Microsoft sounds the alarm over new ‘dependency confusion’ attack technique
Organizations may have to reconfigure their app development
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Microsofthas released a whitepaper outlining a newcyberattackmethod that the firm is calling, “dependency confusion” or a “substitution attack.” The approach looks to take advantage of the open ecosystem that many businesses use as part of theirapp developmentprocess, mixing public and private feeds within the same development supply chain.
When apps are being constructed, developers often use a mixture of code stored in private libraries as well as dependencies from public portals.
However, if an attacker were to learn the names of the private libraries used by corporate apps, they could register the same name on public package repositories and fill it with malicious code. Microsoft has dubbed this threat, a “substitution attack”.
“One common hybrid configuration that clients use is storing internal packages on a private feed but allowing the retrieval of dependencies from a public feed,” the Microsoft whitepaperexplains. “This ensures that the latest package releases are automatically adopted when referenced from a package that does not need to be updated. Internal developers publish their packages to this private feed, and consumers check both private and public feeds for the best available versions of the required packages. This configuration presents a supply chain risk: the substitution attack.”
Supply chain risk
Given thatbusiness appshave become increasingly important, being used fornetwork monitoring,lead generation,employee experience, and many more corporate needs, any threat to the app development supply chain could potentially have huge implications.
In order to test this attack method, independentsecurity researchersregistered code to public libraries using private package names accidentally leaked by tech firms. They found that they could upload new code to apps built by 35 major tech firms, including Shopify, Netflix, PayPal, and Microsoft itself.
Fortunately, there are several mitigation strategies that organizations can employ to reduce the likelihood of being targeted by these dependency confusion attacks. Microsoft advises that companies only reference one private feed in their app development, protect their packages using controlled scopes, and utilize client-side verification features.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
ViaZDNet
Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services. After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.
Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics
This new phishing strategy utilizes GitHub comments to distribute malware
Arcane season 2 finally gave us the huge Caitlyn and Vi moment we’ve been waiting for – and its creators say ‘we couldn’t have done it in season one’
