Two security researchers uncovered a serious software supply chain weakness, earning a $50,500 reward from a large corporation's bug bounty program.
The pair's finding underscores the growing importance of software supply chain security and the risk posed by assets that are overlooked during corporate acquisitions.
The Target: A Recently Acquired Subsidiary
The two ethical hackers, one of whom goes by the alias Snorlhax, began by identifying a subsidiary that their target organization had recently acquired.
They reasoned that acquired companies often lag behind in adopting the parent company's stricter security controls.
By focusing on this subsidiary, they hoped to find vulnerabilities that had been overlooked during the integration process.
Their reconnaissance covered corporate announcements, LinkedIn profiles, and technical artifacts such as JavaScript files.
Parsing the JavaScript into Abstract Syntax Trees (ASTs) with the SWC (Speedy Web Compiler) library, they analyzed its dependencies to find references to private package namespaces.
This led them to an npm organization linked to the subsidiary, a sign that it published private packages.
After failing to find direct leaks on GitHub, the researchers turned to DockerHub, where they found a Docker image associated with one of the subsidiary's main products.
Downloading and inspecting the image paid off: it contained proprietary backend source code and an exposed .git folder.
Within the .git/config file, they found an encoded GitHub Actions token (GHS).
This token, normally used by CI/CD workflows, had been left exposed in the Docker image. If used before it expires, such a token lets an attacker modify source code repositories or CI/CD pipelines.
Exploiting Docker Layers
The researchers noticed that the Dockerfile used to build the image added an .npmrc file containing an npm token and then removed it in a later build step.
Using tools such as dive and dlayer, which allow Docker image layers to be examined individually, they recovered the earlier layers in which the .npmrc file and its token were still present.
This npm token granted read and write access to private packages under the subsidiary's namespace.
The researchers realized that malicious code inserted into these packages would be pulled automatically into developers' environments, CI/CD pipelines, and even production servers.
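As an added example (not the researchers' tooling), the following script does what dive and dlayer do interactively for the case above, but as a check that can run before an image is pushed: it walks a `docker save` tarball layer by layer and reports credential files that a later layer only hid behind a whiteout entry. The image layout, file paths and token value are constructed placeholders.

```python
import io, json, posixpath, re, tarfile
# Paths that should never reach any layer of a shipped image.
SENSITIVE = re.compile(r"(^|/)(\.npmrc|\.git/config)$")
# Registry tokens on .npmrc _authToken lines and GitHub Actions tokens (ghs_ prefix).
TOKEN_RE = re.compile(r"(?<=_authToken=)\S+|ghs_[A-Za-z0-9]{16,}")


def scan_image_tar(data: bytes) -> list[dict]:
    """Walk layers in manifest order; report each sensitive file with the layer
    that introduced it and the layer (if any) whose whiteout later deleted it."""
    findings: dict[str, dict] = {}
    with tarfile.open(fileobj=io.BytesIO(data)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for idx, layer_name in enumerate(manifest[0]["Layers"]):
            with tarfile.open(fileobj=img.extractfile(layer_name)) as layer:
                for m in layer.getmembers():
                    path = posixpath.normpath(m.name).lstrip("/")
                    parent, _, base = path.rpartition("/")
                    if base.startswith(".wh."):
                        # Whiteout: hides the path from the final filesystem, but the earlier layer keeps the bytes.
                        target = posixpath.join(parent, base[4:])
                        for p, f in findings.items():
                            if p == target or p.startswith(target + "/"):
                                f["deleted_in_layer"] = idx
                    elif m.isfile() and SENSITIVE.search(path):
                        text = layer.extractfile(m).read().decode("utf-8", "replace")
                        findings[path] = {"path": path, "layer": idx,
                                          "deleted_in_layer": None,
                                          "tokens": TOKEN_RE.findall(text)}
    return sorted(findings.values(), key=lambda f: f["layer"])


def _tar(files: dict[str, bytes]) -> bytes:
    """Build an in-memory tar from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            t.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed `docker save` layout: layer 0 COPYs .npmrc with a placeholder
    token, layer 1 is what `RUN rm .npmrc` produces (a whiteout entry only)."""
    layers = {
        "l0/layer.tar": _tar({"app/.npmrc": b"//registry.npmjs.org/:_authToken=npm_PLACEHOLDER_TOKEN_0000\n"}),
        "l1/layer.tar": _tar({"app/.wh..npmrc": b""}),
    }
    manifest = json.dumps([{"Layers": list(layers)}]).encode()
    return _tar({**layers, "manifest.json": manifest})
```

A finding whose `deleted_in_layer` is set is exactly the pattern described above: the file is gone from a running container but still readable from the image. The fix is to keep credentials out of layers entirely (BuildKit secret mounts or a multi-stage build), not to delete them in a later step.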
The Possible Ramifications
- Malicious packages could harvest credentials or move laterally into other systems.
- Compromised pipelines could expose sensitive environment variables or escalate privileges.
- Automated deployment processes could push the malicious code into live environments.
This cascading effect showed how a single oversight in handling build artifacts could jeopardize an entire software lifecycle.
The company classified the vulnerability as a worst-case scenario because of its potential impact across development and production environments.
The severity of the situation was reflected in the $50,500 bounty. For Snorlhax and their partner, the finding marked the culmination of years of refining their expertise and validated their distinctive approach of combining two underestimated attack surfaces: acquisitions and supply chains.
For security professionals everywhere, this case serves as both a cautionary tale and a source of motivation: the most critical flaws are often hidden in unexpected places, such as Docker images or neglected .git folders.
The post Researchers Hacked into Software Supply Chain and Earned $50K Bounty appeared first on Cyber Security News.