PolyFill Vulnerability is WILD

  • Published 27 Jun 2024
  • Recorded live on twitch, GET IN
    Article
    sansec.io/research/polyfill-s...
    By: Sansec Forensics Team
    My Stream
    / theprimeagen
    Best Way To Support Me
    Become a backend engineer. It's my favorite site
    boot.dev/?promo=PRIMEYT
    This is also the best way to support me: support yourself by becoming a better backend engineer.
    MY MAIN YT CHANNEL: Has well edited engineering videos
    / theprimeagen
    Discord
    / discord
    Have something for me to read or react to?: / theprimeagenreact
    Kinesis Advantage 360: bit.ly/Prime-Kinesis
    Get production ready SQLite with Turso: turso.tech/deeznuts
  • Science & Technology

COMMENTS • 305

  • @PledgeBass
    @PledgeBass 5 days ago +327

    I'm always shocked that stuff like this isn't wayyy more common with how much of modern software is full of 100s of thousands of lines of code that the software provider didn't even write or likely read.

    • @Kane0123
      @Kane0123 5 days ago +27

      The buyout for open source projects seems like a way underrated vector…

    • @andrewvalenski921
      @andrewvalenski921 5 days ago +26

      You’re assuming it’s not. It can only be reported if it’s identified

    • @autohmae
      @autohmae 5 days ago +3

      It's because there were lower-hanging fruit, but now things are getting slightly more complicated, and the money involved has increased so much for malware, etc.

    • @Fiercesoulking
      @Fiercesoulking 5 days ago

      The web development space went completely insane over the last 6-8 years, for lack of a better word. JS workflows have way too many dependencies, which not only opens them up to supply attacks from all sides; e.g. React is not built by a company that is a software company for others, which means Meta can stop supporting the project any moment they like. This is a house of cards.
      GraphQL and Firebase and similar DBs where you have direct access from the client side are also a super bad idea; we knew that even SQL is not good enough for security, we have to pack them into PDOs. This is a complete violation of security policies.
      The REST APIs aren't that bad, but RPCs are better when you are inside your own applications; REST is for third parties, because in RPC you don't have to care about your types (meaning you need to care in REST). I mentioned this because MS dropped their own C# RPC support.
      I also heard that React Native has Expo, which lets you update your Android or iOS iPhone app by bypassing their stores, which is also a violation of security policies because they bypass the review process.

    • @user-pt1kj5uw3b
      @user-pt1kj5uw3b 5 days ago +7

      These attacks are probably just as common as you think.

  • @orbik_fin
    @orbik_fin 5 days ago +101

    Back in the day it was Windows users downloading random executables from the Internet, infecting their PC with malware. Now it's web developers doing the same thing but with other people's machines.

    • @mks-h
      @mks-h 4 days ago +1

      You mean yesterday?

  • @3DArea
    @3DArea 5 days ago +134

    Prime: I only have node_modules in one thing...
    ...
    Prime: Dude, I have clerk? 7:22
    Prime: How did I download "The Internet" by having a "types" package!?
    Software Engineering in 2024, step One: Download The Internet

    • @WackoMcGoose
      @WackoMcGoose 5 days ago

      On 150 floppy discs, too! The first 12 are nothing but pr0n, of course. One disc is dedicated to nothing but millions and billions of emoji, another is just the Google homepage and nothing else, and so on...

    • @M0du5Pwn3n5
      @M0du5Pwn3n5 4 days ago +2

      No, step one is to download an orchestration suite that downloads a manifest to compose a fleet of containers so you can run a microservice so you can get syntax highlighting over a socket for some insane reason.

    • @CTimmerman
      @CTimmerman 1 day ago

      Scaling in the cloud is safe and easy for everyone. Well, maybe not dissidents.

  • @pukkimi
    @pukkimi 5 days ago +24

    I have demanded for over 15 years that no external resources be linked to any of our sites. I have waited for exactly this kind of attack, or a DNS spoofing attack that could cause the same, but not at this scale.
    Also, when you link an external js or css, you are using someone else's resources instead of your own, and it isn't right and sometimes not even reliable. Too much traffic and the provider could stop usage depending on the referer of the request.

