This Hacker Broke Into Apple, Microsoft And Netflix Sites And Found A Security Gap

JAKARTA - Even the sites of giant technology companies are not immune to hacking. Proving the point, Alex Birsan was able to break into dozens of websites of well-known technology companies, including Microsoft, Apple, Netflix, Tesla, PayPal and Uber.

Birsan is a security researcher. To break into these big companies, he uploaded numerous malicious packages to the Python Package Index (PyPI), RubyGems and npm package repositories. All of these services are open source.

From there the packages spread into the companies' internal servers. The mechanism Birsan used is quite sophisticated: the packages he distributed got past the companies' security automatically, without any intervention from the sender.

A design flaw in these open-source services was Birsan's entry point. Birsan calls this gap "dependency confusion". He stated that his actions had no malicious purpose.

As reported by Bleeping Computer, Birsan's aim was solely to report the leaky security to the technology giants. For this good-faith work, Birsan received rewards worth USD 130 thousand (equivalent to IDR 1.8 billion).

Birsan began probing these technology companies in 2020. At the time, he noticed that a number of packages referenced in a manifest file of a PayPal npm package were not available to the public. Apparently, the company kept them for its own use.

Realizing this, Birsan wondered whether a fake package carrying the same name, hosted publicly, could find its way onto the company's servers. He then went looking for more of the companies' internal package names in files on CDNs and on GitHub.

Next, Birsan built his own packages using names that mirrored the internal package names, then published them to npm, RubyGems and PyPI.
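The mechanism the article describes, modelled as an added example in Python (this is not the article's or Birsan's code): a naive resolver that merges a private and a public index and installs the highest version, the scoped resolver that closes the gap, and an audit listing which internal names already collide with, or are still unclaimed on, the public registry. All package names, versions and both indexes are constructed sample data.

```python
# Added example (not the article's or Birsan's code): an offline model of
# dependency confusion and a defender's check. Every name, version and "index"
# below is constructed sample data.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Index = Dict[str, List[str]]  # package name -> versions that index offers

def parse_version(v: str) -> Version:
    """Turn '1.5.2' into (1, 5, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

PRIVATE_INDEX: Index = {  # a company's internal registry (constructed)
    "acme-internal-auth": ["1.4.0", "1.5.2"],
    "acme-billing-core": ["0.9.1"],
}
PUBLIC_INDEX: Index = {  # the public registry (constructed)
    "requests": ["2.31.0"],
    "acme-internal-auth": ["99.0.0"],  # same name as an internal package, higher version
}

def naive_resolve(name: str, private: Index, public: Index) -> Optional[Tuple[str, str]]:
    """Client that merges every configured index and installs the highest version
    it sees. This is what dependency confusion abuses: the public copy wins
    whenever it carries a higher version number than the internal one."""
    candidates = [(parse_version(v), src, v)
                  for src, idx in (("private", private), ("public", public))
                  for v in idx.get(name, [])]
    if not candidates:
        return None
    _, src, v = max(candidates)
    return src, v

def scoped_resolve(name: str, private: Index, public: Index) -> Optional[Tuple[str, str]]:
    """Mitigation: a name the private index owns is resolved only from the private
    index, so the public registry is never consulted for internal packages."""
    if name in private:
        return "private", max(private[name], key=parse_version)
    if name in public:
        return "public", max(public[name], key=parse_version)
    return None

def audit(private: Index, public: Index) -> Dict[str, str]:
    """Defender's check: each internal name is either already claimed on the public
    registry (a live collision) or still unclaimed (and therefore squattable)."""
    return {n: ("collides" if n in public else "unclaimed") for n in private}
```

Running `audit` against a real private index would use the registry's own search API in place of the constructed `PUBLIC_INDEX` dictionary.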

"This package is intended for security research purposes, and does not contain any malicious code," Birsan said, explaining the hack's intent.