One Script Tag Just Pwn'd Over 100,000 Websites
HTML-код
- Опубликовано: 26 июн 2024
- Polyfill dot io is compromised. The results are terrifying. Everyone from Hulu to The Guardian to Intuit is currently pwn'd.
SOURCES
sansec.io/research/polyfill-s...
x.com/rich_harris/status/1805...
x.com/Cloudflare/status/18057...
blog.cloudflare.com/automatic...
Check out my Twitch, Twitter, Discord more at t3.gg
S/O Ph4se0n3 for the awesome edit 🙏 Наука
New idea for an ad blocker: Injecting Polyfill script tags into site
from the producers of "pretending to be a malware analysis environment"!
@@chriss3404 "pretending to be a VM", I actually saw that thing implemented somewhere, I don't remember where tho
Dunno if this was a joke, but uMatrix allows you to block ALL third party JS. Which in this day and age is something you should definitely be doing by default.
Million dollar idea
PolyBlocker sounds so cool now that i think about it
"Isn't NPM the same? There are a million who-knows-whats in my module directory. It took 30 minutes just to delete dependencies that depend on dependencies, a million times over.
I wonder about it too.
This is a good question
It is and supply chain attacks to npm aren't new either. It's a shitshow.
I think this happened with npm already. They have protections against it.
@@secret8squirrel316 not nearly enought, protection on npm is like closing the door unlocked instead of letting it open completely
15:45 the reason they didn't pin it to a specific hash is the most dangerous thing about pollyfill, it changes based on user agent. Each user may be served a different js file, so you can't pin the script to a specific hash. They give full control of what may be PAYMENT PAGES to a script that randomly changes BY DESIGN! Don't embed things like pollyfill, even if you don't have evidence of it being compromised.
if I want to use a less popular js package, I have to make myself to read it or else I can't sit with the idea of deploying it. I can't imagine dropping a script tag into a project of mine without an integrity attribute... terrifying.
I thought the subresource integrity spec allows multiple hashes. In theory one could have enumerated all the user agents the cdn would see and hashed the expected polyfills
@@KyleTen2enumerating all the user agents sounds hard. Easy to capture all the ones you have seen in the past but impossible to comprehensive coverage of the future.
@@KyleTen2 I thought this too, but looking through the MDN at a cursory glance, it's at the very least not common knowledge.
It makes a ton of sense as an enhancement though. Dynamic content without the risk would be pretty awesome.
This is why payment systems like Stripe, by default, use s to host the actual credit card fields. That approach makes compromising a credit card much harder to do. All the attacker can get is a useless opaque payment identifier that can only be used with the Stripe account's secret API key, which they don't have. Stripe would prefer everyone use their Checkout system, which is far more secure than anything the average dev can churn out, but that's an unrealistic perspective because Stripe Checkout has some pretty significant limitations.
Working in one of the largest bank of Australia. I told my manager about this polyfill thing he was still not convinced after your tweet . Now sharing this video to him. Reason being i am having 2 yrs if experience while he is industry for last 15 yrs.
Your comment made it sound like you decided to show your boss a tweet/video from some tech RUclipsr instead of a more authoritative source like Cloudflare or the Polyfill maintainer(s)...
@@elhamnazifthis is a much better approach! although Theo is a good source of tech news, to convey the message to a “professional” use the damn direct original source lol
Yes, when you cite a tweet by a hipster-looking youtuber as the most convincing evidence of 100k wide attack, you look like an inexperienced impressionable fanboy. No hate to Theo, but to anyone who isn't familiar with him he's just a random influencer with no credibility. You should've cited Cloudflare.
15 years and he can't see the issue with polyfill?? Crazy, bro must've been sleeping for at least 10 of those years
As an Australian that uses banks, I’d love to know which bank your talking about
Damn. I had no idea. Terrifying knowing how when repos like Polyfill are bought by different companies, they can do what they please with what they own, whether for the good or not. In most cases, the company that takes over has good intentions, but in the case of Polyfill, it's clear that this wasn't the case.
