Supply-chain attacks on open-source software are spreading faster than any other class of attack: dependency confusion, Log4j, malicious npm packages, hijacked Ruby gems, and many more. This briefing focuses on one specific aspect of supply-chain risk: JavaScript (npm) packages whose maintainer accounts can be taken over because the domain of the maintainer's e-mail address has expired. Whoever re-registers that domain can receive the registry's password-reset e-mail and take control of the account. This may sound low-impact, but the reality is far from it: a single package can be used by hundreds of thousands of applications, and a malicious release pushed through a hijacked account would be devastating. We will demonstrate how an innocent JS package can become a disaster, and how a registry account takeover evades detection even by security tools such as Dependabot, SAST and DAST, which inspect code and known-vulnerable versions rather than who controls the publishing account.

We have conducted extensive research on this issue: we scanned the internet for widely used JS packages, collecting over 2.1 million packages with millions of downloads, extracted the maintainer e-mail addresses from their registry metadata, and checked those domains to identify expired ones. We then looked up the download numbers of the takeover-able packages to quantify the impact of this vulnerability. We will also present our own scripted tools and how they can be used to stop this from spreading.
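The scan described above, as an added example that is not the speaker's own npm scanner: it reads the package document the npm registry serves at https://registry.npmjs.org/&lt;name&gt; (the `maintainers` list and the `_npmUser` recorded on each published version), collects the e-mail domains, skips free-mail providers, flags domains that no longer resolve, and ranks the hits by weekly downloads (the shape returned by https://api.npmjs.org/downloads/point/last-week/&lt;name&gt;). The package documents, download counts and DNS table below are constructed so the script runs offline; the live `domain_has_records` check assumes dnspython is installed and otherwise falls back to a plain address lookup.

```python
"""Flag npm packages whose maintainer e-mail domain no longer resolves.

Added example, not the talk's tooling. Registry document shape follows
https://registry.npmjs.org/<name>; sample data below is constructed.
"""
import json
import socket

# Free-mail providers: an abandoned *mailbox* there is not the expired-domain
# takeover discussed here, so these domains are skipped.
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com",
                    "outlook.com", "live.com", "icloud.com", "protonmail.com",
                    "proton.me"}

# Constructed registry documents (not real packages or people).
SAMPLE_DOCS = [
    {
        "name": "example-widget",
        "maintainers": [{"name": "alice", "email": "Alice@dead-example.test"},
                        {"name": "bob", "email": "bob@gmail.com"}],
        "versions": {
            "1.0.0": {"_npmUser": {"name": "alice", "email": "alice@dead-example.test"}},
            "1.1.0": {"_npmUser": {"name": "alice", "email": "alice@dead-example.test"}},
        },
    },
    {
        "name": "other-lib",
        "maintainers": [{"name": "carol", "email": "carol@alive-example.test"}],
        "versions": {"2.0.0": {"_npmUser": {"name": "carol", "email": "carol@alive-example.test"}}},
    },
]
# Constructed stand-in for the downloads API (weekly counts).
SAMPLE_DOWNLOADS = {"example-widget": 120000, "other-lib": 5000}
# Constructed stand-in for DNS: True means the domain still has records.
SAMPLE_DNS = {"dead-example.test": False, "alive-example.test": True, "gmail.com": True}


def maintainer_emails(doc):
    """Every address a registry document exposes for a package: the current
    `maintainers` plus the `_npmUser` who published each version (a former
    publisher may no longer appear in `maintainers`)."""
    emails = set()
    for m in doc.get("maintainers") or []:
        if isinstance(m, dict) and m.get("email"):
            emails.add(m["email"].strip().lower())
    for version in (doc.get("versions") or {}).values():
        user = version.get("_npmUser") or {}
        if user.get("email"):
            emails.add(user["email"].strip().lower())
    return emails


def email_domain(email):
    """Domain part of an address, or None if the address is malformed."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip(".")
    return domain or None


def domain_has_records(domain):
    """Live check. Uses dnspython's NS lookup when installed (assumption),
    otherwise a plain A/AAAA lookup. A domain that fails here is only a
    candidate: a registered domain can simply publish no records, so confirm
    availability at a registrar/WHOIS before calling it expired."""
    try:
        import dns.resolver  # assumption: pip install dnspython
        dns.resolver.resolve(domain, "NS")
        return True
    except ImportError:
        pass
    except Exception:
        return False
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def takeover_candidates(docs, downloads, has_records=domain_has_records):
    """Packages whose maintainer e-mail domain no longer resolves, most
    downloaded first. `has_records` is injectable so the scan runs offline."""
    cache, rows = {}, []
    for doc in docs:
        by_domain = {}
        for email in maintainer_emails(doc):
            domain = email_domain(email)
            if domain is None or domain in FREEMAIL_DOMAINS:
                continue
            by_domain.setdefault(domain, []).append(email)
        for domain, emails in by_domain.items():
            if domain not in cache:  # one lookup per domain across all packages
                cache[domain] = has_records(domain)
            if not cache[domain]:
                rows.append({"package": doc["name"], "domain": domain,
                             "emails": sorted(emails),
                             "weekly_downloads": downloads.get(doc["name"], 0)})
    return sorted(rows, key=lambda r: -r["weekly_downloads"])


def scan_samples():
    """Run the scan over the constructed data using the constructed DNS table."""
    return takeover_candidates(SAMPLE_DOCS, SAMPLE_DOWNLOADS,
                               lambda d: SAMPLE_DNS.get(d, True))


if __name__ == "__main__":
    print(json.dumps(scan_samples(), indent=2))
```

Two caveats when running this against the real registry: an unresolvable domain only becomes an actual takeover path if it can be re-registered and the account has no second factor (npm's 2FA, which the registry now requires for the most-downloaded packages, blocks a reset-e-mail-only hijack), and the `_npmUser` addresses on old versions are worth keeping because they reveal former publishers whose accounts may still hold publish rights.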
"Hassan is a highly experienced security researcher with a proven track record of internet-wide scanning and penetration testing. A sought-after speaker, Hassan recently presented at the BlackHatMEA 2022 conference. His expertise extends to Ruby security, where he has conducted extensive research over the past few years. As a certified OSCP (Offensive Security Certified Professional), Hassan has also made a name for himself as a successful bug bounty hunter on both HackerOne and Bugcrowd.
Hassan's achievements have earned him recognition in the industry, including inclusion in the Google Security Hall of Fame (2017), Twitter Security Hall of Fame (2017), and Microsoft Security Hall of Fame (2017). He has also conducted extensive research into WordPress security and won the HackFest CTF competition.
In addition to his research, Hassan is also the developer of GemScanner.py and an npm scanner for account hijacking, further demonstrating his commitment to the security field and his skills as a developer."