Hey there 👋🏻
I am Naveen Kumawat also known as @nvk0x, a security researcher and bug bounty hunter. In this writeup, I’m excited to share my discovery of a Remote Code Execution (RCE) vulnerability via a Dependency Confusion attack at Twilio, which earned me a $5000 bounty.
## What is Dependency Confusion?
Dependency confusion, also known as a substitution attack, occurs when an attacker gets malicious code into a software project by exploiting how package managers resolve dependency names. Most projects use a package manager such as npm (Node.js), pip (Python), or gem (Ruby) to manage external libraries. These tools fetch packages from a public registry unless they are explicitly configured to use a private, internal one.
If a project depends on a package that exists only in the internal registry, and the package manager is also allowed to consult the public registry (or falls back to it when the internal lookup fails), an attacker can publish a package with the same name on the public registry, typically with a higher version number, and the package manager will fetch and install the attacker's version instead. Because npm runs a package's install scripts at install time, that substitution executes attacker-controlled code on every developer machine and CI runner that installs the project, which is what turns a name collision into remote code execution.
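To make the mechanism concrete, here is an added example (not code from the original writeup or from Twilio) that models the two resolution behaviours in plain JavaScript: a vulnerable resolver that merges every configured registry and takes the highest version, and a hardened one that pins internal names to the private registry and never falls back. The package names, versions and the `.npmrc` hostname are made up for illustration.

```javascript
// Added example, not code from the original post: a toy model of dependency
// resolution with a private and a public registry in play. All registry
// contents and package names below are constructed for illustration.

// Constructed internal registry: a package that exists only inside the company.
const INTERNAL_REGISTRY = {
  "acme-logging-utils": ["1.2.0", "1.3.1"],
};

// Constructed public registry: the attacker has claimed the same name and
// published it with a version higher than anything the company ever released.
const PUBLIC_REGISTRY = {
  "acme-logging-utils": ["99.0.0"],
  "lodash": ["4.17.21"],
};

// Compare two "major.minor.patch" strings numerically (no prerelease handling).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Vulnerable resolution: every configured registry is consulted and the highest
// available version wins, no matter which registry served it. This is the
// behaviour dependency confusion exploits (pip with --extra-index-url, npm with
// no scoped-registry mapping, and similar setups).
function resolveMerged(name, registries) {
  const candidates = [];
  for (const [source, registry] of registries) {
    for (const version of registry[name] || []) candidates.push({ version, source });
  }
  if (candidates.length === 0) return null;
  candidates.sort((x, y) => compareVersions(y.version, x.version));
  return candidates[0];
}

// Hardened resolution: names known to be internal are looked up ONLY in the
// private registry; everything else goes ONLY to the public one. The public
// 99.0.0 is never even a candidate. In npm the equivalent is publishing internal
// packages under an organisation scope and mapping that scope in .npmrc, e.g.
// (assumed hostname):
//   @acme:registry=https://npm.internal.acme.example/
function resolvePinned(name, internalNames, internalRegistry, publicRegistry) {
  const isInternal = internalNames.has(name);
  const registry = isInternal ? internalRegistry : publicRegistry;
  const versions = registry[name] || [];
  if (versions.length === 0) return null; // no fallback to the other registry
  const version = [...versions].sort(compareVersions).pop();
  return { version, source: isInternal ? "internal" : "public" };
}

const REGISTRIES = [["internal", INTERNAL_REGISTRY], ["public", PUBLIC_REGISTRY]];
const INTERNAL_NAMES = new Set(Object.keys(INTERNAL_REGISTRY));

console.log("merged :", resolveMerged("acme-logging-utils", REGISTRIES));
console.log("pinned :", resolvePinned("acme-logging-utils", INTERNAL_NAMES, INTERNAL_REGISTRY, PUBLIC_REGISTRY));
console.log("pinned lodash :", resolvePinned("lodash", INTERNAL_NAMES, INTERNAL_REGISTRY, PUBLIC_REGISTRY));
```

The merged resolver returns the attacker's 99.0.0 from the public registry; the pinned resolver returns the company's 1.3.1 and, for an internal name with no internal release, returns nothing rather than silently reaching for the public copy. That "fail closed" behaviour is the property to verify in a real `.npmrc`, `pip.conf` or `.gemrc`.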
The discovery began with a focused investigation into Twilio's repositories. As stated in the program policy, "any host or web property verified to be owned by Twilio" is in scope.
To streamline the process, I wrote a custom script for source code review. It automates cloning repositories and scanning them for sensitive information and vulnerable dependencies. I fed it the full list of Twilio's GitHub repositories; it cloned each one and analyzed the source to flag potential security issues.
Running the script across Twilio's GitHub repositories surfaced three npm dependencies whose names were unclaimed on the public npm registry. I confirmed this manually on the public registry, then, as a proof of concept, published packages with those names from my npm account, embedding malicious JavaScript code in them.
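As an added illustration of what such a scan does at the repository level (this is not the author's script, which the writeup does not publish), the JavaScript below runs the two checks that matter for dependency confusion over a constructed `package.json` and `package-lock.json`: collect every dependency name the manifest references, flag the unscoped ones that a public-registry lookup cannot find, and list any lockfile entry that was resolved from a non-public host. The registry lookup is a stand-in set so the example runs offline; a live scan would query registry.npmjs.org instead. The hostname `npm.internal.acme.example` and all package names are invented.

```javascript
// Added example, not the author's script: the two checks a dependency-confusion
// scan runs over a cloned repository. The manifest, lockfile and "public
// registry" below are constructed stand-ins so the example runs offline.

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Constructed package.json as it might be found in a cloned repository.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-service",
  dependencies: { express: "^4.18.2", "acme-internal-metrics": "^2.1.0", "@acme/config-loader": "1.0.0" },
  devDependencies: { jest: "^29.0.0", "acme-build-helpers": "0.3.0" },
});

// Constructed package-lock.json (lockfileVersion 2/3 layout) for the same project.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "example-service" },
    "node_modules/express": { version: "4.18.2", resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz" },
    "node_modules/acme-internal-metrics": { version: "2.1.0", resolved: "https://npm.internal.acme.example/acme-internal-metrics/-/acme-internal-metrics-2.1.0.tgz" },
  },
});

// Constructed stand-in for the public registry. In a live scan, replace the
// lookup with `npm view <name> version` or a GET to https://registry.npmjs.org/<name>,
// treating a 404 as "unclaimed".
const FAKE_PUBLIC_REGISTRY = new Set(["express", "jest"]);
const fakeLookup = (name) => FAKE_PUBLIC_REGISTRY.has(name);

// Check 1: every dependency name the manifest references, across all dep fields.
function extractDependencyNames(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const names = new Set();
  for (const field of DEP_FIELDS) {
    for (const name of Object.keys(manifest[field] || {})) names.add(name);
  }
  return [...names].sort();
}

// Split names into unscoped ones missing from the public registry (claimable
// directly) and scoped ones, which need a different check: whether the
// organisation actually owns that scope on the public registry.
function findUnclaimed(names, lookup) {
  const unclaimed = [];
  const scoped = [];
  for (const name of names) {
    if (name.startsWith("@")) { scoped.push(name); continue; }
    if (!lookup(name)) unclaimed.push(name);
  }
  return { unclaimed, scoped };
}

// Check 2: a lockfile entry whose `resolved` URL points somewhere other than the
// public registry is strong evidence the package is internal, which makes the
// name a high-value target if it is also unclaimed publicly.
function privatelyResolved(packageLockText, publicHost = "registry.npmjs.org") {
  const lock = JSON.parse(packageLockText);
  const result = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.resolved) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (new URL(entry.resolved).hostname !== publicHost) result.push(name);
  }
  return result;
}

const depNames = extractDependencyNames(SAMPLE_PACKAGE_JSON);
console.log("dependencies:", depNames);
console.log("unclaimed / scoped:", findUnclaimed(depNames, fakeLookup));
console.log("resolved from a private registry:", privatelyResolved(SAMPLE_PACKAGE_LOCK));
```

Scoped names are reported separately on purpose: an `@org/` prefix only protects a package if the organisation owns that scope on the public registry, so the scan should verify scope ownership rather than assume it. Whatever is published to prove a finding should be a benign beacon (for example, an install script that reports only the hostname to a server you control), never code that alters the target's systems.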
With the proof of concept (PoC) ready, I quickly reported my two findings to Twilio's bug bounty program on Bugcrowd. They accepted the reports as critical-severity issues and, as a token of appreciation, Twilio awarded me a $2,500 bounty for each of the two reported vulnerabilities, totaling $5,000.
This discovery highlights the importance of securing the software supply chain and being vigilant about potential dependency confusion attacks. Automated tools, combined with manual verification, play a crucial role in uncovering such vulnerabilities. I hope this writeup encourages other security researchers to explore similar avenues and contribute to making software ecosystems more secure.