He didn't own it
@@everythingponyyes he did, then he sold it
@@Mitch-xo1rd So he didn't own it... when the bad things happened.
Moral of the story: self-host everything, don’t rely on anything external. Even for something as harmless and innocuous as a CDN like JSDelivr, there are implications. What if JSDelivr is down the day your site goes viral, to name one example?
Big companies can't do that. Especially is the big company is not one big provider like google or something.
Those are additional costs that many people can't foot.
Using non-checksumable external libraries is a terrible idea? Who would have thought!
It's such a basic knowledge, I don't understand how anybody would even omit it.
It's like using installing NPM modules, without specifying a static version. The next dev that's gonna touch it may unknowingly change the entire build' package or even introduce some nasty garbage simply because "npm install" went for the newest thing...
@@shapelessed It's not that they omited it, polyfill io by design could not be checksummed. It generates JS dynamically to polyfill based of the browsers UA-string and a given set of features you need.
So the file was always different.
The entire sales pitch is that, if the browser is up-to-date, you can skip downloading the polyfill.
That's probably what made it a valuable attack target in the first place.
But it's still a pretty bad idea regardless. You are trading that little JS overhead for complete trust in the provider of the script. Even with the cloudflare mirror that's not a good idea, and possibly a GDPR violation
People should vet their dependencies before adding them. Insted they just go NPM install
@@shapelessed regular dev with deadline pressure be like: insert external libs to get shit done go brrrr
@@nordern1 What to do for supporting old browsers instead? I need it for my company
You passed over nintendo in that list, holy f u c k
actually that might mean the switch's Eshop was compromised as well
Its wild that they got the github repo too? Like idk that seems weird.
exactly. they deleted the github issue where people were asking if they got bought by a chinese company, and some completely empty account closed it before the deletion happened and said "polyfill not managed by chinese company, by us based cdn company.".
exactly. they deleted the github issue that was asking whether they got bought out by a chinese company and some completely empty account closed the issue before the deletion saying, "please provide full url with version that is not working, we will clear it from cdn cache." then "polyfill not managed by chinese company, by us based cdn company."
And this is why I never deploy production code that calls a third-party CDN. If you're doing that, you are trusting that third party to send you the script you're expecting every time someone loads the page. But they absolutely could send you literally whatever they want instead.
I would expect the Cloudflare status page to be running outside of their CDN infrastructure to keep it available during outages so it isn't entirely surprising that they came up with an easy way to avoid the issue and forgot to apply it to that separate part of their systems.
It should definitely be on a bunch of checklists now though so that nobody will forget about it for a while.
To be fair: even before Chrome, Firefox had already put significant pressure on Internet Explorer, Safari and Opera to embrace standards (although to be really fair, IE was the only real problem child). Chrome was just doing what Firefox already started but with the leverage of better UX and more marketshare. I am glad they killed the old web.
Exactly. Firefox was always praised for following the standards.
> Chrome was just doing what Firefox already started but with the leverage of better UX and more marketshare
And more monopoly and more webp and less jpegxl
if only the old web had a matching standard cause it just looked SO GOOD
@@4kleidisc That's just design sensibilities. If you still want to make websites that look like that nothing is stopping you, and with modern web standards it's actually even easier now than it was back then.
@@timseguine2 true, and i am a sucker for good design haha, even if my taste isnt the best
6:15
I love the TOS going "Oopsies, we may give you a virus, we cant know for sure!!,1!! Plz check urself for any viruses we may or may not have put on your website!!!111!,"
I love how the thing says JSTOR is being affected by the polyfill hack and you're like "cool, let me go open that right now".
Not a risk unless you actually have an account singed in on that website.
he's probably not using it, so he's not compromised.
It is fairly trivial to disable javascript, which can allow you to go to any site that is compromised without issue.
Plain js cant do much to your host os anyway, most it can do is spam you with alert();. The problem is because the js can just yoink whatever info you put on the website or redirect you to a phishing page, as long as you are just inspecting the website without entering info, though, its fine.
