Continuing from some past posts regarding how developers could be targeted due to their roles playing a significant part in an organisation, this time we’ll be talking about Typosquatting and inclusion of libraries has a whole. 

 

What is Typosquatting?

This technique entails taking something that is well-known such a domain name or a package, then re-creating it with a similar name. For example, using google.co.uk for instance, a user could easily spell the word with additional ‘o’s by mistake. This could be mistyped as gooogle.co.uk. If this domain is available, a malicious user could purchase this and use this to create a phishing site to attract victims. 

 

However, we are talking about developers here, so how this could happen to them? Developers use a range of libraries when creating a product, but what if the developer makes a typo which leads to a different library being included than the one intended?

 

For this we’ll use PyPi. The Python Programming Language index. There is a commonly used library called ‘requests’, which is used to make HTTP requests. If this was impersonated by using ‘request’ (removing the ‘s’) for instance, and the developer made this typo and doesn’t realise the error, this would then be included into their code. 

 

From here, this impersonate library would generally act like the legitimate “requests” library but have extra functionality. An example of this can be found here where two malicious packages were removed from PyPI.   

 

Using any libraries in general has its risks due to not knowing what the code does. However, given the time needed to generally developer a product, but also developing their own libraries due to this risk can be challenging. On one hand, if you’ve developed something yourself, the risk will be removed. However, using third party libraries will be easier, but the risk will be there.

 

Using well-known libraries could be considered a lower risk than some random libraries that are available, however, there should always be verifications carried out on the libraries that are included before using them.

Join us in a partnership founded in research, education and execution

Our success is built on protecting our clients’ success. We have a distinguished track record of supporting our clients in building secure by design environments. Our consultants have successfully ushered in new security practices in leading pharmaceutical, energy and retail institutions. Bramfitt has over 50 specialists around the world and we are committed to forging long-term relationships with our clients, providing them with genuine insight and practical advice, and supporting them as they navigate the everchanging security landscape.

Let us be your partner for the next phase of your security journey.

EMEA Headquarters
Tower 42, 25 Old Broad Street London, EC2N 1HN
+44 (0) 208 187 4234
AMER Headquarters
45 Rockefeller Plaza, 20th Floor New York, NY 10111
+1 (800) 468-6046
APAC Headquarters
96 Wanneroo Rd, Yokine WA 6060, Australia
Social
iasme consortium
iasme consortium
cyber essentials
cyber essentials plus
iot security assured
pentest
ukas iso 9001ukas iso 27001
Back to top
Get in touch