Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday January 11 2018, @11:20AM   Printer-friendly
from the telemetry-for-the-masses-r-us dept.

An interesting read for web developers: how hard is to (not) add malware to your site? David Gilbertson tried to answer this question for node.js and npm but the approach is potent for other package-dependency hells as well.

The malicious code itself is very simple
[...]
Of course, when I first wrote this code, back in 2015, it was of no use at all sitting on my computer. I needed to get it out into the world. Out into your site.
[...]
XSS is too small scale, and really well protected against.

Chrome Extensions are too locked down.

Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.
[...]
People love pretty colours — it’s what separates us from dogs — so I wrote a package that lets you log to the console in a any colour. (sic)

I was excited at this point — I had a compelling package — but I didn’t want to wait around while people slowly discovered it and spread the word. So I set about making PRs to existing packages that added my colourful package to their dependencies.

I’ve now made several hundred PRs (various user accounts, no, none of them as “David Gilbertson”) to various frontend packages and their dependencies. “Hey, I’ve fixed issue x and also added some logging.”

Look ma, I’m contributing to open source!

There are a lot of sensible people out there that tell me they don’t want a new dependency, but that was to be expected, it’s a numbers game.
[...]

Of course it's all fiction written with a spicy pinch of nastiness but the described attack vectors seem all too real. What's your take on the matter? How do you hold the line there with all the dependencies which inevitably come (sooner or later) to a "professional" web site?

Or you can discuss it from user perspective. Have you tried Noscript with PayPal, Amazon, eBay etc. ?

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 4, Informative) by The Mighty Buzzard on Thursday January 11 2018, @11:47AM

    Given all the fun I've had with external dependencies over the years (I started Linux on Slackware), I try to avoid them when possible. Unless there's a damned good case for a package being included at all, it doesn't get included. If its functionality is crucial and it's something I can write myself without wasting huge amounts of time, I write it myself.

    That's professional coding though. I don't put the same level of scrutiny on say a personal IRC bot that I don't really give two shits if it has to die from unmaintained or insecure dependencies. Writing my own libraries just because I can hasn't been something that has excited me for a long time now.

    --
    "Buzzy, you're probably the dumbest person I've ever encountered. Well, there is aristarchus, so make it 2nd dumbest."
  • (Score: 1, Insightful) by Anonymous Coward on Thursday January 11 2018, @12:03PM (5 children)

    by Anonymous Coward on Thursday January 11 2018, @12:03PM (#620900)

    Don't allow javascript. problem solved

    • (Score: 0) by Anonymous Coward on Thursday January 11 2018, @12:18PM

      by Anonymous Coward on Thursday January 11 2018, @12:18PM (#620906)

      I allowed a script and I liked it.

    • (Score: 2) by Nerdfest on Thursday January 11 2018, @01:29PM (3 children)

      by Nerdfest (80) Subscriber Badge on Thursday January 11 2018, @01:29PM (#620924)

      This really isn't limited to JavaScript. Any language that support the external dependency management is susceptible to it. Java for web back-end and desktop, certainly, and there are others. It's one of the dangers of *any* external dependency.

      • (Score: 5, Insightful) by Arik on Thursday January 11 2018, @02:37PM (2 children)

        by Arik (4543) on Thursday January 11 2018, @02:37PM (#620936) Journal
        Yes, so the statement needs to be more generalized.

        Support a clear line between documents and programs.

        The web is a web of documents. Quit blurring the lines and this problem goes away.
        --
        "This font is yours, not mine."
        • (Score: 3, Interesting) by tibman on Thursday January 11 2018, @07:08PM (1 child)

          by tibman (134) Subscriber Badge on Thursday January 11 2018, @07:08PM (#621041)

          These documents sure have a lot of buttons and forms on them..

          --
          SN won't survive on lurkers alone. Write comments.
          • (Score: 0) by Anonymous Coward on Thursday January 11 2018, @08:38PM

            by Anonymous Coward on Thursday January 11 2018, @08:38PM (#621079)

            Just because you like to visit all those porn websites with tons of multimedia gizmos and credit card forms doesn't mean everyo- oh wait... this is the internet.

