
posted by janrinok on Thursday May 03 2018, @03:35PM   Printer-friendly

Submitted via IRC for SoyCow8317

The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular —albeit deprecated— JavaScript package.

The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies.

The npm team —who analyzed this package earlier today after reports from the npm community— says "getcookies" contains a complex system for receiving commands from a remote attacker, who could target any JavaScript app that had incorporated this library. The npm team explains:

The backdoor worked by parsing the user-supplied HTTP request.headers, looking for specifically formatted data that provides three different commands to the backdoor. [...] We can see here that the headers are stringified and the result searched for values in the format of: gCOMMANDhDATAi

Source: https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/
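The npm excerpt above describes the mechanism in one sentence: stringify the request headers, then regex-search the result for a gCOMMANDhDATAi token. The block below is an added example, not code from the npm write-up or from the getcookies package. It reproduces that parsing step as a detector that can be run over request objects, so an operator can see what the hidden channel looks like on the wire. The exact regex the backdoor used, the single-digit COMMAND, the base64-style DATA alphabet, and the sample requests are all assumptions or constructed inputs, not taken from the source.

```javascript
// Added example (not code from the npm write-up or from the getcookies
// package): a small detector that reproduces the header-parsing step the
// npm team describes and flags requests whose headers carry a
// gCOMMANDhDATAi-shaped token.
//
// Assumptions not stated in the source: COMMAND is a single decimal digit,
// DATA is a run of base64-style characters, and the token may sit anywhere
// inside the JSON-stringified header object. The real regex and the meaning
// of each of the three commands are not reproduced here.
const MARKER = /g(\d)h([A-Za-z0-9+\/=]+)i/g;

// Stringify the headers the way the backdoor did, then pull out every
// (command, data) pair. Array-valued headers (e.g. set-cookie) are covered
// because JSON.stringify flattens them into the same string.
function extractCommands(headers) {
  const blob = JSON.stringify(headers);
  const hits = [];
  for (const m of blob.matchAll(MARKER)) {
    hits.push({ command: Number(m[1]), data: m[2], offset: m.index });
  }
  return hits;
}

// Verdict for one request object shaped like Node's IncomingMessage
// (only the .headers property is consulted).
function inspectRequest(req) {
  const hits = extractCommands(req.headers);
  return { suspicious: hits.length > 0, hits };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  {
    name: 'benign',
    headers: { host: 'example.test', 'user-agent': 'curl/7.88.1', accept: '*/*' },
  },
  {
    name: 'token in a custom header',
    // DATA here is base64 of "console.log(1)", chosen only to make the
    // payload visibly opaque; nothing in this file decodes or runs it.
    headers: { host: 'example.test', 'x-trace': 'g1hY29uc29sZS5sb2coMSk=i' },
  },
  {
    name: 'false positive from an ordinary opaque cookie',
    // An unrelated session token that happens to contain g<digit>h...i.
    headers: { host: 'example.test', cookie: 'session=Kg7hQWJji; theme=dark' },
  },
];

// Run every sample through the detector and return the per-request verdicts.
function scanSamples() {
  return SAMPLES.map((s) => ({ name: s.name, ...inspectRequest(s) }));
}

for (const r of scanSamples()) {
  console.log(r.name, '->', r.suspicious ? 'SUSPICIOUS' : 'clean', JSON.stringify(r.hits));
}
```

The third sample is the caveat: a three-letter framing (g, h, i) plus a digit matches inside ordinary base64 cookie or bearer values often enough that the header heuristic alone is noisy. It is useful for confirming that a request carrying the token reached an app, but the authoritative check is whether the package is installed at all, e.g. `npm ls getcookies` against the lockfile of each deployed service.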


Original Submission

  • (Score: 2) by crafoo on Friday May 04 2018, @03:29AM (4 children)

    by crafoo (6639) on Friday May 04 2018, @03:29AM (#675466)

    Javascript was a mistake.

  • (Score: 0) by Anonymous Coward on Friday May 04 2018, @11:52AM

    by Anonymous Coward on Friday May 04 2018, @11:52AM (#675604)

    Milk churning on a hot day. Roiling froth of UI and digestive acids. CPUs overheating from busywait, curdling thermal paste.

    JavaScript was a bad idea.

  • (Score: 1, Troll) by Pino P on Friday May 04 2018, @07:28PM (2 children)

    by Pino P (4721) on Friday May 04 2018, @07:28PM (#675823) Journal

    What cross-platform, sandboxed application runtime environment is not a mistake and should have been adopted instead of JavaScript? Or would you prefer that end users not be able to run an application at all because it's native and made for a different operating system?

    • (Score: 3, Informative) by crafoo on Saturday May 05 2018, @03:21AM (1 child)

      by crafoo (6639) on Saturday May 05 2018, @03:21AM (#675962)

      What applications would people not be running? Because everything I've seen javascript used for is ads, page layout, and amateur-hour duplicated effort of better applications that exist on all platforms - so better served by loading a native app of the user's choice. Javascript was a mistake. The "sandbox" is a lie. Silently executing remote code was, and always will be, the dumbest thing ever.

      • (Score: 2) by Pino P on Sunday May 06 2018, @03:24AM

        by Pino P (4721) on Sunday May 06 2018, @03:24AM (#676239) Journal

        What applications would people not be running? Because everything I've seen javascript used for is ads, page layout, and amateur-hour duplicated effort of better applications that exist on all platforms

        Skype, Slack, and Discord are examples.* Or what distribution of server applications, consisting of an IRC server, a BNC so that people can see older messages sent to a channel, and a pastebin for attachments, should people be using instead of Skype, Slack, or Discord?

        Another is client-side prevalidation to provide immediate feedback for invalid form input values faster than server-side authoritative validation can reload the full page.

        Another is web-based video games. Or would you prefer Flash games to HTML5 games? Or would you prefer that games be paywalled so that a hobbyist developer can recover the cost of purchasing multiple computers on which to develop and test ports to multiple platforms?

        Another is WebAuthn [mozilla.org], a proposed generalization of FIDO U2F authentication so that we can finally move beyond passwords and SMS to keypairs. Or would you require that it be integrated into HTTP the way basic authentication and MD5-based digest authentication currently are?

        * Before you say "The native desktop apps for Skype, Slack, and Discord": These use Electron, which bundles a separate copy of Chromium for each application. In effect, you are downloading a web browser hardcoded to run one website.