@@BattyBest Unless you are logged in, in which case it can also do extra fun stuff like potentially hijack your account, and do loads of things on the site on your behalf.
6:20 are they suggesting developers to embed an antivirus on their website?
I also didn't get that part
The way I snickered when you @'d hulu.... that is rich lol
Where does Theo gets his shirts? They look terrific
That looks like a batik. Originated from Indonesia
@@irumidesu9236 obligatory SEA/Nusantara heritage mention. Indonesia AND Malaysia (also Brunei and Singapore)
This one was Topman pre-acquisition, they’ve fallen apart since
Used to love Express as well but they’re collapsing atm
Will let people know when I find a good shirt source 🙃🙃
@@t3dotggyou should try Rhoback! i know you’re fashionable so would love to hear about your thoughts
For the cloud flare status page, I'm assuming they can't serve that page using their caching/rewriting layer - if there's a problem with the core service and the status page is proxied by it, nobody would be able to view the status.
They could have updated the HTML for the page though lol
That said, they are using Atlassian’s status page service so they would have to pressure them to fix it
@@t3dotgg agree that they could have manually fixed jt. Didn't dig deep into how they served it, just that it would be easy to miss the page that is handled differently from everything else. "Ok... We pushed a fix that mitigates the immediate threat, no longer a critical bug to address all of the pages individually." ... "Oh... Missed a spot"
so as a new new dev I'd been wondering for a while about the security of CDNs and cross-site linking which, back in the day was almost exclusively an attack method, that I keep being instructed to use. Is the benefit of not serving a 20kb css or js file yourself really worth it?
Your intuition is correct, this is very dumb to do
What? You mean just tossing in the cdn script isn't the best idea?!?!?!
I was visiting few sites last month and i was being redirected to a betting site. I thought I clicked some ad 😮
wow, same (I think, not sure what site redirected me to a betting site)
Many of such supply chain attacks are often avoided by using a specific, static version of an NPM dependency.
But I guess, in this case, the theoretical use case for that "tool" didn't allow for that too much.
Malicious companies do the same thing with browser extensions. They give the original team a ridiculous amount of money to buy the extension, then sever malware through it.
It’s crucial that you use the integrity attribute with a hash of the JS code on all your external script tags to protect against attacks like this! You still need to verify the safety whenever you add or update any external dependencies, but at least this prevents malicious third parties from changing the code under you.
polyfill's service did not work with checksum hashes because it served a completely different JS file with different patches based on the user agent of the browser. You had to entirely trust that the content they were distributing was safe, and clearly that turned out to be a terrible idea
@@Brixster I agree, so that's a reason to avoid it! You should always use the integrity attribute, so you can't use such a service
SRI integrity hashes should be used when loading all external scripts.
I can't believe these huge sites are using dynamic content delivery like that. I know its a thing but for like an actual production site it seems insane to just be like "yeah go get whatever javascript comes from this link". Nuts not to pin a version and send it from your own server...
The only good thing about this is that it could have been much much worse and gone undetected for even longer.
that’s why i host my own CDN.
If i throw the polyfill url into my adblocker I should be fine right?
like if my client refuses to fetch it, then surely I am protected?
Too bad Chrome Manifest V3 is going to kill this functionality
You cloud vlock it at DNS level
Thanks Theo!
Scary stuff. I wonder if this is what took down Tesco online shopping recently.
Using polyfill and other libs like unpkg and jsdelivr has always been really distasteful to me. Literally bundling arbitrary code that can be swapped out during prod. Of course there are mitigations, but just bake in the libraries you need into your own application...
Imagine if this happens with a UI library that uses external scripts, like Bootstrap, Semantic UI, etc.
Yeah, it always has been awful. And many seem to think it's okay.
Yeah, for a little "lets just slap this in and try it out" sure, but the moment it's more than "hmm thats interesting" you need to be serving it yourself. It's more performant and safer. And easy.
