Author : Vishal Singh
Co-Authors and Contributors: Godson Bastin
Editor : Deepanjli Paulraj
BeVigil, the world’s first security search engine identified several apps leaking Mailchimp API keys. Based on these findings, CloudSEK researchers identified 2 unclaimed packages, in the Mailchimp code, that create dependency confusion. This can be leveraged to inject malicious code into Mailchimp’s code.
With ~800,000 paying customers and ~ 13 million users, Mailchimp is one of the world’s largest marketing automation platforms that enable businesses to engage with customers and audiences.
In this blog, we claim one of the unclaimed packages in Mailchimp’s code to illustrate how dependency confusion can be exploited by threat actors, and why it is a vulnerability that organizations should be vigilant about.
Dependency Confusion in Mailchimp
Dependency confusion is a software supply chain vulnerability that can be exploited to trick a software installer into calling a malicious code file from a public code repository instead of calling a file of the same name from the authorized internal repository.
Mailchimp has 2 unclaimed packages:
Mailchimp API documentation shows that the require() functions in the above packages are not configured correctly. Hence, when a user tries to install them, it leads to the attacker’s package getting installed instead. To illustrate how an attacker can accomplish this, we took over the mailchimp-marketing package.*
How Mailchimp’s Dependency Confusion can be Exploited
We installed the mailchimp-marketing package, from the Mailchimp repository, by following the instructions in the installation guide.
To import the authorized package, the following require() function has to be used: require(“@mailchimp/mailchimp_marketing”). However, the API documentation directs users to use the require() function require(“mailchimp-marketing”).
When this function is used, npmjs.org/mailchimp-marketing responds with a 404 status code. This shows that a package named mailchimp-maketing is not available in the repo. Hence, we could publish a library named mailchimp-marketing in npmjs.
We cloned the original Mailchimp repo and published a project named mailchimp-marketing, with a harmless webhook in the code. We downloaded the original mailchimp_marketing package from Github and added the webhook in the ApiClient.js file.
Whenever a user downloads this repo, which we have taken over, the webhook will be triggered and we will receive a notification.
The repo we claimed and the hosted code can be found here.
The downloads and the webhook triggered 500-1000 hits per week from MailChimp users.
Next, we used NPM CLI to upload this package with mailchimp-marketing as the package name.
So far we have got 72,389 hits (code used by users repeatedly) for a single package, and there another repo available for takeover.
The Unclaimed Package
The package mailchimp_transactional also returns a 404 not found message at npm, showing that it is also unclaimed. Threat actors claim this package and can host malicious code on it.
Threat actors can take over the unclaimed packages to target public Mailchimp users’ systems by:
- Initiating Remote Code Execution
- Installing malware
- Implementing keyloggers and bitcoin miners
- Launching ransomware attacks
Mainchimp should update both the API documentation of the unclaimed packages.
- require(“mailchimp-marketing”) should be updated to require(“@mailchimp/mailchimp_marketing”)
- require(“mailchimp_transactional”) should be updated to require(“@mailchimp/mailchimp_transactional”)
*Note: Mailchimp was notified about this but did not respond to our disclosures, or rectify the issue.