BC DEPENDENCYCHAINATTACK

Saved by @m4rc0v0nh4g3n

Alex Birsan
@alxbrsn 4 years, 2 months ago 558 views

Save to PDF Share See On Twitter

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

👇Check the thread after reading for a few bonus

Scope:

Other than the mentioned .NET bug, only one other team said the finding was out of scope, using this as a reason to reduce the bounty from P1 to P2.

We've also purposely avoided reporting to at least one program that had "internal or development services" listed as OOS

Pytosquatting:

In Python, the 'install' name of a package can be different from the 'import' name. This allows for an unique type of typosquatting attack by uploading under unclaimed import names on PyPI, where it can be downloaded by developers, or even automated tools.

I tried this out against some Google open source projects and it actually got me inside two *.corp.google.com machines.

However, just like typosquatting, this mostly relies on one-off mistakes. Google did not accept it as a valid vuln, and I fully agree with their assessment.

Fun fact: those packages are long gone from PyPI but for some reason they are still up on some sort of Chinese mirror, and I still get various callbacks from China to this day.

Finally, a brief look at how each package hosting service responded after seeing the test packages:

* npm - initially deleted a few, stopped after my intentions were clarified
* PyPI - deleted all packages, made it clear that testing this is not allowed
* RubyGems - no reaction

You May Also Like

Jaya_Upadhyaya
@Jayalko1

MEENAKSHI AMMAN, MADURAI (TN)
#bharatmandir #navratri2021

A paadal Petra sthalam where Shiva took the form of Sundareswarar (the handsome one) and married Devi Parvati (Meenakshi).
Devi is also known by the name Angayarkanni (mother with the beautiful fish eyes).
@GunduHuDuGa

Devi Meenakshi emerged from yagna fire as a 3 year old girl when Pandyan King Malayadwaja and Kanchanamalai were praying for a child.
It is said that Devi was born with three breasts and there was a prophesy that her superfluous breast would melt away when she met her husband.

Devi ruled over Madurai and captured Indralok. She went on to capture Kailasha. When she saw Shiva, her 3rd breast disappeared and she realised that Shiva would be her consort.
The divine marriage was attended by all Devas and Sri Vishnu (as her brother) gave her hand to Shiva.

It is said that Indra found a swayambhu lingam at Kadamba Vanam. He placed it in Madurai where the kshetram stands. Here, Shiva is seen on the vehicle of Indra.
The Golden Lotus Tank is said to be the place where a golden lotus blossomed for the puja performed by Indra.

The Meenakshi Thirukalyanam festival is celebrated in the Chithirai month to mark the divine marriage of Meenakshi Amman. The festival includes a procession where Meenakshi and Sundareshwara travel in a chariot and Sri Vishnu gives away his sister in marriage to Shiva.

Rudy Havenstein, liste...
@RudyHavenstein

I hate when I learn something new (to me) & stunning about the Jeff Epstein network (h/t MoodyKnowsNada.)

Where to begin?

So our new Secretary of State Anthony Blinken's stepfather, Samuel Pisar, was "longtime lawyer and confidant of...Robert Maxwell," Ghislaine Maxwell's Dad.

"Pisar was one of the last people to speak to Maxwell, by phone, probably an hour before the chairman of Mirror Group Newspapers fell off his luxury yacht the Lady Ghislaine on 5 November, 1991." https://t.co/DAEgchNyTP

OK, so that's just a coincidence. Moving on, Anthony Blinken "attended the prestigious Dalton School in New York City"...wait, what? https://t.co/DnE6AvHmJg

Dalton School...Dalton School...rings a

Oh that's right.

The dad of the U.S. Attorney General under both George W. Bush & Donald Trump, William Barr, was headmaster of the Dalton School.

Donald Barr was also quite a

Donald Barr had a way with words. pic.twitter.com/JdRBwXPhJn
— Rudy Havenstein, listening to Nas all day. (@RudyHavenstein) September 17, 2020

I'm not going to even mention that Blinken's stepdad Sam Pisar's name was in Epstein's "black book."

Lots of names in that book. I mean, for example, Cuomo, Trump, Clinton, Prince Andrew, Bill Cosby, Woody Allen - all in that book, and their reputations are spotless.

