Old and busted: Targeting servers and web bugs. New hotness: Pwning devs with targeted poisoned stacks

'Most developers are highly intelligent, but also highly stupid'
Hard-working but naive developers are a little-known but highly dangerous soft spot in an organisation that attackers can exploit.

This is according to Rich Jones, co-founder of security consultancy Gun.io. Speaking at the 2020 Disclosure conference, Jones outlined how the trust many developers put in their software stacks and shared code, paired with a disturbing lack of online savvy, can make them easy pickings for hackers.

"Systems are generally hardened - they have patches, they have firewalls, they have monitoring," Jones explained, "but [some] developers will run literally any bullshit they find on Stack Overflow. They keep credentials lying about, they're obviously going to have the source code and some production data sitting on their hardware as well."

As one example of the tactic, Jones pointed to the July attack at Twitter in which employees were spear-phished, leading to the takeover of 130 celebrity accounts.

"This was not a hack of the Twitter production system: this was a hack of Twitter employees using classic social engineering tricks," he noted. "This is pretty powerful stuff, it's practical, and you can cause serious damage with it."

So how exactly would an aggressor go about attacking a specific developer?

Jones said much of it is down to exploiting the trust developers put into shared code and software stacks. By selecting a developer and studying their projects, an attacker would be able to map out the software stack being used.

From there, the attacker would pick out a weak spot in that stack – say, a dependency or GitHub project – and plant poisoned code there. This could be as simple as slipping attack code into a Stack Overflow post.

Because so many developers will pull, copy, and share open source code without a second thought, they will happily run the poisoned code and compromise their own machines. Jones said this is even the case when the dev's computer tries to warn them that something bad is about to happen.

Much of this, he said, is due to learned behavior rather than ignorance. After years of sharing code and tips with other developers and seeing their peers ignoring warnings while working on projects, many coders have unlearned some of the basic rules other users follow.

"Most developers consider themselves to be moderately intelligent but not stupid," mused Jones. "I have found most developers are highly intelligent, but also highly stupid."

The problem is amplified by the fact that developers are also extremely high-value targets. In addition to their own code, many devs will have things like security keys or admin access to other networked devices. This can open the door to everything from server takeovers to DNS rebinding or man-in-the-middle attacks.

"Developers have all the juicy bits of production systems sitting around on their laptops," said Jones. "And that will give you the foothold you need to completely take over their organization."

The solution, it seems, is for developers to re-learn some best practices. Jones advised basic steps for devs such as not storing production code on their local machine, scrutinizing the projects they use in their software stacks, not oversharing information about their projects on social media, and, er, actually paying attention to warning messages. ®
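As an added example that is not part of the original article, the check below applies Jones' advice to scrutinise the software stack to a Python requirements file: it flags dependencies pulled straight from a repo or URL, unpinned versions, and pinned versions with no hash, which are the entries an attacker poisoning a dependency or GitHub project would rely on going unnoticed. The sample requirements file, the package names and the digest are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample requirements file: a mix of the careful and careless entries
# a developer ends up with after copying install lines from shared projects.
CONSTRUCTED_DIGEST = "a" * 64  # placeholder digest, not a real package hash
SAMPLE_REQUIREMENTS = "\n".join([
    f"requests==2.25.0 --hash=sha256:{CONSTRUCTED_DIGEST}",
    "flask                      # no version at all",
    "django>=3.0",
    "git+https://github.com/example-org/example-lib.git",
    "https://example.invalid/handy-helper.tar.gz",
    "pyyaml==5.3.1",
])

# name, optional [extras], then an exact == pin
PINNED_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==[^\s;]+")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-fA-F]{64}")
DIRECT_SOURCES = ("git+", "hg+", "svn+", "bzr+", "http://", "https://")


def audit_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (requirement, finding) pairs for entries that deserve a second look.

    vcs-or-url  installed straight from a repo or URL: no registry, no version, nothing to verify
    unpinned    no exact version, so the build silently follows whatever is published next
    no-hash     exact version but no --hash, so a replaced artifact would still install
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("-"):  # skip option lines such as -r or --index-url
            continue
        if line.startswith(DIRECT_SOURCES) or " @ " in line:
            findings.append((line, "vcs-or-url"))
        elif not PINNED_RE.match(line):
            findings.append((line, "unpinned"))
        elif not HASH_RE.search(line):
            findings.append((line, "no-hash"))
    return findings


def is_clean(text: str) -> bool:
    """True only when every entry is pinned to an exact version with a hash."""
    return not audit_requirements(text)


if __name__ == "__main__":
    for requirement, finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{finding:11} {requirement}")
```

Running it against the constructed file reports five findings; only the hashed, pinned `requests` line passes.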

Biting the hand that feeds IT © 1998–2020