MavenGate: New Threat Allows Hijacking of Java and Android

A recent analysis has uncovered a potential security threat known as MavenGate, which exploits abandoned but still utilized libraries in Java and Android applications. The attack method allows hackers to compromise the software supply chain by exploiting vulnerabilities in default build configurations. According to the report, access to projects can be hijacked through domain name purchases, making it challenging to detect ongoing attacks.

The vulnerability lies in the widespread use of public and popular libraries that have been abandoned but are still integrated into Java and Android applications. MavenGate enables attackers to hijack artifacts in dependencies, injecting malicious code into applications. Furthermore, it poses a risk of compromising the build process itself through the introduction of a malicious plugin.

The researcher has reported that all Maven-based technologies, including Gradle, are susceptible to this attack. The company has notified over 200 organizations, including major entities such as Google, Facebook, Signal, and Amazon, about the potential risks.

Apache Maven, a widely used tool for building and managing Java-based projects, is the target of this attack. Attackers leverage the inclusion of abandoned libraries in known repositories, exploiting weaknesses in the build process. The method involves purchasing expired domains whose reversed form serves as a library's unique identifier (its groupId) and thereby obtaining control of that groupId.

To demonstrate the attack scenario, the researcher uploaded a test Android library to Maven Central and JitPack, showcasing how an attacker can manipulate the dependency repository list in the Gradle build script to compromise the software supply chain. The researcher also emphasized the lack of security measures in many applications, as most do not check the digital signature of dependencies. This opens up the possibility for attackers to release new versions of libraries with embedded malicious code, which remain undetected until developers upgrade to the compromised versions.

Out of 33,938 analyzed domains, 18.18% were found to be vulnerable to MavenGate, allowing threat actors to hijack dependencies and inject their own code. While Sonatype, owner of Maven Central, believes the outlined attack strategy is not feasible due to existing automation, it has taken precautionary measures by disabling accounts associated with expired domains and GitHub projects. Additionally, plans are underway to collaborate with Sigstore to digitally sign components and enhance security.

The researcher emphasized the shared responsibility for security between library developers and end developers. Library developers should be accountable for declared dependencies and provide public key hashes, while end developers are responsible for their direct dependencies’ security. This highlights the importance of comprehensive security measures to protect against supply chain attacks like MavenGate.
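The signature check that the report says most applications skip, and the public key hashes it says library developers should publish, map directly onto Gradle's dependency verification file. The following is an added example, not taken from the research report or from any project it names; the groupId, artifact name, version, key fingerprint and checksum are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- gradle/verification-metadata.xml: make Gradle verify both checksums and
     PGP signatures of every resolved artifact instead of trusting the repository. -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
  <configuration>
    <!-- Verify POM and Gradle module metadata too, not only the JAR/AAR itself. -->
    <verify-metadata>true</verify-metadata>
    <!-- Fail the build when an artifact has no .asc signature or one from an untrusted key. -->
    <verify-signatures>true</verify-signatures>
    <key-servers>
      <key-server uri="https://keyserver.ubuntu.com"/>
    </key-servers>
    <trusted-keys>
      <!-- Pin the original publisher's PGP key to the groupId. A version published
           under a hijacked groupId with a different key is rejected here even if
           the checksum entry below were updated. The fingerprint is a placeholder. -->
      <trusted-key id="0123456789ABCDEF0123456789ABCDEF01234567" group="com.example.abandoned"/>
    </trusted-keys>
  </configuration>
  <components>
    <!-- Checksum pin for one direct dependency (placeholder coordinates and hash).
         A silently re-published artifact with the same version no longer matches. -->
    <component group="com.example.abandoned" name="legacy-util" version="1.4.2">
      <artifact name="legacy-util-1.4.2.jar">
        <sha256 value="PLACEHOLDER_SHA256_OF_THE_JAR" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
```

Gradle can bootstrap this file from the current dependency set with `./gradlew --write-verification-metadata sha256,pgp help`; the generated key IDs should then be checked against the fingerprints the library developers publish before the file is committed.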

To safeguard against the MavenGate threat, developers and organizations should prioritize the security of their software supply chain. Additionally, fostering a community-driven approach to security, where developers actively report and address vulnerabilities, can contribute to a more resilient software ecosystem. Stay informed about emerging threats and adopt best practices for secure coding to fortify defenses against potential attacks.