Security News > 2021 > June > Microsoft successfully hit by dependency hijacking again

Microsoft successfully hit by dependency hijacking again
2021-06-29 07:40

Microsoft has once again been successfully hit by a dependency hijacking attack.

After publishing a public dependency by the same name, he began receiving messages from Microsoft's Halo game dev servers.

BleepingComputer's former articles on dependency confusion explain that the term represents an inherent weakness in various open-source repository managers when it comes to retrieving dependencies specified for a software package.

Should a project be using a private, internally created dependency and a dependency by the same name also exists on a public repository, this would create "Confusion" for the development tools as to which dependency is being referred to.

The public dependency with the same name would get pulled into the development environment instead of the intended, private dependency.

This further confirmed the researcher's suspicions that a Microsoft server had been successfully hit by his dependency hijacking attack, and the researcher contacted Microsoft.


News URL

https://www.bleepingcomputer.com/news/security/microsoft-successfully-hit-by-dependency-hijacking-again/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 473 68 2214 4928 253 7463