@@bruwyvn bootstrap has almost always suggested to use an integrity attribute if you're just nabbing it via a script tag (and they link out to jsdelivr for it, not self-hosted). But yes, this is why you don't link to anything that doesn't have an integrity attribute to lock it down, and why pollyfil is difficult/impossible to secure; it changes delivery based on UA, so you can't give it a single integrity attribute.
if you use the integrity attribute on the script tag, you can guarantee that they can’t change it, so the worst case scenario is a DOS attack by just not serving the file
Me watching this with Hulu paused on the side: 👁👄👁
CDNs are fine, as long as you use the integrity attribute in your tag (at least for now...)
What’s that do ?
You can't because it updates dynamically
@@Cognitoman Provides a hash of the file that should be served by the CDN as part of the HTML, so that if JS the user gets isn't identical to the JS that you (the developer) intended them to get, it fails to load. It works as long as you control the HTML and don't expect the JS to "auto-update" in the background, which many people do, despite how dangerous it is if you can't 100% trust the CDN.
I thought it was obvious to NOT load scripts from external sites for security reasons, guess I was wrong.
Could it be that Cloudflare Status was explicitly not using the Cloudflare-hosted library, so that it is still available during Cloudflare's downtime?
Shouldn’t browsers block polyfill domain at that print?
I think a more secure method of using third-party scripts would be to first redirect them to a "center-point," which is essentially a file on your website that serves as an import for the scripts. You can then link that file to all of your pages instead of directly linking to the script. This way, if you notice any security breaches, you can simply remove or replace the single import file rather than spending a lot of time changing it on every page.
I still have to leave before I get an aneurysm...
But what does this do to the end user?
Who sold the domain and github account to these people? How much were they paid for it and why did they not feel a duty of care to the 100,000 sites who were currently trusting the scripts source?
Never remote load a resources where you don't solely own the remote host. If you need to use a remote resource, download it, and upload it to your own CDN.
You must, must, verify the libraries you use.
cant imagine big framework just suddenly gone and those config dont work
Couldn't you use something like a Pi-hole to block all traffic to the Polyfill website on your network to protect yourself?
I think you could do this with the hostfile too, but you would need to do that on every device.
Crap like this is why I run the NoScript browser add-on and only selectively allow JS to run on my browsers.
no script + ytdl. will adding polifill to firewall help?
well, this is the second attack of such scale on open source community from chinese and affiliated parties
what was the first one
@@skyjumper4097 I think he is refering to Agent 77 (Jia Tan). Where there is no proof as far as i know that agent 77 is chinese.
XZ Backdoor @@skyjumper4097
@@skyjumper4097attack on XZ was found few weeks ago. probably there are more that don't come to mind immediately
@@skyjumper4097 the xz backdoor probably, but it was never confirmed that the assailant was chinese
Can someone please give me tips on how to change this library on my project?
question, why are we not able to have checksum hashes on script tags?
though i suppose this wouldn't work with poly fill lol
my nextdns config is blocking the domain.
one of the reasons I import the libs i wanna use and bundle them. never sat right with me to use cdn for my sites functionality
the shirt is PRICELESS
One tag to rule them all
This is really alarming….
The original domain appears to be down?
Sorry for offtop, but I can't find it anywhere - what operating system is Theo using here? I only found that he uses Windows 10, but it's a post from last year, and it doesn't really look alike win10 xd
Windows? I've always seen him using Mac
You went to the network tab instead of just 'view source' ?
I struggle watching content where the person is just reading lines from an article. It's like the most lazy form of content generation ever. This entire video could have been summed up in 60 seconds or less.
It's your choice
We should just copy the script and put it in our own repository.
Whenever I run "npm install" my heart skips like 10 beats. You could pull malware at any given time and let's be honest it's almost impossible to know.
Not unique to npm, but yes that is a valid concern and is why a lot of companies, who care about security and have the resources, invest those resources in maintaining their own internal mirrors and vet any dependency being mirrored. This is unfortunately not so easy for majority of small companies to do, so they would have to trust a third-party anyway.