  • @JoeStuffzAlt
    @JoeStuffzAlt 5 days ago +33

    "We don't want to hire an entry-level developer unless the developer has 5 years of experience". It's an interesting vector. You can get that experience

  • @Tony-dp1rl
    @Tony-dp1rl 4 days ago +12

    NEVER go to production with code that pulls from a CDN you don't control.

    • @kaibe5241
      @kaibe5241 3 days ago +1

      Yup, the fact that websites provide this as an option for their libraries is pure insanity.

    • @privacyvalued4134
      @privacyvalued4134 2 days ago

      That, of course, includes Google Analytics, Google AdSense, Google Ad Manager, and literally any Google product! Unless you are Google.

  • @Cafuzzler
    @Cafuzzler 5 days ago +57

    I still remember when the worst we had to worry about was the color.js dude throwing a fit because he wanted to get paid for making a library all the big tech companies used. Now we've got to worry that disgruntled developers aren't giving control up to foreign intelligence services on a multi-year OP, or just straight up selling it to the highest bidder.

    • @orbatos
      @orbatos 5 days ago

      And you think this doesn't affect corporate code? It does.

    • @Cafuzzler
      @Cafuzzler 5 days ago +6

      @@orbatos I'm willing to bet Microsoft can't be bought like that by the Chinese government.
      Now by the NSA on the other hand...

    • @j_stach
      @j_stach 5 days ago +1

      @@Cafuzzler Lol can't buy what you already have, you mean?

    • @geliba187
      @geliba187 4 days ago +1

      Having a Chinese web page doesn't mean anything; their page footer actually says made in USA. I hate people who know nothing and start jumping to conclusions.

    • @Cafuzzler
      @Cafuzzler 4 days ago

      @@geliba187 You're right. Just because they have a Chinese site, that doesn't mean they are bad. When they are injecting malware into polyfill.js, then we can conclude they suck dick.

  • @carljacobs1287
    @carljacobs1287 5 days ago +12

    I'm working on an embedded product to be used in an industrial setting. They want a basic web based interface. Some of the young engineers wanted to use node + CDNs + all the modern web magic. But I'm old-fashioned and don't trust stuff that's either too large or dynamically downloaded, so used minified versions of the libraries I needed (bootstrap and jquery), and wrote the server side CGI in bash scripts. It all turned out to be shockingly simple to do, and completely side-steps the risk shown in this video.

    • @Daniel15au
      @Daniel15au 4 days ago +1

      CDNs are fine if you control them (like your own Cloudflare, CloudFront, BunnyCDN, etc account). For an embedded product though, you probably just want to have all the content locally on the system (like you said).

    • @privacyvalued4134
      @privacyvalued4134 2 days ago

      @@Daniel15au That's not controlling the CDN. Do you own any of those companies? No? Then you don't actually control the CDN.

  • @shenrr6802
    @shenrr6802 5 days ago +62

    What happened to eslint recently?

  • @gruntaxeman3740
    @gruntaxeman3740 5 days ago +10

    Having tons of dependencies of unaudited code has been a known security risk the whole time. I do have dependencies in my projects, but for almost all of them I have someone curating them, or they are well funded (like React); for the rest of the dependencies I do check the code or fork.
    I generally avoid dependencies.

    • @tablettablete186
      @tablettablete186 5 days ago +3

      I am doing the same, like:
      - This controls the GPU, the only dependency is an NVIDIA lib
      - This interfaces with Win32 and uses a MS lib

    • @gruntaxeman3740
      @gruntaxeman3740 5 days ago

      @@tablettablete186
      When writing software that runs in browser, it doesn't necessarily require any dependencies.

  • @75hilmar
    @75hilmar 5 days ago +33

    FunNull that's some impressive naming right there 😂

    • @autohmae
      @autohmae 5 days ago +3

      And obviously funnel people into using their hacked versions...

  • @federicoreina7732
    @federicoreina7732 5 days ago +24

    Prime not fully appreciating the github auctions joke 😭

  • @redneckcoder
    @redneckcoder 5 days ago +9

    Added that questionable domain to my internal blacklist so that none of my devices can inadvertently access it and load it from the CDN. Who cares if anybody's sites break at this point.

