
posted by martyb on Thursday January 11 2018, @11:20AM
from the telemetry-for-the-masses-r-us dept.

An interesting read for web developers: how hard is it to (not) add malware to your site? David Gilbertson tried to answer this question for node.js and npm, but the approach is potent for other package-dependency hells as well.

The malicious code itself is very simple
[...]
Of course, when I first wrote this code, back in 2015, it was of no use at all sitting on my computer. I needed to get it out into the world. Out into your site.
[...]
XSS is too small scale, and really well protected against.

Chrome Extensions are too locked down.

Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.
[...]
People love pretty colours — it’s what separates us from dogs — so I wrote a package that lets you log to the console in a any colour. (sic)

I was excited at this point — I had a compelling package — but I didn’t want to wait around while people slowly discovered it and spread the word. So I set about making PRs to existing packages that added my colourful package to their dependencies.

I’ve now made several hundred PRs (various user accounts, no, none of them as “David Gilbertson”) to various frontend packages and their dependencies. “Hey, I’ve fixed issue x and also added some logging.”

Look ma, I’m contributing to open source!

There are a lot of sensible people out there that tell me they don’t want a new dependency, but that was to be expected, it’s a numbers game.
[...]

Of course it's all fiction written with a spicy pinch of nastiness but the described attack vectors seem all too real. What's your take on the matter? How do you hold the line there with all the dependencies which inevitably come (sooner or later) to a "professional" web site?

Or you can discuss it from the user perspective. Have you tried NoScript with PayPal, Amazon, eBay etc.?

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
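The propagation step described in the excerpt above is a pull request that "fixes issue x" and quietly adds one more dependency. As an added example (not code from the article, the submitter, or any npm project), here is a CI-side check that diffs the dependency sections of package.json between a PR's base and head and refuses the PR when it introduces a package nobody has reviewed; the package name "pretty-console-colours", the version strings and both package.json documents are constructed for the demonstration.

```javascript
// Added example: flag dependencies a pull request introduces into package.json.
// Both inputs are the raw package.json text at the PR base and head.
const DEP_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Return [{section, name, version}] for packages present in `head` but absent
// from `base` in the same section. Version bumps of existing packages are not
// reported here; the point is the new name that nobody asked for.
function newDependencies(base, head) {
  const added = [];
  for (const section of DEP_SECTIONS) {
    const before = base[section] || {};
    const after = head[section] || {};
    for (const [name, version] of Object.entries(after)) {
      if (!Object.prototype.hasOwnProperty.call(before, name)) {
        added.push({ section, name, version });
      }
    }
  }
  return added;
}

// Gate a PR: it passes only when every newly added package is on `allowlist`,
// a Set of names the team has already reviewed. Returns {ok, violations}.
function checkPullRequest(baseJson, headJson, allowlist = new Set()) {
  const added = newDependencies(JSON.parse(baseJson), JSON.parse(headJson));
  const violations = added.filter((dep) => !allowlist.has(dep.name));
  return { ok: violations.length === 0, violations };
}

// Constructed sample: a "bug fix plus some logging" PR. The base has two
// known packages; the head adds a hypothetical colourful logging package.
const BASE = JSON.stringify({
  name: 'my-frontend',
  dependencies: { react: '^16.2.0' },
  devDependencies: { jest: '^22.0.0' },
});
const HEAD = JSON.stringify({
  name: 'my-frontend',
  dependencies: { react: '^16.2.0', 'pretty-console-colours': '^1.0.3' },
  devDependencies: { jest: '^22.0.0' },
});

const result = checkPullRequest(BASE, HEAD);
console.log(result.ok
  ? 'no new dependencies'
  : 'new dependencies: ' + result.violations.map((v) => `${v.section}:${v.name}@${v.version}`).join(', '));
```

In a real pipeline the two strings would come from `git show base:package.json` and the PR head, and the lockfile should get the same treatment, since a dependency can also arrive through a transitive package that the PR bumps.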

  • (Score: 1, Insightful) by Anonymous Coward on Thursday January 11 2018, @02:46PM (#620942)

    How to not add malware to your website: Easy. Don't add crap from untrusted sources to your website.

    How to prevent others from adding malware to your website: Easy. Don't allow others to add stuff to your website.

  • (Score: 2) by urza9814 (3954) on Thursday January 11 2018, @10:17PM (#621141)

    Seriously...I mean TFS talks about this specifically as a problem in "professional" code, but I'd say it's a problem with amateurs who THINK they're "professional"...which is unfortunately all too common.

    If you're a professional, you know what the fuck you're adding to your software. Potential exploits aren't the only problem with importing unknown dependencies; you could also easily get screwed by licensing or other legal issues for one example. Or unintentional bugs. Professional developers don't just let any random code run on their box.

    Of course, there's a fine line between that and a full-blown case of NIH syndrome...but a small dose of NIH is just wise business, for the same reason that open source makes a lot of sense -- you need to own your code. If your business has millions dependent on some piece of software, you need to know exactly how that software is operating. Open source is nice, because it can protect you against vendors going under or locking you in, but it doesn't really help if nobody in your organization has ever bothered to actually look at that code. Even if you've got the source, if nobody knows how it works it's gonna take you a lot of time and money to get your devs up to speed. If you want to be protected, you need to have at least one guy contributing back to that code so SOMEONE knows what's going on.

    IMO: Professionals don't trust user repositories. This article refers to npm, which "...has no vetting process for submission, which means that packages found there can be low quality, insecure, or malicious." If you think that is suitable for a professional environment, you aren't in one.