It's not like you can't check the code
@@juliansoto2651best of luck manually analysing 5k packages everytime you npm install
@@juliansoto2651 Oh yes ofcourse, let me just go through a couple million lines of code in the libraries in my dependency graph, and re-check at every update. Why didnt i think of that?
@@juliansoto2651 "It's not like you can't check the code"
when you have like 100 dependencies, they will most probably have 1000 of unique dependencies itself, imagine putting a one liner backdoor in one of the backone packages, image like "is-odd" package, its simple, its everywhere. the thing the package does is simple, so adding one more line and jank code will most probably trigger some people, but if you manage to do it in a way that the code seems legit, you are good to go
Is there a CVE for this?
This is why I have made sure to not use any external/cloud resources.
It is nuts.. to run code that you don't control.
Not a dev, is there a way to filter out from the html any that loads polyfill, before the page is read and rendered?
You can block the domain using hosts or firewall. I think ublock can do that, but i dont know the syntax.
You can block the domain in Windows/Linux by adding the polyfill domain to your HOSTS file to eat it
Otherwise, ad blockers can do it
Could this also affect React Native mobile apps, through dynamic code loading?
It would be weird for a react native app to use polyfills.
@@thekwoka4707 could be an older React app ported to React Native that the polyfill is still being loaded in because it is assuming a web environment when it isn't
@@thekwoka4707 it doesn't have to be polyfills, just a js library used in the app is enough
okay, but heres a question.. you say these sites pointed to the cdn polyfill domain
but if this domain DIDNT exist before, why did they add the domain to their page?
Thats why i allways self host this scripts
Can confirm they are still using polyfill
Don't name your project/library something that would be a valid web domain. Especially not if you don't even own said web domain.
I'm not seeing this get asked anywhere, so maybe my ignorance is showing. If the URLs where the scripts are being loaded from are the domain in question, and the polyfil project people say they never owned the domain nor were responsible for it's sale - How was it even being used to source files from? How would the A record -> IP address link work if they didn't have ownership of the domain in the first place? And if it were never owned by them, why use a domain they didn't own, in their scripts?
did he disable javascript before visiting hulu?
I don't think the script can do anything meaningful without a logged in account etc. Nothing to steal there.
what browser u use
What about those third party sites as well fake google analytics name? and the free host paste pin for codes.... I feel sad...
This is why the script tag has an integrity attribute if you are smart enough to know how to use it.
The reason they didn't pin it to a specific hash is the most dangerous thing about pollyfill, it changes based on user agent. Each user may be served a different js file, so you can't pin the script to a specific hash. They give full control of what may be PAYMENT PAGES to a script that randomly changes BY DESIGN!
Or using a strict Content Security Policy. The script could run and read whatever they want but nothing could be sent out.
@@OliverPlummer905 CSP is only used for loading resources like images and js though, not for outgoing connections.
@@OliverPlummer905 CSP isn't going to help, the script served from the URL is already "trusted" by the website, otherwise it wouldn't work in the first place. There's no way to specify CSP policy that says "if this resource's contents changes, then deny access to it".
@@dealloc You can do it using the integrity attribute, it's generally a hash of the script, so any time the script changes and the hash doesn't, it fails to load the script. However in this case it's impossible to do because the script changes based on the user's browser so you can't know the hash in advance.
This is terrifying… I guess I know the first thing I’ll do at work today (check if we have it even if I think we don’t)
GOTTEMMMM
ad networks put js on your site that comes from whoever has paid enough for a designated consumer profile.
Simply put, once one adds a tag to a 3rd party , it has full control over that website
Since Javascript can modify everything with DOM manipulation and by Overriding/Overloading Event Listeners
One may use 3rd party scripts to speed up development, local copies of said script if possible.
Then, later on, drop those dependencies one by one. If not, they will eventually turn into vulnerabilities that create security and service issues.
@0:21, That's rapid7.
How do you make a website without owning the domain? I don't get it? How does this happen?
could be a seperate entity hosting the website, but the entity most likely sold the website (domain) to another entity
I always thought that using scripts from an external source was a bad idea. if you want to use the script, host it yourself. At least then you can scan the code and pin yourself to a specific version
This is why I include scripts in my web app and run an integrity check on it, even if its locally loaded.
