SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Protecting a Website from Inadvertently Adding Malware
Date    Thursday January 11, @11:20AM
Author    martyb
Topic   
from the telemetry-for-the-masses-r-us dept.
https://soylentnews.org/article.pl?sid=18/01/11/0158234

pkrasimirov writes:

An interesting read for web developers: how hard is to (not) add malware to your site? David Gilbertson tried to answer this question for node.js and npm but the approach is potent for other package-dependency hells as well.

The malicious code itself is very simple
[...]
Of course, when I first wrote this code, back in 2015, it was of no use at all sitting on my computer. I needed to get it out into the world. Out into your site.
[...]
XSS is too small scale, and really well protected against.

Chrome Extensions are too locked down.

Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.
[...]
People love pretty colours — it’s what separates us from dogs — so I wrote a package that lets you log to the console in a any colour. (sic)

I was excited at this point — I had a compelling package — but I didn’t want to wait around while people slowly discovered it and spread the word. So I set about making PRs to existing packages that added my colourful package to their dependencies.

I’ve now made several hundred PRs (various user accounts, no, none of them as “David Gilbertson”) to various frontend packages and their dependencies. “Hey, I’ve fixed issue x and also added some logging.”

Look ma, I’m contributing to open source!

There are a lot of sensible people out there that tell me they don’t want a new dependency, but that was to be expected, it’s a numbers game.
[...]

Of course it's all fiction written with a spicy pinch of nastiness but the described attack vectors seem all too real. What's your take on the matter? How do you hold the line there with all the dependencies which inevitably come (sooner or later) to a "professional" web site?

Or you can discuss it from user perspective. Have you tried Noscript with PayPal, Amazon, eBay etc. ?

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5


Original Submission

Links

  1. "pkrasimirov" - https://soylentnews.org/~pkrasimirov/
  2. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=24218

© Copyright 2018 - SoylentNews, All Rights Reserved

printed from SoylentNews, Protecting a Website from Inadvertently Adding Malware on 2018-01-22 22:25:49