  • (Score: 1, Informative) by Anonymous Coward on Thursday January 11 2018, @12:54PM (2 children)

    by Anonymous Coward on Thursday January 11 2018, @12:54PM (#620912)

    you get to the site, all sources of scripts get listed, you click temp trusted (second icon) to the ones that look less alien, starting from the subdomains, and try if the site works.

    When you have scripts loading other scripts, or more than 10 distinct sources, it's better you leave for other sites altogether. If you need those sites browse through a vm. In fact all browsing should be done in a VM in $current_year IMHO

    • (Score: 1, Insightful) by Anonymous Coward on Thursday January 11 2018, @02:39PM

      by Anonymous Coward on Thursday January 11 2018, @02:39PM (#620938)

      > In fact all browsing should be done in a VM in $current_year IMHO

      That's for $current_year-1. In $current_year you get Meltdown/Spectre-type vulnerabilities that can sniff data over VM boundaries.

    • (Score: 4, Insightful) by rigrig on Thursday January 11 2018, @05:37PM

      by rigrig (5129) Subscriber Badge <soylentnews@tubul.net> on Thursday January 11 2018, @05:37PM (#620995) Homepage

      In fact all browsing should be done in a VM

      That won't protect you from the login page itself stealing your credentials.

      FTFS:

      I’ve now made several hundred PRs (...) to various frontend packages and their dependencies. “Hey, I’ve fixed issue x and also added some logging.”

      i.e.: the malicious payload is included in the javascript code served by the site itself, so even just allowing the primary domain (to get the site to work) exposes you.

      --
      No one remembers the singer.
  • (Score: 2, Informative) by Anonymous Coward on Thursday January 11 2018, @01:51PM (1 child)

    by Anonymous Coward on Thursday January 11 2018, @01:51PM (#620927)

    Have you tried Noscript with PayPal, Amazon, eBay etc. ?

    I normally have Javascript disabled while ordering from Amazon. It works fine.

    • (Score: 3, Informative) by termigator on Thursday January 11 2018, @06:38PM

      by termigator (4271) on Thursday January 11 2018, @06:38PM (#621024)

      Confirmed. I have ordered several times from Amazon with javascript disabled. Some interactive parts of Amazon may not work (e.g. pan/zoom product images), but you can search, select, and order.

      I believe Amazon has the economic motive to have minimal barriers for people to order since they are essentially a retailer, unlike other major web-based companies, and that counts for a large percentage of their profits.

  • (Score: 1, Informative) by Anonymous Coward on Thursday January 11 2018, @02:07PM

    by Anonymous Coward on Thursday January 11 2018, @02:07PM (#620932)

    Any company using Facebook as a context vector is redponisable for all damage including tracking by Facebook.

    Any website not selecting the correct and only package that are needed are responsible too.

    It falls under “knowing or should have known” in the court case.

  • (Score: 2, Insightful) by Anonymous Coward on Thursday January 11 2018, @02:19PM (10 children)

    by Anonymous Coward on Thursday January 11 2018, @02:19PM (#620933)

    What can be static content has to be static content
    Everything dynamic is done server side (so no offloading to the client to save electricity bill, the dirty secret nobody talks about)
    Server root tree is on a read-only share, if user submitted content exist it needs to be vetted/resaved and go to another tree that does not allow dynamic content

    But ofc that's not what we get, we get websites that require JS for basic link functionality and inane stuff like dynamic sizing, because % weights and anchor tags are apparently not hip and trendy (H.I.V. and tendy) enough for 2018

    • (Score: 5, Informative) by TheRaven on Thursday January 11 2018, @05:30PM (8 children)

      by TheRaven (270) on Thursday January 11 2018, @05:30PM (#620990) Journal
      You don't need JavaScript for dynamic sizing with CSS 3. You can have CSS rules that are conditional on window size. % weights aren't adequate for small devices because 50% of a 15" monitor and 50% of a 4" mobile phone screen are very different in terms of their ability to contain a useful amount of text. You often want a different display for these. The optimal width for a line of text to maximise readability is 66 non-whitespace characters. Approximating that on a very small or desktop-sized window can't be done simply by saying x% of the width. Fortunately, CSS selectors do allow you to encode more complex constraints.

