Cordova App Harness: confusion of dependencies gives hackers access to other people's software

Father

How a project that was closed 5 years ago almost led to a disaster for the supply chain.

Recently, security researchers identified a new Dependency Confusion vulnerability affecting an archived Apache project called Cordova App Harness.

Thanks to the vulnerability, attackers can force the package manager to download a fraudulent package from a public repository instead of the expected private one, which can have serious consequences for the supply chain, including infecting all customers who install this package.

An analysis conducted last May by security firm Orca found that almost 49% of organizations are affected by Dependency Confusion attacks.

Despite the fact that developers of npm and other package managers have introduced measures to prioritize private versions, Legit Security found that the Cordova App Harness project refers to an internal dependency without specifying the relative file path, which makes it vulnerable.

The Apache Software Foundation stopped supporting the project on April 18, 2019, but as the researchers found out, the door to attacks through the supply chain remained open. A fraudulent version of the package uploaded to npm attracted more than 100 downloads, indicating that the project is still being used by real developers. This poses serious risks to the entire software supply chain.

The Apache security team took control of the cordova-harness-client package to prevent further attacks, so we can say that this time it was safe.

Experts note that organizations are always encouraged to create public stub packages for such cases in order to prevent attacks that exploit "dependency confusion".

As noted by security researcher Ofek Haviv, this discovery highlights the need to consider third-party projects and dependencies as potential vulnerabilities in the software development process, especially with regard to archived open projects that may not receive regular updates or security patches.
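As an added illustration (not part of the original post or of the Cordova project), the Python script below audits a constructed package.json the way a defender would after reading the above: an internal dependency declared with a bare version range, rather than a file: path or a scope mapped to a private registry, is the one npm will fetch from the public registry. The manifest, the "internal-helper" package and the "@acme" scope are hypothetical; only the cordova-harness-client name comes from the article.

```python
import json

# Constructed sample manifest for illustration; it is NOT the real Cordova
# App Harness package.json. "internal-helper" and "@acme" are hypothetical.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-harness",
  "dependencies": {
    "express": "^4.18.0",
    "cordova-harness-client": "0.0.1",
    "internal-helper": "file:../internal-helper",
    "@acme/private-lib": "1.2.0"
  }
}"""

# Names the organisation knows are internal and never meant to come from npmjs.
INTERNAL_NAMES = {"cordova-harness-client", "internal-helper"}
# Scopes that .npmrc is expected to map to a private registry.
PRIVATE_SCOPES = {"@acme"}

LOCAL_PREFIXES = ("file:", "link:")
PINNED_PREFIXES = ("git+", "git:", "github:", "http://", "https://")


def classify(name, spec, internal_names, private_scopes):
    """Return how npm would resolve this dependency and the resulting risk."""
    if spec.startswith(LOCAL_PREFIXES):
        return "local-path"          # resolved from disk, never from a registry
    if spec.startswith(PINNED_PREFIXES):
        return "pinned-source"       # fetched from an explicit URL or repository
    scope = name.split("/")[0] if name.startswith("@") else None
    if scope in private_scopes:
        return "scoped-private"      # safe only if the scope is mapped in .npmrc
    if name in internal_names:
        return "CONFUSION-RISK"      # bare range: public registry can satisfy it
    return "public"


def audit(manifest_text, internal_names=INTERNAL_NAMES, private_scopes=PRIVATE_SCOPES):
    """Classify every dependency in a package.json string; returns name -> status."""
    manifest = json.loads(manifest_text)
    result = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            result[name] = classify(name, spec, internal_names, private_scopes)
    return result


if __name__ == "__main__":
    for name, status in audit(SAMPLE_PACKAGE_JSON).items():
        print(f"{status:16} {name}")
```

Entries reported as CONFUSION-RISK are the ones that need either a local path, a private scope with a registry mapping, or a claimed public stub package, as the article recommends.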