    • @EmberQuill
      @EmberQuill 4 days ago

      @@redneckcoder As long as you're not using an ancient, unsupported browser version, blocking the script won't break anything at all.

  • @asdfghyter
    @asdfghyter 5 days ago +7

    12:18 You can use the integrity attribute with a hash on your script tags to ensure that no one can change the code under you. Pairing that with some good CSP headers will go a long way toward protecting your website against various kinds of script injection.

    • @crispybacon1999
      @crispybacon1999 5 days ago +1

      That's the crazy part about it though. Polyfill is specifically designed to generate the js file for each user, so the integrity attribute can't be used.

    • @asdfghyter
      @asdfghyter 4 days ago +1

      @@crispybacon1999 yes, but for any other cases you can and should use it. and you could also change the polyfill code to make the JS code responsible for determining which version to use instead of the server doing it based on headers.

  • @cyberneticbutterfly8506
    @cyberneticbutterfly8506 4 days ago +2

    There is a kind of metaphor or analogy in security here, to "Progressive Enhancement" in frontend:
    Teams want no dependencies that add security work.
    Better to not use the thing that demands more security work unless you have to.
    Solving the problems with larger vendor dependencies or only the biggest open source dependencies.
    But then how can things grow to become big in the first place?

  • @diReLoCke
    @diReLoCke 3 days ago +1

    Prime - “I am baffled, I am shocked that I have never thought about this type of attack.”
    The entire security industry - *openly weeps into their 6th finger of bourbon*

  • @djenntt
    @djenntt 5 days ago +9

    “Get backdoored, baby! Let’s go!”

  • @bobster852
    @bobster852 4 days ago +4

    Little bit baffled by all the shock. There has never been a moment in time when JS _wasn't_ full of supply chain attacks. It just depends (see what I did there) on which packages we pay attention to.

  • @theaifam5
    @theaifam5 5 days ago +24

    Use checksums to prevent any upstream modifications and set up CSP to load only what you "own".

    • @autohmae
      @autohmae 5 days ago +8

      Correct, Subresource Integrity supported by 97.25% of all browsers in the wild.

    • @black-snow
      @black-snow 4 days ago

      Yes, please.

    • @firen777
      @firen777 4 days ago +3

      The problem is polyfill is dynamically generated based on your browser since that's the whole point of polyfill

    • @autohmae
      @autohmae 4 days ago

      @@firen777 they don't have a base script that loads the browser specific one ?

    • @firen777
      @firen777 4 days ago

      @@autohmae that leaves me thinking: is it really achievable?
      The current polyfill implementation, as I understand it, is that the server serves you different versions of JS based on your user-agent. (i.e. returns nothing for a modern browser, but returns missing functions for old ones). Therefore, SRI won't work in this case.
      If we REALLY wanna go for the "base script" approach so that we can have SRI check, then the base script will probably need to check all the possible UA inside the script, fetch the corresponding script as string, checksum the string as makeshift SRI, then eval the string (holy shit).

  • @snrd
    @snrd 4 days ago +2

    There are two things (among others) you can do as a maintainer of a website to prevent this kind of attack from working: using Subresource Integrity (SRI) and defining a Content Security Policy (CSP), either in HTML or in the HTTP header. Sadly most websites don't use these features and browsers don't require them to be used. I wish that by default scripts wouldn't be loaded until the browser can verify their integrity, and external resources wouldn't be loaded until they are defined in the CSP, but sadly this would break the entire web.

  • @TheAliceQuo
    @TheAliceQuo 5 days ago +4

    Had to personally fix 5 repos at work yesterday because of this. Probably dozens or hundreds more that others had to fix.

    • @sophiophile
      @sophiophile 4 days ago +1

      I just raised this at work as well. I'm not a security guy tho. If you don't mind explaining, what needs to be done?

  • @AvanaVana
    @AvanaVana 5 days ago +6

    June 28th, 2024 was the day that I learned maintaining open sauce js libs is a national security matter for my country

    • @autohmae
      @autohmae 5 days ago +3

      Should have been April 2nd, which is the xz exploit.