Advertisement

$Anu Satheesh \U0001f1ee\U0001f1f3$

Anu Satheesh 🇮🇳...
@AnuSatheesh5

Thirumalai Murugan Kovil
#Panpoli
#TamilNaduTemples 🚩

Thirumalai Murugan Temple is located in Tenkasi district of Tamil Nadu. Muruga is worshipped as Thirumalai kumarasamy. Temple is situated near Kerala border and known to be where Shri Murugan gave darshan to Rishi Agasthiar

Devi is worshipped in the temple as Thirumalai Kaali amman

Sthala Puranam says that, there was a priest named Poovanbhattar of Thirumalai Kaali amman. Murugar appeared in a dream of the bhattar and said to find a Vigraham, lying in particular place which is of Thirumalaikumaran

Bhattar conveyed the news to the Pandalam Raja and they went to find out the vigraham. Surprisingly ants showed the way to find the Vigraham. Thus Murugan vigraham was found and Prathista was done here. There is a lake with pure water on the top of the hill

which is said to be created by Agasthiyar. It is believed that kannaki of
Chilapathikaram visited here before going to Kerala. Sapthamathrukkal also worshipped Murugan here. Kanthashashti Thiruvizha is very famous here.

Om Muruga
Muruganukku Harohara
🙏🕉🙏

Nick Kapur
@nick_kapur

A thread of images from a Japanese illustrated history of America from 1861.

Here is George Washington (with bow and arrow) pictured alongside the Goddess of America. 1/

Here is Christopher Columbus (seated at center) reporting his discovery of America to Queen Isabella of Spain.

So far, kinda normal, but wait for it.... 2/

Now it's the American Revolution. Here is George Washington defending his wife "Carol" from a British official named "Asura" (same characters as the Buddhist deity). 3/

And here is Washington's "second-in-command" John Adams battling an enormous snake. 4/

Here is Washington and his wife "Carol" meeting an extremely youthful Benjamin Franklin, who has an impressive squat. 5/

Vibhu Vashisth
@VIBHU_Tweet

🌺कैसे बने गरुड़ भगवान विष्णु के वाहन और क्यों दो भागों में फटी होती है नागों की जिह्वा🌺

महर्षि कश्यप की तेरह पत्नियां थीं।लेकिन विनता व कद्रु नामक अपनी दो पत्नियों से उन्हे विशेष लगाव था।एक दिन महर्षि आनन्दभाव में बैठे थे कि तभी वे दोनों उनके समीप आकर उनके पैर दबाने लगी।

प्रसन्न होकर महर्षि कश्यप बोले,"मुझे तुम दोनों से विशेष लगाव है, इसलिए यदि तुम्हारी कोई विशेष इच्छा हो तो मुझे बताओ। मैं उसे अवश्य पूरा करूंगा ।"

कद्रू बोली,"स्वामी! मेरी इच्छा है कि मैं हज़ार पुत्रों की मां बनूंगी।"
विनता बोली,"स्वामी! मुझे केवल एक पुत्र की मां बनना है जो इतना बलवान हो की कद्रू के हज़ार पुत्रों पर भारी पड़े।"
महर्षि बोले,"शीघ्र ही मैं यज्ञ करूंगा और यज्ञ के उपरांत तुम दोनो की इच्छाएं अवश्य पूर्ण होंगी"।

महर्षि ने यज्ञ किया,विनता व कद्रू को आशीर्वाद देकर तपस्या करने चले गए। कुछ काल पश्चात कद्रू ने हज़ार अंडों से काले सर्पों को जन्म दिया व विनता ने एक अंडे से तेजस्वी बालक को जन्म दिया जिसका नाम गरूड़ रखा।जैसे जैसे समय बीता गरुड़ बलवान होता गया और कद्रू के पुत्रों पर भारी पड़ने लगा

परिणामस्वरूप दिन प्रतिदिन कद्रू व विनता के सम्बंधों में कटुता बढ़ती गयी।एकदिन जब दोनो भ्रमण कर रहीं थी तब कद्रू ने दूर खड़े सफेद घोड़े को देख कर कहा,"बता सकती हो विनता!दूर खड़ा वो घोड़ा किस रंग का है?"
विनता बोली,"सफेद रंग का"।
तो कद्रू बोली,"शर्त लगाती हो? इसकी पूँछ तो काली है"।