computer slow *even when it wasn’t running*, because it installs something called Keystone which is basically malware.

I made a website because this shouldn’t

Wired first reported on how bad Keystone was 11 years ago when they put it into Google Earth (they seem to put it in all their popular

The fact that Keystone hides itself in Activity Monitor is bizarre. (The only sign of it was excessive CPU usage of WindowServer which is a system process).

I don’t know if Google was doing something nefarious with Keystone, or a third party figured out how to (which Wired warned about). But either way, I’m not inclined to give Google-the-organization the benefit of the doubt (despite the many good people who work on Chrome)...

...since it's been a decade+ and this still hasn't been "fixed".

There is no reason for auto-update software to need to do what Chrome/Keystone was doing. It also has a long history of crashing Macs.

Jaya_Upadhyaya
@Jayalko1

SRI VARAHA NARSIMHA, SIMHACHALAM, VIZAG (AP)
#bharatmandir

One of the 32 Narsimha Kshetram of Andhra. It has a unique form of Narsimha, appearing like a shivlingam

It is said that Narsimha’s fierce nature is soothed by worshipping him with Varaha, considered a peaceful deity

The shrine is believed to have been constructed by Prahlada. With time, it crumbled.
In Treta yuga, King Pururava was passing from here in his vimana. The vimana was attracted to this place by a mystic power.
When the place was unearthed, the deity was found.
@GunduHuDuGa

Pururava’s wife, Urvashi, had a dream that the deity should remain covered in sandalwood paste for the whole year except on Akshaya Tritiya.
This practice has continued till date.
The mukhya mandap here, has a pillar kappam stambham believed to possess curative powers.

Chandanotsava/ Chandan Yatra is the most important festival celebrated on Akshaya Tritiya. The sandalwood paste is removed from the moolavar deity and nijarupa darshan (original form of deity) for twelve hours of the day are done by devotees.

Advertisement

Mystery Grove Publishi...
@MysteryGrove

By popular demand, here is the official Mystery Grove Film Recommendations list. Watch all of these in order if you want to truly understand the world we live in today.

$Anu Satheesh \U0001f1ee\U0001f1f3$

Anu Satheesh 🇮🇳...
@AnuSatheesh5

Cherthala Karthyayani Kshetram
#Alappuzha, Kerala
#KeralaTemples 🚩

Cherthala Karthyayani Temple Prathishta was done by Vilwamangalam Swamy. Chertala Pooram is very famous. Devi is Mangalya Dayini here removes obstacles relating to marriages. Sthala Puranam says that, once 👇

Vilwamangalam Swamiyar was passing this area after Prathista of Padmananbhaswamy Temple, he felt Devi chaitanyam and recognized as Karthyayani Devi. But Devi seeing Vilwamangalam went inside the pond. Swamy searched for Devi continously for 6 days and on 7th day Vilwamangalam

got hold of Devi's hair. Thus only Devi's head is Prathishta here. Devotees do Kozhi parathal ( offering cock) here as an offering to Karthyayani Devi.

Karthyayaniamme Sharanam
🙏🕉🙏

Janmajit Sinha
@Impregnable007

#Thread - 1/21

A story of a brave woman who let her "breast" cut to protect the life of Netaji Subhash Chandra Bose!

Neera Arya was born on March 5 1902 in Khekra Nagar, Uttar Pradesh in a distinguished & eminent businessman Seth Chhajumal's family. Since her childhood,

2/21
She was a true nationalist & always had a vision of becoming a part of the freedom fighter movement. She was also reportedly accused as an undercover by the British Govt.

That was the time when her father's business was flourishing in Calcutta, though his business was..

3/21
spread across the country but Calcutta was the center of his business and that was one of the reasons why her education was done in Calcutta. During that period of time, she had learned quite a few languages along with Bengali, Hindi, English.

4/21
Her father got her married to a CID Inspector "Shrikant Jairanjan Das" in British India but they were two different individuals, Neera Arya was a true nationalist but her husband was a true British servant. She was highly motivated & she had an urge of getting us freedom..

5/21
so she ended up joining the Jhansi Regiment in Azad Hind Fauz after the marriage. It was the regiment that the British always accused them of spying on British Govt.

It was the time when Neera's husband Jairanjan Das was given the responsibility to spy on Netaji Subhash..