Not to offend you but do you ever get comments that you look like Jerry Attricks from Scott the Woz in your thumbnails
Making websites work in IE7 is very important ... imagine the revenue and wisdom this demographic has to offer!
I actually abandoned a person for running windows 98 in 2012
@@MattHudsonAtx Thank you for your service! o7
IE7 need isn't very common, but there are lots of corporate webapps. I had to support IE6 long after it was replaced. When you have 10 companies using your products, just having one of them refuse to upgrade is enough to require having to support them. Web apps are used for a lot more than public internet websites.
@@username7763 and all of them use the inherent non-security to work :)
Same shit happened with Faker for PHP, if you generate in image, the domain changed owner.
hariga bhai hariga india hariga
The real question is who is the person that sold it to this Chinese company?
This is why I don't use polyfill, this is why I block polyfill via no-script... But seriously, a lot of web developers need to learn IE9 does not exist anymore.
this just feels like xz again. random thing everybody uses but nobody cares abt or pays attention to gets compromised, chaos ensues.
Except this one is actually affecting a lot of stuff unlike xz
i use adguard home, umatrix and ublock am i affected?
yes
If you use Hulu, yes.
ublock origin already has it filtered out, you can try access polyfill dot io and you'll see
uBlock updated their filter list to include the polyfill domain as of June 26th. So likely not anymore. But it would seem prudent to change your passwords on sites that were affected.
Wait, a dude created a service, and all of a sudden he's not the owner?
I understand it was most likely a group effort, albeit that should be noted in the repo for such cases where a threat actor could obtain a github account and the domain.
This just seems like a weird way to go about this.
4:18 Oh no... how terrible.... Oh no. That one's probably a useful feature.
"Academic research", my ass.
This is why you should never embed an external package, ever.
Instead, if you need the script for what you are doing, host it yourself.
Chat GPT is using this Library. I tweeted at them please complain to to them too.
Supply chain problem... people adding 500 dependencies to their program.
Life going as normal LMAO
The ability of a website to load a script from anything it does not directly control was always going to get us into trouble. Just look at how many 3rd parties are accessed by a typical website. It's insane... and web developers and frameworks that encourage this model are at fault.
Unfortunately fixing the problem is going to be very hard. Unscrupulous ad companies are even starting to force websites to add cname records so their scripts can "appear" to come from the first party! The only solution here is to make things much stricter:
- Restrict script tags such that they must be served *from the same IP* as the primary page. No exceptions. No DNS bypasses. *SAME ORIGIN BY IP* or your script is blocked.
- The HTML must embed a hash of the script it is going to load, and that hash must match or the script will be blocked.
- If a website communicates with a 3rd party domain, each individual domain will be presented to the user in a list to be approved.
Will this break a *ton* of sites? Yes. Do they deserve it? Absolutely yes. Is this proposal practical? Of course not, but anyone who is honest about the state of the internet will agree that what we're doing now can't continue.
I always think about astro neovim downloading 200 dependencies from random repos at my machine 😅
Well that's how open source software works half of the time
Should've rewritten it in rust.... wait, the service is already written in rust. Doesn't that mean rust is insecure? /j
Rookie mistake, should've used C! /j
Ive always thought running turing complete code in browser was a mistake. Can you imagine going back though? I gladly would, but it aint gonna happen. Itd be the death or upheaval of entire industries. In my mind, itd be worth it. I mean, we might lose social media, and a lot of addictive algorithms. Oh the humanity.
What is amazing is that this wasn't a sophisticated attack, and they didn't even try to stay hidden. Just imagine the possible damage if these attackers were competent and not basically SEO trolls. Still convinced that this is just a symptom of an issue affecting all of JS(and a lot of other programming languages as well): Small, useless libraries, and package/dependency managers. People don't even realize when they 100x the size of the trusted compute base.
Morale of the story...
If you actually care about open source, and the internet don't sell off your dead project to a chinese developer