Open source ecosystems and the tools that developers use have seen increasing attacks over the past three to four years, with many “novel” attack vectors coming to fruition in 2021. In November, researchers at the University of Cambridge found yet another way to invade the open source community, called “Trojan Source”.
The paper “Trojan Source: Invisible Vulnerabilities” (PDF format) details how malicious adversaries can exploit a weakness in text encoding that lets compilers and interpreters read source code differently from how it is displayed to developers. This, in essence, creates an invisible vulnerability that can’t be seen by the human eye and is a great threat to development environments if not properly addressed.
What is a Trojan Source attack?
As explained by researchers Nicholas Boucher and Ross Anderson:
“This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed.”
It’s a scary and high-risk attack for developers: it can cause “comments and strings to appear to be code and vice versa.”
The full scale of this vulnerability is massive, potentially affecting almost every language and system from Linux to WebKit. The weakness exploits Unicode’s bidirectional or “Bidi” algorithm, which handles displaying text that mixes scripts with different display orders, such as Arabic (right to left) and English (left to right). Because the editor does not flag the bidirectional control characters present in the source code, bad actors can inject malicious code that looks harmless.
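The practical defence the explanation above points at is simple: find the Bidi control characters before they reach a reviewer’s screen. The scanner below is an added example written for this post, not code from the paper or its authors. The code points it looks for are the Unicode bidirectional formatting characters (embeddings U+202A/U+202B, overrides U+202D/U+202E, isolates U+2066 to U+2068, their terminators U+202C and U+2069, and the standalone marks U+200E, U+200F and U+061C); the sample input is constructed, and the per-line “unterminated” check is a simplification of the idea that an opener left open inside a comment or string is the suspicious case.

```python
"""Scan source text for Unicode bidirectional (Bidi) control characters.

Added example for this post; not code from the Trojan Source paper.
"""
from __future__ import annotations

import sys
import unicodedata
from dataclasses import dataclass

# Bidi formatting characters from the Unicode standard.
BIDI_OPENERS = {"\u202a", "\u202b", "\u202d", "\u202e",  # LRE, RLE, LRO, RLO
                "\u2066", "\u2067", "\u2068"}             # LRI, RLI, FSI
BIDI_CLOSERS = {"\u202c", "\u2069"}                       # PDF, PDI
BIDI_MARKS = {"\u200e", "\u200f", "\u061c"}               # LRM, RLM, ALM
BIDI_CONTROLS = BIDI_OPENERS | BIDI_CLOSERS | BIDI_MARKS


@dataclass
class Finding:
    line: int            # 1-based line number
    column: int          # 1-based code point index within the line
    codepoint: str       # e.g. "U+202E"
    name: str            # Unicode character name
    unterminated: bool   # opener still open at end of its line


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per Bidi control character in `text`.

    An opener that is not closed by a PDF/PDI before the end of the same
    line is marked `unterminated` (simplified per-line balance check).
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        open_stack: list[Finding] = []
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI_CONTROLS:
                continue
            f = Finding(line_no, col, f"U+{ord(ch):04X}",
                        unicodedata.name(ch, "UNKNOWN"), False)
            findings.append(f)
            if ch in BIDI_OPENERS:
                open_stack.append(f)
            elif ch in BIDI_CLOSERS and open_stack:
                open_stack.pop()
        for f in open_stack:
            f.unterminated = True
    return findings


def scan_file(path: str) -> list[Finding]:
    """Read a file as UTF-8 and scan it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: line 2 has a balanced LRE...PDF pair, line 3 has an
# RLO inside a comment that is never terminated on that line.
SAMPLE = (
    "// constructed sample file\n"
    "int balance = 0; /* \u202anote\u202c */\n"
    "/* \u202e access granted */\n"
    "return balance;\n"
)


def demo() -> list[Finding]:
    """Scan the constructed sample; returns three findings, one unterminated."""
    return scan_text(SAMPLE)


if __name__ == "__main__":
    results = [scan_file(p) for p in sys.argv[1:]] if sys.argv[1:] else [demo()]
    for findings in results:
        for f in findings:
            flag = " (unterminated)" if f.unterminated else ""
            print(f"line {f.line} col {f.column}: {f.codepoint} {f.name}{flag}")
```

Run it with file paths as arguments to scan a checkout, or with no arguments to see the constructed sample flagged; wiring `scan_file` into a pre-commit hook or CI step gives reviewers the warning an editor does not.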
Targeted development teams can pull in malicious packages, carefully review them for suspicious activity, and still not find any red flags. Thus, it is now more important than ever for teams to have an effective, automated malware detection and protection system in place to secure your (Read more...)