Numerous Android and Java apps that depend on abandoned open-source libraries, along with any build that resolves dependencies through Apache Maven-style repositories, could be compromised through a novel software supply chain attack technique dubbed MavenGate, reports The Hacker News.
Threat actors could use the MavenGate method to take over dependency artifacts, inject malicious code into them, and compromise the build process without being detected, according to a report from Oversecured.
"An attacker can gain access to a vulnerable groupId by asserting their rights to it via a DNS TXT record in a repository where no account managing the vulnerable groupId exists. If a groupId is already registered with the repository, an attacker can attempt to gain access to that groupId by contacting the repository's support team," said researchers.
The findings should prompt clearer accountability among developers, the researchers said.
"Library developers should be responsible for the dependencies they declare and also write public key hashes for their dependencies, while the end developer should be responsible only for their direct dependencies," added researchers.
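The takeover path described above rests on one detail: a groupId in a Maven-style repository follows reverse-DNS convention (com.example.lib belongs to whoever controls example.com), so a lapsed domain is a claimable groupId. The following checker is an added example, not code from Oversecured, SC Media or the Maven project. It parses a constructed pom.xml, maps each dependency's groupId to the domain that must be controlled to claim it, and reports groupIds whose domain no longer resolves. The sample POM, its groupIds, the HOSTED_DOMAINS set and the two-label domain rule are assumptions for illustration.

```python
"""Flag Maven dependencies whose groupId maps to a domain nobody controls.

Added example (not from the Oversecured report, SC Media or Apache Maven).
A groupId is granted to whoever proves control of the matching domain, for
instance via a DNS TXT record, so a groupId whose domain has lapsed is a
takeover candidate. A non-resolving domain is a lead for an RDAP/WHOIS
check, not proof of compromise: it may still be registered with no DNS.
"""
from __future__ import annotations

import socket
import xml.etree.ElementTree as ET
from typing import Callable

# Constructed sample POM; every groupId and artifact below is hypothetical.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
    <dependency>
      <groupId>com.defunct-startup.util</groupId>
      <artifactId>json-helper</artifactId>
      <version>1.0.2</version>
    </dependency>
    <dependency>
      <groupId>io.github.someuser</groupId>
      <artifactId>tiny-lib</artifactId>
      <version>0.3</version>
    </dependency>
  </dependencies>
</project>
"""

# groupIds under code-hosting domains (io.github.<user>) are verified by
# repository ownership rather than DNS, so domain checks do not apply.
# Assumed list; extend for other hosts your repository accepts.
HOSTED_DOMAINS = {"github.io", "github.com"}


def _local(tag: str) -> str:
    """Strip the XML namespace so POMs with or without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]


def dependency_group_ids(pom_xml: str) -> list[str]:
    """Return groupIds of every <dependency> (including dependencyManagement)."""
    root = ET.fromstring(pom_xml)
    ids = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        for child in dep:
            if _local(child.tag) == "groupId" and child.text:
                ids.append(child.text.strip())
    return ids


def domain_for_group_id(group_id: str) -> str:
    """Map a reverse-DNS groupId to the domain that must be controlled to
    claim it: com.example.lib -> example.com. Simplification: assumes a
    two-label registrable domain; a real tool should consult the Public
    Suffix List for names such as co.uk."""
    labels = group_id.lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"groupId is not reverse-DNS: {group_id!r}")
    return ".".join(reversed(labels[:2]))


def dns_resolves(domain: str) -> bool:
    """Live resolver; swapped out for an offline callable in the demo."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def unclaimed_group_ids(
    pom_xml: str, resolves: Callable[[str], bool] = dns_resolves
) -> list[tuple[str, str]]:
    """Return (groupId, domain) pairs whose domain does not resolve."""
    findings = []
    for gid in dependency_group_ids(pom_xml):
        domain = domain_for_group_id(gid)
        if domain in HOSTED_DOMAINS:
            continue
        if not resolves(domain):
            findings.append((gid, domain))
    return findings


if __name__ == "__main__":
    # Offline demo: only apache.org is treated as live (constructed data).
    live = {"apache.org"}
    for gid, dom in unclaimed_group_ids(SAMPLE_POM, lambda d: d in live):
        print(f"{gid}: {dom} does not resolve; verify registration via RDAP/WHOIS")
```

Run against a real POM with the default resolver to get a list of groupIds worth an RDAP/WHOIS check. This addresses only the first half of the researchers' advice (knowing who owns your direct dependencies); the second half, pinning what you download, is what Gradle's dependency verification (`gradle/verification-metadata.xml`, generated with `--write-verification-metadata sha256`) provides, and a takeover of a groupId does not help an attacker against a build that rejects any artifact whose checksum or signing key changed.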
Android, Java apps susceptible to novel MavenGate software supply chain attack technique