  • @gkiokan
    @gkiokan 3 days ago +2

    hahahhahaha I broke on that part "I only have type definitions, how the hell did I download the whole Internet" hahahahhahaah

    • @Nadi_Games
      @Nadi_Games 2 days ago

      Yeah, hilarious. 😂
      The pure joy of npm cascading dependencies 🤪
      And the part when he says "Bro, as a hacker, your code sucks. Could we at least practice clean code if we're hacking?" is brilliant haha.

  • @shadowpenguin3482
    @shadowpenguin3482 5 days ago +5

    7:13 what happened to eslint recently?

  • @Kane0123
    @Kane0123 5 days ago +10

    The fact that google is blocking certain elements in their ad network is hilarious. Acting like they properly vet any of the ads in their network. Cosplaying as an org that cares.

  • @ethanannane8783
    @ethanannane8783 5 days ago +34

    we want more german accent

  • @chupasaurus
    @chupasaurus 5 days ago +9

    I've seen more deranged supply chain attacks, like a Debian mirror being delisted from the project for insertion of a backdoor in a package (all packages are signed by the project, hence it was stupid).

    • @marioprawirosudiro7301
      @marioprawirosudiro7301 5 days ago +1

      I still remember when Linux Mint's ISO got compromised...

    • @pranavtaysheti7858
      @pranavtaysheti7858 5 days ago

      @@marioprawirosudiro7301 That is not stupid, because the signature is checked when downloading from apt, not when it's just copying files from USB to PC.

    • @marioprawirosudiro7301
      @marioprawirosudiro7301 5 days ago +3

      @@pranavtaysheti7858 No, it's not stupid. But then again, I never said it was.
      My reply was because OP's comment about "deranged supply chain attacks" and "Debian" reminded me of Mint's ISO case.

    • @pranavtaysheti7858
      @pranavtaysheti7858 5 days ago +3

      @@marioprawirosudiro7301 sorry I misinterpreted

    • @marioprawirosudiro7301
      @marioprawirosudiro7301 4 days ago

      @@pranavtaysheti7858 It's fine.
      Anyway, back then the incident freaked me out so much because I was a Mint user at the time. This led me to a wild distro hopping, trying to find something good enough to replace Mint. Settled on elementary OS, though the way they "update" made me move again. Plus, I said "they", but it's really just a single person running the entire operation...
      My Linux machine (an old laptop) is now on openSUSE (Tumbleweed, installed recently, like a week ago). Running pretty well, for a rolling release.

  • @ikiris9456
    @ikiris9456 5 days ago +3

    This has been a spam / malware vector for ages. It's what happened to multiple browser addons as well.

  • @Cygx
    @Cygx 4 days ago +1

    Supply chain attack is a known vulnerability and one of the most powerful

  • @YaroslavFedevych
    @YaroslavFedevych 5 days ago +3

    Technically fair, the best kind of fair

  • @joyboricua3721
    @joyboricua3721 4 days ago +1

    Open-source is good still, actually. Private corps can do the same shady functions or roll out vulnerabilities from early deployment, sometimes faulty, incomplete code, probably from using the Agile '$hamework'.
    Moreover, IRS can identify these types of sales, or LOC on concessions of such projects to other parties, so that NSA can point in the direction of those beckoning for such investigative scrutiny. Don't freak out; it's all part of CW2.

  • @Beefster09
    @Beefster09 5 days ago +18

    This is why all dependencies should be vendored or embedded
    Browsers should probably start blocking cross-site JavaScript… and should never have allowed it in the first place

    • @autohmae
      @autohmae 5 days ago +4

      But if you still want to use it, you can also just add a hash in the HTML of whatever you are linking.

    • @follantic
      @follantic 5 days ago

      You could easily publish a phishy minified script to npm after purchasing it and not push the real code to git. At this rate it's inevitable that we're going to see a severe long-running and wide reaching attack in the future.
      Slack uses Node. And they probably upgrade their dependencies reasonably frequently. We're one crafty SOB away from basically all tech companies getting compromised.
      That is, if it hasn't already happened.

