☕ Apple and Microsoft Hacked?

A researcher breached over 35 major tech companies exploiting a bug in common packet managers. We discuss how the bug works. Plus, a google interview question!

February 12, 2021

Hi Everyone!

Hope you’re all having a great day!

Here’s your Interview Problem, Yesterday’s Solution and Tech Snippets for the day!

Industry News

Loopholes in Dependency Managers exploited at Apple, Microsoft, Shopify, and dozens of other tech companies

Alex Birsan, a security researcher, earned over $150,000 in bug bounties by exploiting loopholes in package managers like NPM and pip.
Exploiting dependencies is a common method of attack. Examples include…
- Typosquatting - create packages that are typos of popular package names and include malicious code inside.
- Use after Free - find packages that no longer exist (have been removed from the package registry) and create a package with the same name. Put malicious code inside.
- Social Engineering - become a maintainer of a popular package that no longer has a maintainer. Upload malicious code.
Alex Birsan was observing one of PayPal’s package.json files and noticed that PayPal was using a mix of public and private packages. The private packages were internal to PayPal and didn’t exist on NPM registry.
He uploaded Node packages to the NPM registry using the same name as these private packages, testing if npm would install his public package in PayPal’s codebase by default.
The attack worked and various codebases at tons of Big Tech companies installed his “malicious” packages. Birsan would do this by checking the GitHub repos for these companies, looking for package.json files that listed the names of private packages.
Birsan was able to replicate the attack with Ruby, by creating a fake Ruby gem and using it to infiltrate Shopify.
The attack also works with Python’s pip package manager.
- When using pip install, pip first checks if the library exists on the specified internal package index.
- Then, pip checks if the library exists on the public package index (PyPI).
- pip then defaults to installing the package with the higher version number.
- You can exploit this by uploading a package with a version number of 9000 or some absurdly high number.
JFrog, a DevOps platform that includes a package repository, was also affected.

Read the Full Blog Post

Tech Snippets

Sebastian published a new episode of Coding Adventures, where he builds a Chess AI from scratch.
Past, Present, and Future of React State Management - A great blog post summarizing the state of state management in React!

Interview Question

Given two integers representing the numerator and denominator of a fraction, return the fraction in string format.

If the fractional part is repeating, then enclose the repeating part in parentheses.

If multiple answers are possible, return any of them!

Example

Input: num = 2, denom = 3

Output: “0.(6)“

Input: num = 1, denom = 2

Output: “0.5”

Input: num = 2, denom = 1

Output: “2”

Here’s the question in LeetCode

We’ll send a detailed solution tomorrow, so make sure you move our emails to primary, so you don’t miss them!

Gmail users—move us to your primary inbox

On your phone? Hit the 3 dots at the top right corner, click "Move to" then "Primary"
On desktop? Back out of this email then drag and drop this email into the "Primary" tab near the top left of your screen

Apple mail users—tap on our email address at the top of this email (next to "From:" on mobile) and click “Add to VIPs”

Previous Solution

As a refresher, here’s the previous question

You are given a linked list as input.

Reverse the nodes in the linked list in groupings of k, where k is an integer that will be provided.

k is a positive integer and will be less than or equal to the length of the linked list.

If the number of nodes is not a multiple of k, then left-out nodes, at the end, should remain as they are.

Example

Input - 1 -> 2 -> 3 -> 4 -> 5, k = 2

Output - 2 -> 1 -> 4 -> 3 -> 5

Input - 1 -> 2 -> 3 -> 4 -> 5, k = 3

Output - 3 -> 2 -> 1 -> 4 -> 5

Here’s the question in LeetCode

Solution

One really important concept to understand with linked lists is a sentinel node.

A sentinel node is a dummy node that goes at the front of the linked list.

So we first create a sentinel node (dummy node) that points to the head.

Then, we’ll iterate through the linked list and count k nodes. This becomes our first k group of nodes that we have to reverse.

We’ll create two pointers to keep track of the k group, one left pointer and a right pointer.

The left pointer is initialized to the start of our linked list and the right pointer is initialized to the kth node.

Then, we reverse the nodes between the left and right pointers.

After, we reset the left pointer to be equal to the start of the next k group and we repeat the process by iterating over the next k nodes.

Here’s the Python 3 code.

Can you analyze the time/space complexity of our solution?

Reply back with your estimate!

We’ll tell you if you’re correct (or we’ll tell you the answer if you’re wrong).

Best,

Arpan