Typosquatting


Continuing from some past posts about how developers can be targeted because their role plays a significant part in an organisation, this time we’ll be talking about typosquatting and the inclusion of libraries as a whole.

What is Typosquatting?

This technique entails taking something well-known, such as a domain name or a package, and re-creating it with a similar name. Take google.co.uk, for example: a user could easily mistype the word with an extra ‘o’, giving gooogle.co.uk. If that domain is available, a malicious user could purchase it and use it to host a phishing site to attract victims.

However, we are talking about developers here, so how could this happen to them? Developers use a range of libraries when creating a product, but what if the developer makes a typo that leads to a different library being included than the one intended?

For this we’ll use PyPI, the Python Package Index. There is a commonly used library called ‘requests’, which is used to make HTTP requests. If this were impersonated using ‘request’ (removing the ‘s’), for instance, and the developer made that typo without realising the error, the impersonating library would be included in their code.

From there, the impersonating library would generally behave like the legitimate “requests” library but carry extra functionality. An example of this can be found here, where two malicious packages were removed from PyPI.

Using any library carries some risk, because you do not necessarily know what its code does. However, given the time needed to develop a product, writing your own libraries to avoid this risk can be challenging. On one hand, if you have developed something yourself, this risk is removed; on the other, using third-party libraries is easier, but the risk remains.

Using well-known libraries could be considered lower risk than some random library that happens to be available; however, the libraries being included should always be verified before they are used.
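As an added example (not code from the original post), the following Python script applies that verification step to a requirements list: it flags any package name that is not on a trusted allowlist but sits within one edit of a name that is, which is exactly how the ‘request’ / ‘requests’ case above would be caught. The allowlist and the sample requirements lines are constructed for the illustration; in practice the allowlist would be the set of packages your team has already reviewed.

```python
"""Flag likely typosquats in a list of Python requirements.

Added example, not code from the original post. WELL_KNOWN and
SAMPLE_REQUIREMENTS are constructed for this illustration.
"""
import re

# Constructed allowlist of packages the team already trusts (not a real curated list).
WELL_KNOWN = {"requests", "urllib3", "numpy", "cryptography", "django", "flask"}

# Constructed requirements file contents; 'request' and 'djangoo' are one edit
# away from trusted names and are exactly the kind of typo the post describes.
SAMPLE_REQUIREMENTS = """
# constructed sample
requests==2.31.0
request==1.0.0
numpy>=1.26
djangoo
flask[async]
""".strip().splitlines()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str):
    """Return the project name from a requirements line, or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def check_requirements(lines, known=WELL_KNOWN, max_distance=1):
    """Return (name, closest_known, distance) for names that are not in the
    allowlist but are within max_distance edits of a name that is.
    Hits are leads for a human to review, not proof of malice."""
    findings = []
    normalized_known = {normalize(k): k for k in known}
    for line in lines:
        name = requirement_name(line)
        if name is None:
            continue
        norm = normalize(name)
        if norm in normalized_known:
            continue  # exact (normalised) match with a trusted package
        dist, closest = min((levenshtein(norm, k), k) for k in normalized_known)
        if dist <= max_distance:
            findings.append((name, normalized_known[closest], dist))
    return findings


if __name__ == "__main__":
    for name, closest, dist in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"review {name!r}: {dist} edit(s) from trusted package {closest!r}")
```

A near-match is a prompt to look at the package, not a verdict: legitimate projects can have names close to popular ones, so the output is meant to go to a reviewer rather than to block a build on its own. It complements, rather than replaces, pinning exact versions and hashes of the packages you have already reviewed.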