    • @thelvadam5269
      @thelvadam5269 5 days ago +1

      That would break the vast majority of the internet.

    • @asmithdev2162
      @asmithdev2162 5 days ago +3

      This has nothing to do with cross-site JavaScript, it's just a supply-chain attack because the developer didn't own the domain they were using

    • @MikeC1
      @MikeC1 5 days ago

      @@asmithdev2162 And anyone that self-hosted a trusted copy of the library for their own use isn't affected by this glaring supply chain weakness.

  • @copperbadge1
    @copperbadge1 5 days ago +3

    This is fine. 🔥

  • @MatildaHinanawi
    @MatildaHinanawi 5 days ago +2

    11:00 But if they were benevolent then they would fairly straightforwardly agree to have you check their work. That's a win on all sides situation. Sure the original maintainers MIGHT not feel like they wanna stick to it, but if they wanted to, and the company declined, that would be a clear red flag.

  • @dandogamer
    @dandogamer 5 days ago +1

    I find it wild that clerk is somehow in your node modules like wtf 😮

  • @FaultyTwo
    @FaultyTwo 4 days ago +1

    If I had a nickel for every time a Chinese developer injected their backdoor into open-source projects, I would have five.
    Which isn't a lot but it's really weird if you think about it.

  • @MrGlitch888
    @MrGlitch888 4 days ago +2

    I always despised modern js development. Forget trying to attack one site with xss, I’m just gonna buy a popular js library and inject js code to steal all the cookies, all the data, and issue malicious http requests on the user’s behalf for all users on all websites that include my js code in their html page.

  • @litfill54
    @litfill54 5 days ago +1

    good day mr. Jones!

  • @johanlarsson9805
    @johanlarsson9805 3 days ago +1

    What do you mean "this could totally just happen!"? The more difficult version of it already happened with SSH login failure, so of course this too can happen.

  • @josephrissler9847
    @josephrissler9847 4 days ago +1

    The javascript tag should have the option to include a hash value that must be verified. Then you can lock version and use the CDN safely. So long as the CDN can't attack the hash, they cannot alter the contents of the script to be executed, yet they can still act as the infrastructure. This wouldn't require any kind of asymmetric signing scheme or anything. The javascript tag itself acts as the authority on the hash. The threat model here assumes that the HTML page containing the javascript tag can be trusted.
    If the web were to implement this feature, older browsers will still be vulnerable, but ironically, a polyfill could solve that.

    • @kmcat
      @kmcat 4 days ago +1

      It does, it's called Subresource Integrity

  • @1234minecraft5678
    @1234minecraft5678 5 days ago

    Man, there is a very good SoK paper on the taxonomy of Software Supply Chain attacks, it's wild

  • @krykry606
    @krykry606 5 days ago +2

    There is a reason noscript exists.

  • @willw2596
    @willw2596 4 days ago +2

    Why would people use 3rd party libraries on CDN? Just to save a few bucks on bandwidth? Verify and package any 3rd party libraries yourself. Put dependencies under your control.

  • @kahnfatman
    @kahnfatman 5 days ago +1

    Klaus Schwab - WEF

  • @yelnil
    @yelnil 5 days ago +17

    J Blow has been warning us for years about this

    • @alexlowe2054
      @alexlowe2054 5 days ago

      This goes back much earlier than that. People like Stallman predicted this type of behavior back in the 90s. If you have a deep understanding of technology, a concept of how incompetent the average user is, and knowledge of the motivations of the people causing these types of disasters, then the natural extrapolation ends up being pretty accurate. Which is why we unfortunately have to say, yet again, Stallman was right.
      I bring up Stallman, because it's still impressive for someone to be able to predict self-deleting digital media back in the 90s, when CDs barely existed. You have to be a genius, or insane (or both) to be able to realize that future was possible, and likely, given the status quo of the time. It's a lot less impressive to see Johnathan comment on these things, because he has the advantage to write software at a time when it's entirely technically possible to cause these supply chain attacks. Like, literally, if he had the money and the motivation, he could conduct that type of attack himself.
      Given that we've had decades to see these problems, to fix them, and we're still failing in the most basic ways, I have little hope that the average software project avoids these security disasters. After all, it was only within the last decade that SQL injection, a solved problem, moved out of the OWASP top 10. The average software developer doesn't understand or care about security, and when they do, usually it ends up being "deprioritized" by management, in lieu of more features.