      I've also learned that you can show and hide elements in response to a click solely in CSS, which is currently the only thing I use JavaScript for. [codepen.io]

      Apparently CSS is now Turing complete [complex-systems.com], even in the absence of JavaScript, so I wonder if it will become another vector for malware.

      --
      sudo mod me up
      • (Score: 0) by Anonymous Coward on Thursday January 11 2018, @05:57PM

        by Anonymous Coward on Thursday January 11 2018, @05:57PM (#621001)

        > I've also learned that you can show and hide elements in response to a click solely in CSS, which is currently the only thing I use JavaScript for. [codepen.io]

        That's how it's implemented here on SN. I have JS disabled, but I can still show/hide comments by clicking on the +/- buttons. I remember it being discussed when it was implemented (IIRC, by TMB), so you could search site or even the SN codebase for it :)

      • (Score: 2, Interesting) by Anonymous Coward on Thursday January 11 2018, @06:28PM (4 children)

        by Anonymous Coward on Thursday January 11 2018, @06:28PM (#621020)

        Or better yet, have your server emit a different version of the site for /mobile/ and /desktop/. There's no reason for this to be done clientside at all. Trying these one-size-fits-all approaches is exactly why people resent modern UI design (metro, gnome3, chrome, placeo-chrome [nu-firefox]).

        • (Score: 0) by Anonymous Coward on Thursday January 11 2018, @06:33PM

          by Anonymous Coward on Thursday January 11 2018, @06:33PM (#621023)

          *placebo

        • (Score: 2) by tibman on Thursday January 11 2018, @07:22PM (2 children)

          by tibman (134) Subscriber Badge on Thursday January 11 2018, @07:22PM (#621047)

          That's still bad. Desktop isn't just one resolution. Mobile resolution also varies wildly. Input devices (touch, click) vary and some computers quickly convert into tablets and stuff. In my experience mobile sites have reduced functionality because the company has to basically build two UIs that work differently. I prefer responsive websites over mobile ones.

          --
          SN won't survive on lurkers alone. Write comments.
          • (Score: 0) by Anonymous Coward on Thursday January 11 2018, @07:34PM (1 child)

            by Anonymous Coward on Thursday January 11 2018, @07:34PM (#621053)

            The reply was more about % weights not being accurate enough for mobile. Why not do all that mobile specific checking in a mobile specific site and leave the desktop site the way they've always been done since the dawn of the internet.

            • (Score: 0) by Anonymous Coward on Thursday January 11 2018, @07:41PM

              by Anonymous Coward on Thursday January 11 2018, @07:41PM (#621056)

              PS: In regards to reduced functionality, these mobile/desktop amalgam sites more often than not reduce functionality for desktop users in ways that may not be apparent immediately, pretty much in the same way clusterfucks like metro and gnome3 do (the classic being tasks that needed 1 click in the original version now needing 3 to 4).

      • (Score: 3, Informative) by Arik on Thursday January 11 2018, @08:21PM (1 child)

        by Arik (4543) on Thursday January 11 2018, @08:21PM (#621067) Journal
        Layout tags break the paradigm, whether it's by inches or points or percentages it doesn't matter it's still missing the point. The web server does not know and is not supposed to know what sort of display device is being used, it doesn't know whether it even HAS  a screen, and it is not in any position to be making any sort of layout decisions whatsoever. That logic needs to be in the browser instead.
        --
        "This font is yours, not mine."
        • (Score: 2) by TheRaven on Saturday January 13 2018, @03:20PM

          by TheRaven (270) on Saturday January 13 2018, @03:20PM (#621819) Journal
          Nice idea. You write the browser that can take arbitrary structured data with no layout markup and present it attractively and then get back to me. Whether you like it or not, Google managed to push the world to HTML5 and away from XHTML2 so that the user agent couldn't tell content and adverts apart.
          --
          sudo mod me up
    • (Score: 2) by stretch611 on Friday January 12 2018, @03:13PM

      by stretch611 (6199) on Friday January 12 2018, @03:13PM (#621396)

      we get websites that require JS for basic link functionality

      These are sites to avoid...

