Security researcher Alex Birsan successfully ran code on the servers of 35 major tech companies.
Microsoft, Google, Apple, Tesla and PayPal are among the companies whose internal systems the researcher reached.
According to Bleeping Computer, he did so through a novel software supply chain attack, referred to in his own write-up as dependency confusion, that allowed him to execute code on the companies' servers.
I feel that it is important to make it clear that every single organization targeted during this research has provided permission to have its security tested, either through public bug bounty programs or through private agreements. Please do not attempt this kind of test without authorization.
– Alex Birsan said in the report
Bug Bounty Rewards
Birsan is an established bug bounty hunter, and this research has earned him more than $130,000 in rewards.
The largest single bounty, $40,000, came from Microsoft, which tracks the issue as CVE-2021-24105 and has published a white paper covering it.
PayPal paid Birsan $30,000. Apple also acknowledged the bug and said it would reward the researcher shortly.
I believe that finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs.
Alex Birsan in his blog post.
The attack works by publishing packages to public open-source registries under the same names as a company's private, internal packages, with higher version numbers than the internal ones. A build that is configured to check both a private index and the public registry prefers the higher version and pulls in the attacker's package automatically; the victims do not need to do anything on their side, since the code arrives through the normal dependency update process.
This is alarming given that nearly every company pulls dependencies from public open-source registries alongside its own.
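The resolution behaviour described above, as an added example that is not part of the original article or of Birsan's own tooling: a simplified model of a package manager that consults a private index and a public registry and takes the highest version it finds, next to a hardened resolver that only accepts internally named packages from the private index. The package names, versions and index contents (the `acme-` prefix, `acme-internal-auth`, the 99.0.0 version) are constructed for illustration and are not real packages.

```python
"""Simulated dependency-confusion resolution.

Added example, not from the original article or from Birsan's research.
Models how a package manager that unions a private index with a public
registry picks the highest version across both, and how restricting
internal names to the private index prevents that. All index data below
is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple  # e.g. (1, 4, 2)
    index: str      # "private" or "public"


# Constructed private index: the company's internal packages (hypothetical names).
PRIVATE_INDEX = {
    "acme-internal-auth": [(1, 4, 2)],
    "acme-billing-core": [(0, 9, 0)],
}

# Constructed public registry snapshot. The attacker has published a package
# with the leaked internal name and a version higher than anything private.
PUBLIC_INDEX = {
    "acme-internal-auth": [(99, 0, 0)],
    "requests": [(2, 25, 1)],
}

INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}


def resolve_naive(name, indexes):
    """Vulnerable behaviour: union all indexes and take the highest version."""
    candidates = [
        Candidate(name, v, index_name)
        for index_name, index in indexes.items()
        for v in index.get(name, [])
    ]
    if not candidates:
        raise LookupError(f"{name} not found in any index")
    return max(candidates, key=lambda c: c.version)


def resolve_pinned(name, indexes, internal_prefix="acme-"):
    """Hardened behaviour: names with the internal prefix may only come from
    the private index; everything else may come from any index."""
    allowed = ["private"] if name.startswith(internal_prefix) else list(indexes)
    candidates = [
        Candidate(name, v, index_name)
        for index_name in allowed
        for v in indexes[index_name].get(name, [])
    ]
    if not candidates:
        raise LookupError(f"{name} not found in allowed indexes {allowed}")
    return max(candidates, key=lambda c: c.version)


def find_confusable(private_index, public_index):
    """Audit helper: internal names that also exist on the public registry,
    which is exactly the collision a dependency-confusion attack needs."""
    return sorted(set(private_index) & set(public_index))


if __name__ == "__main__":
    naive = resolve_naive("acme-internal-auth", INDEXES)
    pinned = resolve_pinned("acme-internal-auth", INDEXES)
    print("naive  ->", naive)    # picks 99.0.0 from the public registry
    print("pinned ->", pinned)   # picks 1.4.2 from the private index
    print("confusable:", find_confusable(PRIVATE_INDEX, PUBLIC_INDEX))
```

The audit helper is the cheap, offline check a practitioner would run first: any internal package name that also resolves on a public registry is a candidate for this attack, regardless of which package manager is in use. The prefix-based pinning mirrors what scoped packages or an explicit per-package index source do in real package managers.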