Hackers Can Target Mailchimp Users By Exploiting a Dependency Confusion Bug


Author : Vishal Singh
Co-Authors and Contributors: Godson Bastin
Editor : Deepanjli Paulraj

BeVigil, the world’s first security search engine, identified several apps leaking Mailchimp API keys. Based on these findings, CloudSEK researchers identified two unclaimed packages, referenced in Mailchimp’s code and documentation, that create a dependency confusion risk. This can be leveraged to inject malicious code into Mailchimp’s code.

With ~800,000 paying customers and ~13 million users, Mailchimp is one of the world’s largest marketing automation platforms, enabling businesses to engage with customers and audiences.

In this blog, we claim one of the unclaimed packages in Mailchimp’s code to illustrate how dependency confusion can be exploited by threat actors, and why it is a vulnerability that organizations should be vigilant about.

Dependency Confusion in Mailchimp

Dependency confusion is a software supply chain vulnerability that can be exploited to trick a software installer into fetching a malicious package from a public registry instead of the package of the same name from the authorized internal repository.

Mailchimp has two unclaimed packages:

  • mailchimp-marketing
  • mailchimp_transactional

Mailchimp’s API documentation shows that the require() calls for the above packages are not configured correctly: they reference unscoped package names that are not published on npm. Hence, when a user follows the documentation to install them, an attacker’s package of the same name gets installed instead. To illustrate how an attacker can accomplish this, we took over the mailchimp-marketing package.*

How Mailchimp’s Dependency Confusion can be Exploited

We installed the mailchimp-marketing package from the Mailchimp repository by following the instructions in the installation guide.

Install the mailchimp_marketing package

Import mailchimp_marketing

To import the authorized package, the following require() call has to be used: require("@mailchimp/mailchimp_marketing"). However, the API documentation directs users to use require("mailchimp-marketing").

When this call is used, npm looks up npmjs.org/mailchimp-marketing, which responds with a 404 status code. This shows that no package named mailchimp-marketing exists in the registry. Hence, we could publish a library named mailchimp-marketing on npmjs.

We cloned the original Mailchimp repo and published a project named mailchimp-marketing, with a harmless webhook in the code. We downloaded the original mailchimp_marketing package from GitHub and added the webhook to the ApiClient.js file.

Whenever a user downloads this package, which we have taken over, the webhook is triggered and we receive a notification.

The repo we claimed and the hosted code can be found here.

The downloads and the webhook triggered 500-1000 hits per week from Mailchimp users.

Webhook added in the ApiClient.js file

Next, we used the npm CLI to upload this package with mailchimp-marketing as the package name.

So far we have received 72,389 hits (the code is used by users repeatedly) for a single package, and there is another package available for takeover.

Hits for the package

The Unclaimed Package

The package mailchimp_transactional also returns a 404 Not Found response from npm, showing that it is also unclaimed. Threat actors could claim this package and host malicious code on it.

Impact

Threat actors can take over the unclaimed packages to target public Mailchimp users’ systems by:

  • Initiating Remote Code Execution
  • Installing malware
  • Implementing keyloggers and bitcoin miners
  • Launching ransomware attacks

Mitigation

Mailchimp should update the API documentation for both unclaimed packages:

  • require("mailchimp-marketing") should be updated to require("@mailchimp/mailchimp_marketing")
  • require("mailchimp_transactional") should be updated to require("@mailchimp/mailchimp_transactional")
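The two mitigation items above, together with the earlier observation that the documented require() calls point at unscoped names, can be turned into a check that runs in a project’s CI. The following is an added example written for this post, not code from CloudSEK, Mailchimp or the npm project: it scans JavaScript source for require()/import specifiers that name an unscoped package where the vendor publishes a scoped one, and checks an installed package’s package.json against the expected scoped name and source repository. The mapping table, the sample source file, the lookalike package.json and the expected repository prefix are all constructed assumptions for the example.

```javascript
// Added example, not code from CloudSEK, Mailchimp or the advisory. Audits
// source files for unscoped require()/import specifiers that should be the
// vendor's scoped package, and checks an installed package's metadata.

// Unscoped names seen in documentation mapped to the scoped packages the
// vendor actually publishes. The Mailchimp entries come from the advisory;
// the table itself is an assumption a project would maintain for its own deps.
const OFFICIAL_SCOPED = {
  'mailchimp-marketing': '@mailchimp/mailchimp_marketing',
  'mailchimp_marketing': '@mailchimp/mailchimp_marketing',
  'mailchimp-transactional': '@mailchimp/mailchimp_transactional',
  'mailchimp_transactional': '@mailchimp/mailchimp_transactional',
};

// Matches require('x') / require("x"), import ... from 'x', and import 'x'.
const SPECIFIER_RE = /(?:require\s*\(\s*|from\s+|import\s+)(['"])([^'"]+)\1/g;

// Pull every module specifier out of a source string.
function extractSpecifiers(source) {
  return Array.from(source.matchAll(SPECIFIER_RE), (m) => m[2]);
}

// Report specifiers that should point at the scoped official package instead.
// Relative paths and already-scoped names are skipped; for "pkg/subpath" only
// the package part is looked up.
function auditSpecifiers(source) {
  const findings = [];
  for (const specifier of extractSpecifiers(source)) {
    if (/^[./@]/.test(specifier)) continue;
    const packageName = specifier.split('/')[0];
    const expected = OFFICIAL_SCOPED[packageName];
    if (expected) findings.push({ specifier, expected });
  }
  return findings;
}

// Check a parsed package.json from node_modules against what was expected:
// the scoped name, a repository under the vendor's organisation, and no
// install-time lifecycle scripts, which merit review in any new dependency.
function auditInstalledPackage(pkg, expectedName, expectedRepoPrefix) {
  const problems = [];
  if (pkg.name !== expectedName) {
    problems.push(`name is "${pkg.name}", expected "${expectedName}"`);
  }
  const repo = typeof pkg.repository === 'string'
    ? pkg.repository
    : (pkg.repository && pkg.repository.url) || '';
  if (!repo.includes(expectedRepoPrefix)) {
    problems.push(`repository "${repo}" is not under ${expectedRepoPrefix}`);
  }
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (pkg.scripts && pkg.scripts[hook]) {
      problems.push(`lifecycle script ${hook}: "${pkg.scripts[hook]}"`);
    }
  }
  return problems;
}

// Constructed sample input: the documented (wrong) require line next to a
// correct scoped one and two unrelated imports.
const SAMPLE_SOURCE = `
const mailchimp = require("mailchimp-marketing");
const tx = require("@mailchimp/mailchimp_transactional");
import fs from "fs";
import "./local-helper.js";
`;

// Constructed sample: metadata of a lookalike package under the unscoped name.
// The repository URL and script name are placeholders, not real values.
const SAMPLE_LOOKALIKE_PKG = {
  name: 'mailchimp-marketing',
  repository: { type: 'git', url: 'https://github.com/EXAMPLE-PLACEHOLDER/mailchimp-marketing.git' },
  scripts: { postinstall: 'node setup.js' },
};

// The vendor's repository prefix is an assumption for this example.
const EXPECTED_REPO_PREFIX = 'github.com/mailchimp/';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSpecifiers(SAMPLE_SOURCE));
  console.log(auditInstalledPackage(SAMPLE_LOOKALIKE_PKG,
    '@mailchimp/mailchimp_marketing', EXPECTED_REPO_PREFIX));
}
```

Run against the constructed sample, auditSpecifiers reports the single unscoped mailchimp-marketing specifier with its scoped replacement, and auditInstalledPackage flags the lookalike’s name, repository and postinstall script; a package whose name and repository match the expectations and that declares no install hooks produces no findings. The same table can be fed from a lock file instead of source text.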


*Note: Mailchimp was notified about this but did not respond to our disclosure or rectify the issue.

Vishal Singh
As a Vulnerability Research Engineer at CloudSEK, Vishal conducts penetration tests on client-side assets and reports discovered vulnerabilities. When he is not occupied with work, Vishal loves to surf the internet and hone his Python coding skills.
Lead Cyberintelligence Editor, CloudSEK
Deepanjli is CloudSEK’s Lead Technical Content Writer and Editor. She is a pen wielding pedant with an insatiable appetite for books, Sudoku, and epistemology. She works on any and all content at CloudSEK, which includes blogs, reports, product documentation, and everything in between.