  • @satnififu
    @satnififu 5 days ago +3

    And then people ask why it's hard to trust software made by Chinese companies

  • @tabochyair
    @tabochyair 5 days ago

    Insane

  • @neymarsabin
    @neymarsabin 4 days ago

    this is insane

  • @nskeip
    @nskeip 5 days ago +1

    If you know that guys are going to commit a fraud as a partner in crime, you can end up in a court. So, it's a pretty practical reason to think twice

  • @jerryhuang2258
    @jerryhuang2258 5 days ago +4

    tiaozhuan means redirect

  • @DaviAreias
    @DaviAreias 4 days ago

    Don't worry bro, every React library is safe from this, this is why we use npm packages for everything even if there's a browser api replacement.

  • @bitwisedevs469
    @bitwisedevs469 4 days ago

    Fck, just woke up and got an email from Google talking about this Polyfill in one of my old GCP projects. I clicked it immediately without much thinking; if that email were fake and started an exploit, I could be one of its victims. Never access links in email when you just woke up, because you may not be in the right mind at the moment.

  • @gwentarinokripperinolkjdsf683
    @gwentarinokripperinolkjdsf683 20 hours ago

    it should be possible to define a hash for content that you expect to be the same, the browser should give an error if there is a mismatch

  • @segueoyuri
    @segueoyuri 5 days ago +2

    me, a h4ter of JS with literally ZERO node packages installed 😎😎

  • @fennecbesixdouze1794
    @fennecbesixdouze1794 3 days ago

    Web browsers should support CORS with content hashes so when you load scripts from a CDN you can add the hashes of the content you're expecting to get back, that way someone can't grab the CDN and replace the script there with something else later.
    This could even be built into URLs: suppose you could just add something like :~:hash= to your URL, and then if you pull in from a CDN on a script tag the browser would load the content from the URL and then verify the hash of the content matches the hash provided in the URL before executing any content.

  • @wjackter
    @wjackter 5 days ago +20

    I lost faith in NPM dependencies after the left-pad incident back in 2016

    • @pastenml
      @pastenml 5 days ago +3

      This has nothing to do with npm. It's their cdn that was affected.

    • @Daniel15au
      @Daniel15au 4 days ago

      Polyfill doesn't use npm, and in fact, using npm would have actually avoided this issue since the JS that's loaded can't possibly change unless you update it to a newer version.

  • @beanarine3974
    @beanarine3974 4 days ago

    He said open source is screwed but this is the biggest case not only for corporate sponsorship but now also government subsidies of these foundational open source projects and of trusted maintainers

    • @YumekuiNeru
      @YumekuiNeru 4 days ago +1

      lol yeah how does this not apply to closed source software

  • @privacyvalued4134
    @privacyvalued4134 2 days ago

    How many Node modules I have on my system: NONE. That is the only correct number of Node modules to have on your system.

  • @GabrielMillerd
    @GabrielMillerd 4 days ago

    On the topic of buying open source, look at the people wanting to buy browser extension accounts, having that existing >100k downloads is huge for people.

  • @AJenbo
    @AJenbo 5 days ago

    9:14 Yep, also been offered lots of $ for my github account, more so than for the OSS work I have done.

  • @federicoreina7732
    @federicoreina7732 5 days ago

    Did Prime stream get DDOS'd after this?

  • @arlogodfrey1508
    @arlogodfrey1508 5 days ago

    I'm surprised we haven't dealt with this already? Not sure if it's a fixable problem on web, needs immutable dependency references like some package managers do.

    • @alexlowe2054
      @alexlowe2054 5 days ago

      We kinda did. The package managers can generate immutable version references, but this wasn't an attack on the library code or the package manager. It was an attack on the CDN that hosted compromised versions of those safe packages. There's not really a good way to avoid that type of attack, as long as you don't host your own CDN.

