Microsoft has once again been successfully hit by a dependency hijacking attack. Previously, a researcher had ethically hacked over 35 major tech firms, including Microsoft, by exploiting a weakness called “dependency confusion.” This month, another researcher found an internal npm dependency being used by an open-source project.

Last week, researcher Ricardo Iramar dos Santos was auditing the open-source package SymphonyElectron for bugs when he came across a mysterious dependency used by the package. This dependency was called “swift-search,” but no package by that name was present on the public npmjs.com registry. On realizing this, dos Santos registered a package by the same name on the npm registry.

Earlier articles on dependency confusion explain that the term describes an inherent weakness in various open-source repository managers when they retrieve the dependencies specified for a software package. If a project uses a private, internally created dependency and a dependency by the same name also exists on a public repository, the development tools are left “confused” as to which dependency is being referred to. As a result, the public dependency with the same name gets pulled into the development environment instead of the intended, private one. “Dependency confusion,” or dependency hijacking, attacks therefore let attackers inject their malicious code into an internal application in an automated supply-chain attack.

Within hours of publishing the package to the npm registry, the researcher noticed ping-backs arriving from Microsoft’s servers. This confirmed the researcher’s suspicion that a Microsoft server had been successfully hit by his dependency hijacking attack, and he contacted Microsoft. Some of the data returned from Microsoft’s server included the system username, paths to application development environments, various IDs, and similar details.
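The resolution problem described above is easy to check for from the defender's side: every internal dependency name in a manifest is either unscoped (and therefore claimable on the public registry by anyone), scoped but not pinned to a private registry, or scoped and pinned. The following Node.js script is an added example, not code from the original article or from the SymphonyElectron project. The manifest, the list of internal package names, the simulated public-registry lookup and the `@example-org` scope with its `.npmrc` registry URL are all constructed for illustration; a real audit would replace the in-memory registry set with an HTTP lookup against `https://registry.npmjs.org/<name>`.

```javascript
// Added example: audit a package.json for dependency-confusion exposure.
// Everything below (manifest, scope, registry contents, URL) is constructed;
// only the name "swift-search" comes from the article.

// Constructed manifest, modelled on the kind of project discussed above.
const manifestJson = JSON.stringify({
  name: "example-electron-app",
  dependencies: {
    "electron": "^13.0.0",
    "swift-search": "^1.0.0",                 // private, unscoped: claimable publicly
    "@example-org/internal-logger": "^2.1.0", // private, scoped: safe once the scope is pinned
    "lodash": "^4.17.21"
  }
});

// Names the organisation knows are internal (constructed list).
const internalPackages = new Set(["swift-search", "@example-org/internal-logger"]);

// Stand-in for a public-registry lookup (constructed). "swift-search" is present,
// mirroring the situation in the article where the name had been registered publicly.
const publicRegistry = new Set(["electron", "lodash", "swift-search"]);

// .npmrc that pins the scope to the private registry (constructed URL).
// "@scope:registry=<url>" is the standard npm config key for this.
const npmrc = "@example-org:registry=https://npm.example-org.internal/\n";

// Collect the scopes that an .npmrc routes to a specific registry.
function parseScopes(npmrcText) {
  const scopes = new Set();
  for (const line of npmrcText.split("\n")) {
    const m = line.trim().match(/^(@[^:]+):registry=/);
    if (m) scopes.add(m[1]);
  }
  return scopes;
}

// Classify every internal dependency:
//   "ok"       - scoped and the scope is pinned to a private registry
//   "hijacked" - name resolves on the public registry, so a public package wins
//   "exposed"  - unscoped or unpinned and the public name is still free
function auditManifest(json, internal, registry, npmrcText) {
  const deps = JSON.parse(json).dependencies || {};
  const pinnedScopes = parseScopes(npmrcText);
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (!internal.has(name)) continue; // public dependencies are out of scope here
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (scope && pinnedScopes.has(scope)) {
      findings.push({ name, status: "ok", reason: `scope ${scope} pinned to private registry` });
    } else if (registry.has(name)) {
      findings.push({ name, status: "hijacked", reason: "a public package with this name already exists" });
    } else {
      findings.push({ name, status: "exposed", reason: "unscoped or unpinned internal name; public name is free" });
    }
  }
  return findings;
}

// Convenience summary for CI: count of findings that need action.
function countActionable(findings) {
  return findings.filter(f => f.status !== "ok").length;
}

// Stand-alone run.
const results = auditManifest(manifestJson, internalPackages, publicRegistry, npmrc);
for (const f of results) console.log(`${f.status.padEnd(8)} ${f.name}: ${f.reason}`);
console.log(`${countActionable(results)} dependency name(s) need attention`);
```

The fix the audit points at is the same in both non-ok cases: move internal packages under an organisation scope and pin that scope to the private registry in `.npmrc`, so name resolution never consults the public registry for them; an "exposed" result means the name is not yet taken publicly, while "hijacked" means a public package already shadows the private one and the build should be treated as compromised until the dependency is verified.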
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is