Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Unity's package manager (UPM) talks to package registries using the same protocol as the Node package manager (npm), and Unity lets a project add its own private registries alongside the public one.
So, what happens if an outside user publishes a package to the public registry with the same name as one of those private packages? Whichever copy carries the higher version number is the one used during installation. That means a malicious attacker who learns the name of an internal package can hijack it simply by publishing a higher version publicly.
Hijacking packages this way (dependency confusion) has been a recurring vulnerability lately. It may be worth taking the time to look at other package managers to see whether a public package can take precedence over a private one in some similar way. Overall, great find though!
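To make the two paragraphs above concrete, here is an added example (not code from the original post or from Unity) that models the resolution being described. The registry documents are constructed npm-style package metadata, the names, URLs and versions are made up, and the `defaultRegistryUrl` parameter is an assumption used to stand in for whatever registry a project falls back to; `scopedRegistries` with `name`, `url` and `scopes` is the real field in Unity's `Packages/manifest.json`. The naive resolver picks the highest version seen across every registry, which is the behaviour the post attributes to the vulnerable setup; the scoped resolver only ever looks up a scoped name in its declared registry; the audit helper flags any dependency where the two disagree.

```javascript
// Constructed npm-style metadata (the shape served at GET /<package>) for a
// private registry and a public one. Made-up names, URLs and versions.
const PRIVATE_REGISTRY = {
  url: "https://upm.example.internal",
  packages: {
    "com.example.internal-tools": {
      "dist-tags": { latest: "1.4.2" },
      versions: { "1.4.2": { dist: { tarball: "https://upm.example.internal/com.example.internal-tools/-/1.4.2.tgz" } } },
    },
  },
};

const PUBLIC_REGISTRY = {
  url: "https://registry.npmjs.org",
  packages: {
    // Same name as the private package, but a much higher version: the
    // package an attacker who learned the internal name would publish.
    "com.example.internal-tools": {
      "dist-tags": { latest: "99.0.0" },
      versions: { "99.0.0": { dist: { tarball: "https://registry.npmjs.org/com.example.internal-tools/-/99.0.0.tgz" } } },
    },
    // An ordinary third-party package that legitimately lives only here.
    "com.othervendor.widgets": {
      "dist-tags": { latest: "2.0.1" },
      versions: { "2.0.1": { dist: { tarball: "https://registry.npmjs.org/com.othervendor.widgets/-/2.0.1.tgz" } } },
    },
  },
};

// Minimal semver comparison for plain MAJOR.MINOR.PATCH strings (no pre-release tags).
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Naive resolver: query every registry and keep the highest version seen.
// This is the "higher version wins" behaviour the post describes, not a
// reimplementation of Unity's actual resolver.
function resolveNaive(name, registries) {
  let best = null;
  for (const reg of registries) {
    const meta = reg.packages[name];
    if (!meta) continue;
    const version = meta["dist-tags"].latest;
    if (!best || compareSemver(version, best.version) > 0) {
      best = { version, registry: reg.url };
    }
  }
  return best;
}

// Scoped resolver: a name that falls under a declared scope is looked up only
// in that scope's registry, the way a scopedRegistries entry routes it.
// defaultRegistryUrl is an assumed parameter for the fallback registry.
function resolveScoped(name, scopedRegistries, defaultRegistryUrl, registriesByUrl) {
  for (const scoped of scopedRegistries) {
    if (scoped.scopes.some((s) => name === s || name.startsWith(s + "."))) {
      const meta = registriesByUrl[scoped.url].packages[name];
      return meta ? { version: meta["dist-tags"].latest, registry: scoped.url } : null;
    }
  }
  const meta = registriesByUrl[defaultRegistryUrl].packages[name];
  return meta ? { version: meta["dist-tags"].latest, registry: defaultRegistryUrl } : null;
}

// Constructed scopedRegistries fragment as it would appear in Packages/manifest.json.
const SCOPED_REGISTRIES = [
  { name: "Example internal", url: PRIVATE_REGISTRY.url, scopes: ["com.example"] },
];

const REGISTRIES_BY_URL = {
  [PRIVATE_REGISTRY.url]: PRIVATE_REGISTRY,
  [PUBLIC_REGISTRY.url]: PUBLIC_REGISTRY,
};

// Audit helper: list every dependency that the naive "highest version wins"
// resolution would fetch from a different registry than the scoped routing does.
// Any name returned here is a dependency-confusion candidate.
function findConfusedDependencies(dependencies, scopedRegistries, defaultRegistryUrl, registriesByUrl) {
  const all = Object.values(registriesByUrl);
  return Object.keys(dependencies).filter((name) => {
    const naive = resolveNaive(name, all);
    const scoped = resolveScoped(name, scopedRegistries, defaultRegistryUrl, registriesByUrl);
    return naive !== null && scoped !== null && naive.registry !== scoped.registry;
  });
}

// Constructed "dependencies" block from a project manifest.
const DEPENDENCIES = { "com.example.internal-tools": "1.4.2", "com.othervendor.widgets": "2.0.1" };

console.log(resolveNaive("com.example.internal-tools", Object.values(REGISTRIES_BY_URL)));
console.log(resolveScoped("com.example.internal-tools", SCOPED_REGISTRIES, PUBLIC_REGISTRY.url, REGISTRIES_BY_URL));
console.log(findConfusedDependencies(DEPENDENCIES, SCOPED_REGISTRIES, PUBLIC_REGISTRY.url, REGISTRIES_BY_URL));
```

The naive path resolves the internal package to the attacker's 99.0.0 from the public registry, the scoped path keeps it pinned to 1.4.2 from the private registry, and the audit reports exactly that one name while leaving the third-party package alone. The same comparison is what to look for in other package managers: whether anything in the resolution order lets a public copy outrank a private one.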