Someone hacked into Apple, Microsoft and PayPal and they didn't even know it happened

News
By Darragh Murphy
published

'Dependency confusion' affected Netflix, Yelp, Uber and dozens more

Apple
(Image credit: Apple)

Imagine finding an exploit in the biggest supply chain companies around the world and being able to simply breach into every one of them. Well, that's what Alex Birsan did.

Don't fret, he's a security researcher who notified the companies, including Apple, Microsoft, Netflix, PayPal and more than 30 other companies, about his findings. In fact, he got bounty payments of up to $40,000 each for his efforts. Nicely done. 

The security researcher hacked into a list of supply chain companies by exploiting a vulnerability he calls 'Dependency Confusion', in which he used fake packages named like internal private packages to sneak in (a very basic explanation, mind you). Birsan's packages had no code in them, only a disclaimer stating, "this package is meant for security research purposes and does not contain any useful code" (via Bleeping Computer).

"From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds," said Birsan on his article on The Medium.

Apple explained that remote code execution on Apple servers would have worked with Birsan's npm package technique, paying him a nifty $30,000 as a reward. Apple fixed the bug over a span of two weeks however other companies such as Shopify fixed the issue within a day.

According to Birsan's article, he had at least been awarded $130,000 in bug bounties,  stating that “the majority of awarded bug bounties were set at the maximum amount allowed by each program’s policy, and sometimes even higher.” Bug bounties are rewards for those who find bug within their system, and it looks like Birsan hit the jackpot.

The article goes into further detail about how he breached the companies using private and public file packages that's definitely worth the read. If all this hacking has you worried, some of the best VPN services today could fix that. 

Darragh Murphy
Darragh Murphy
Editor

Darragh Murphy is fascinated by all things bizarre, which usually leads to assorted coverage varying from washing machines designed for AirPods to the mischievous world of cyberattacks. Whether it's connecting Scar from The Lion King to two-factor authentication or turning his love for gadgets into a fabricated rap battle from 8 Mile, he believes there’s always a quirky spin to be made. With a Master’s degree in Magazine Journalism from The University of Sheffield, along with short stints at Kerrang! and Exposed Magazine, Darragh started his career writing about the tech industry at Time Out Dubai and ShortList Dubai, covering everything from the latest iPhone models and Huawei laptops to massive Esports events in the Middle East. Now, he can be found proudly diving into gaming, gadgets, and letting readers know the joys of docking stations for Laptop Mag.