Two security researchers recently earned a $50,500 bug bounty for a critical vulnerability in a major company’s software supply chain. The weakness sat in a business the company had recently acquired, highlighting the security risk that comes with acquisitions.
The researchers, Lupin (Roni Carta) and Snorlhax, who have a track record of collaborating on security research, chose to focus on the often-overlooked area of business acquisitions. Their reasoning was that integrating an acquired company tends to introduce weaknesses, because the acquired entity rarely meets the parent company’s security standards from day one. With that insight, the pair set out to find what they called a “game-changing” vulnerability.
Their methodology was a thorough examination of the acquired company’s online footprint, including its code repositories and package registries. Parsing the company’s JavaScript files into Abstract Syntax Trees (ASTs) and analysing its Docker images let them identify dependencies and potential flaws. That investigation eventually led them to a DockerHub organization associated with the acquisition.
The breakthrough came when they pulled one of those Docker images and found the complete source code for the company’s backend inside it. The image held more than source code, however.
As detailed in Lupin’s technical blog post, the image also contained a “.git” folder holding an authorization token for GitHub Actions (a “ghs_”-prefixed token). Such a token could let an attacker manipulate the company’s build pipelines, inject malicious code, tamper with software releases, or reach additional repositories. One caveat a practitioner would check first: GitHub Actions tokens are normally valid only for the workflow run that issued them, so how far a leaked one reaches depends on whether it is still live.
Further exploration showed that although a later step in the image build had deleted the .npmrc configuration file, deleting a file in a later layer does not remove it from the earlier layer that added it; the file stays inside the image and is only hidden from the merged filesystem. Using layer-inspection tools such as Dive and Dlayer, the researchers recovered the .npmrc from an earlier layer and with it a private npm token that provided read-and-write access to the company’s private packages.
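The following is an added example, not code from the researchers’ write-up, showing why the deleted .npmrc was still recoverable. It constructs a three-layer image in memory (the file names, the .git/config layout and the ghs_/npm_ token values are made-up placeholders), applies whiteout semantics to show that the merged filesystem no longer contains .npmrc, and then scans every layer tar on its own, which is what Dive-style inspection amounts to, to find the credentials anyway.

```python
"""Recover a secret that a later Docker layer 'deleted'.

A Docker image is a stack of tar layers. `RUN rm /app/.npmrc` does not rewrite
the layer that added the file; it adds a whiteout entry (".wh..npmrc") in a new
layer so the merged filesystem hides the file. Scanning each layer tar on its
own finds the file anyway. Everything below is constructed sample data.
"""
from __future__ import annotations

import io
import re
import tarfile

WHITEOUT_PREFIX = ".wh."

# Credential shapes from the article: a GitHub Actions token (ghs_ prefix), an npm
# access token (npm_ prefix), and an .npmrc _authToken line. Lengths are assumptions.
SECRET_PATTERNS = {
    "github_actions_token": re.compile(rb"ghs_[A-Za-z0-9]{36}"),
    "npm_access_token": re.compile(rb"npm_[A-Za-z0-9]{36}"),
    "npmrc_auth_token": re.compile(rb"_authToken\s*=\s*\S+"),
}


def make_layer(files: dict[str, bytes]) -> bytes:
    """Build one image layer as an uncompressed tar archive held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> list[bytes]:
    """Constructed image mimicking the leak: copy repo, install deps, delete .npmrc."""
    fake_ghs = b"ghs_" + b"A" * 36  # placeholder, not a real token
    fake_npm = b"npm_" + b"B" * 36  # placeholder, not a real token
    # Layer 1: `COPY . /app` brings in the checkout, including .git/config and .npmrc.
    layer1 = make_layer({
        "app/.git/config": (
            b'[http "https://github.com/"]\n'
            b"\textraheader = AUTHORIZATION: basic " + fake_ghs + b"\n"
        ),
        "app/.npmrc": b"//registry.npmjs.org/:_authToken=" + fake_npm + b"\n",
        "app/package.json": b'{"name":"backend","private":true}\n',
    })
    # Layer 2: `RUN npm ci` output; nothing sensitive.
    layer2 = make_layer({"app/node_modules/.package-lock.json": b"{}\n"})
    # Layer 3: `RUN rm /app/.npmrc` is recorded as a whiteout, not as a rewrite of layer 1.
    layer3 = make_layer({"app/" + WHITEOUT_PREFIX + ".npmrc": b""})
    return [layer1, layer2, layer3]


def iter_layer_files(layer: bytes):
    """Yield (path, content) for every regular file in one layer tar."""
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                yield member.name, tar.extractfile(member).read()


def merged_view(layers: list[bytes]) -> dict[str, bytes]:
    """Apply layers in order with whiteout semantics: what a running container sees."""
    fs: dict[str, bytes] = {}
    for layer in layers:
        for name, data in iter_layer_files(layer):
            directory, _, base = name.rpartition("/")
            if base.startswith(WHITEOUT_PREFIX):
                target = base[len(WHITEOUT_PREFIX):]
                fs.pop(f"{directory}/{target}" if directory else target, None)
            else:
                fs[name] = data
    return fs


def scan_layers(layers: list[bytes]) -> list[tuple[int, str, str]]:
    """Scan each layer independently; returns (layer_index, path, finding_type)."""
    findings = []
    for idx, layer in enumerate(layers):
        for name, data in iter_layer_files(layer):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append((idx, name, kind))
    return findings


if __name__ == "__main__":
    image = build_sample_image()
    print("merged view has .npmrc:", "app/.npmrc" in merged_view(image))
    for finding in scan_layers(image):
        print("layer %d  %s  %s" % finding)
```

On a real image the same per-layer scan applies to the layer tars that `docker save` writes out (or that Dive walks), which is why a `rm` late in a Dockerfile is not a remediation; the secret has to be kept out of the build context, or the layer squashed, instead.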
That token gave the researchers a path to publish a malicious version of one of the private packages, which the company’s developers, CI pipelines, and production systems would fetch automatically on their next install. Because the packages were private, they fall outside the public vulnerability databases that dependency scanners check, so the tampered version would likely pass unnoticed, letting an attacker compromise systems at several levels and potentially leading to large-scale data theft.
The incident is a reminder of the software supply chain weaknesses that have hit numerous businesses in recent months. Incidents involving Snowflake Inc., Blue Yonder, and the MOVEit Transfer file-transfer software show how attackers continue to exploit third parties and trust relationships, posing a significant threat to organizations worldwide.
The duo documented their findings and demonstrated the impact to the affected company’s security team, which recognized the severity of the flaw and awarded them a $50,500 bug bounty.
The case shows how individually minor oversights converge into a working attack chain: here, credentials left behind in a published container image, combined with the weaker security posture of a recently acquired company. Securing a software delivery pipeline means securing every stage, from the source code to the build images and the external packages they pull in, and it rewards attention to details such as what actually ends up inside an image’s layers.
The researchers’ discovery and the bounty that followed are a reminder that vigilance and proactive review of the supply chain, not only of the perimeter, are what keep organizations ahead of these attacks.