      Use some type of JS blocker... when you land on a site that has links not working, never return.

  • (Score: 1, Insightful) by Anonymous Coward on Thursday January 11 2018, @02:46PM (1 child)

    by Anonymous Coward on Thursday January 11 2018, @02:46PM (#620942)

    How to not add malware to your website: Easy. Don't add crap from untrusted sources to your website.

    How to prevent others from adding malware to your website: Easy. Don't allow others to add stuff to your website.

    • (Score: 2) by urza9814 on Thursday January 11 2018, @10:17PM

      by urza9814 (3954) on Thursday January 11 2018, @10:17PM (#621141) Journal

      Seriously...I mean TFS talks about this specifically as a problem in "professional" code, but I'd say it's a problem with amateurs who THINK they're "professional"...which is unfortunately all too common.

      If you're a professional, you know what the fuck you're adding to your software. Potential exploits aren't the only problem with importing unknown dependencies; you could also easily get screwed by licensing or other legal issues for one example. Or unintentional bugs. Professional developers don't just let any random code run on their box.

      Of course, there's a fine line between that and a full-blown case of NIH syndrome...but a small dose of NIH is just wise business, for the same reason that open source makes a lot of sense -- you need to own your code. If your business has millions dependent on some piece of software, you need to know exactly how that software is operating. Open source is nice, because it can protect you against vendors going under or locking you in, but it doesn't really help if nobody in your organization has ever bothered to actually look at that code. Even if you've got the source, if nobody knows how it works it's gonna take you a lot of time and money to get your devs up to speed. If you want to be protected, you need to have at least one guy contributing back to that code so SOMEONE knows what's going on.

      IMO: Professionals don't trust user repositories. This article refers to npm, which "...has no vetting process for submission, which means that packages found there can be low quality, insecure, or malicious." If you think that is suitable for a professional environment, you aren't in one.

  • (Score: 4, Interesting) by bradley13 on Thursday January 11 2018, @03:00PM (1 child)

    by bradley13 (3053) Subscriber Badge on Thursday January 11 2018, @03:00PM (#620944) Homepage Journal

    I really dislike unnecessary dependencies. Which is generally to say: I dislike it, when people add frameworks. They often want one little convenience method, which happens to be offered in some OSS framework containing hundreds of classes. Which itself may bind in 2-3 other frameworks or OSS packages, which may have further dependencies of their own.

    And you have no clue what any of it does, because you just wanted that one little thing.

    Just now, I'm in the process of grading dozens of semester-long student projects. Pretty substantial things: client-server applications. You can see the difference: some of them come in sleek: a few thousand lines of code, a few hundred kb. Three of them are over 100 times as large as that - over 100MB. I haven't looked into the "why" just yet, but it's a fair bet that I'll find a bunch of external libraries, among other sins.

    Big companies are really bad about this, on their web pages. As discussed in the comments on another article: that's the reason their home pages are so huge: all the damned JS libraries they depend on, usually for no good reason.

    --
    Everyone is somebody else's weirdo.
    • (Score: 2) by termigator on Thursday January 11 2018, @06:52PM

      by termigator (4271) on Thursday January 11 2018, @06:52PM (#621031)

      I really dislike unnecessary dependencies. Which is generally to say: I dislike it, when people add frameworks. They often want one little convenience method, which happens to be offered in some OSS framework containing hundreds of classes. Which itself may bind in 2-3 other frameworks or OSS packages, which may have further dependencies of their own.

      Agreed. For cases where a big framework has something I need, I try to extract that one thing into my project (assuming licensing permits). Alternatively, I repackage the framework/library to contain what I essentially need. If that is too difficult, I end up writing it myself.

      As for big companies, it mainly comes down to compentency (the lack there of) and laziness. If there is no one involved that focus on long term maintenance of the software, most programmers will just slap together whatever works (at that time and likely with little to no testing) and push it out the door. I am curious on what the employee turn over is for large, bloated projects? When you know you may be working on a project for a long time, it can motivate you to make decisions that ease maintenance of the project, including avoiding dependency hell.

(1)