Microsoft has published a warning on Tuesday showing a new attack method that it calls a “substitution attack” or a “dependency confusion”. According to a Microsoft white paper, the technique can allow threat actors to infiltrate app development within an organization.
Many corporations develop their own applications to be used in-house amongst employees or sent out externally. Developers within organizations use package managers for handling libraries that are then put together to assemble an app.
The attack method Microsoft is discussing involves targeting app building, package managers for downloading and importing, and repositories hosting app files.
Using “dependency confusion,” threat actors can exploit private app libraries within a corporation. That's a problem because while some organization apps are non-sensitive, some of them can host very sensitive code.
Attacks can take advantage of the way many company developers package apps. A lot of apps are held in a mix of public and private libraries. If an attack can discover the name of a private library, they could register it on a public repository and upload malicious libraries to the public packages.
Microsoft says an attack would work if an internal app environment prioritizes the public library over the internal private one (both would have the same name). After security researchers told Microsoft and other major companies about the problem, Microsoft reacted quickly.
In its white paper, the company discusses the attack method and warns of the danger of the hybrid package manager configuration. Microsoft also points to several mitigations than companies can adopt to prevent an attack:
- Use controlled scopes on public packages to protect private packages.
- Hold one private feed as a reference instead of many.
- Have a client side verification in place.
Tip of the day: Learn how to write a white paper using this design guide and white paper examples from Venngage.