  • @JamesFreeman
    @JamesFreeman 3 days ago

    Can't unpublish, but can you replace/update?

  • @ristopaasivirta9770
    @ristopaasivirta9770 4 days ago

    "We only need to purchase those who oppose us."

  • @Songfugel
    @Songfugel 5 days ago

    Holy Scheiße, this channel for vulnerabilities sounds extremely vulnerable (pun not intended) for misuse

  • @reevanthlama2315
    @reevanthlama2315 5 days ago

    07:29 🤣🤣🤣😂😂😂😂

  • @NavySturmGewehr
    @NavySturmGewehr 5 days ago

    Factory Functions?

  • @mou1998ssa
    @mou1998ssa 1 day ago

    And now my paranoia about not using libraries and packages isn't going away soon

  • @madimakes
    @madimakes 5 days ago +2

    wait what who uses sudo to install npm packages?!?!

    • @bruwyvn
      @bruwyvn 5 days ago

      Thanks for deleting my explanation YT

  • @callysibben416
    @callysibben416 5 days ago

    Seeing Intuit on that list is hilarious

  • @cariyaputta
    @cariyaputta 5 days ago

    Raw js rules.

  • @0xuttc
    @0xuttc 4 days ago

    1:42 anyone remember xz ? Practically the same here.

  • @moonasha
    @moonasha 4 days ago

    these state sponsored takeovers of open source projects are really getting scary.

  • @keaton718
    @keaton718 4 days ago

    Seems like visual page builders with a Google Maps widget use Polyfill, so potentially millions of websites?

  • @mikescholz6429
    @mikescholz6429 5 days ago

    Who puts sudo before npm? Are you new?

  • @yearswriter
    @yearswriter 5 days ago

    Kinda need to point out that various chatters with "web is wild I stay embedded" are not really safe either, unless they do use proprietary software and/or their software is small enough to know it completely, which is fair

  • @lyth1um
    @lyth1um 5 days ago +1

    held the website provider accountable when visiting the site for content they provide on their domain. imagine, now malware or phishing anymore.

    • @Gregorius_
      @Gregorius_ 5 days ago

      bro reading you is HARD

    • @lyth1um
      @lyth1um 5 days ago

      @@Gregorius_ yeah, I've re-read my gibberish. It's warm at my place.

    • @masterchief1520
      @masterchief1520 5 days ago

      Bro what r u saying @@lyth1um

  • @Sunrostern
    @Sunrostern 5 days ago

    Quick, grep your repos!

  • @channelgogrvk
    @channelgogrvk 5 days ago

    NIH gang

  • @TheEVEInspiration
    @TheEVEInspiration 9 hours ago

    I ALWAYS insisted on hosting any library we use, just for the visibility.
    And as such I hate minimized (read: obfuscated) .js files.
    They are evil!

  • @theaifam5
    @theaifam5 5 days ago

    - $ they paid for, that’s a big L.

  • @hydrobolix3365
    @hydrobolix3365 1 day ago

    👀

  • @marcoscooper1218
    @marcoscooper1218 4 days ago

    I don't understand. Weren't we all taught not to trust CDNs? I remember the senior programmer at that time saying that we should not trust code that we do not control.

  •  4 days ago

    2:47 that’s like mmorpg account trading, but for infosec… oof

  • @donaldjohnson-ow3kq
    @donaldjohnson-ow3kq 2 days ago

    Is it ok if I sell someone else's morals because I have none to sell?

  • @ya64
    @ya64 5 days ago

    So, CDNs are ruined forever?

  • @nickredfern2689
    @nickredfern2689 5 days ago

    Universities are subject to export controls for the technologies you can produce, to stop technologies that might have dual use (such as heart pumps being used as fuel pumps for missiles). Nation-state attacks like this and XZ on individual devs will lead to governments cracking down on sales of technologies to countries like China. Expect open source to be subject to export controls in the future. If you're going to do open source in the future, get a lawyer.

  • @kzalesak4
    @kzalesak4 5 days ago +1

    Do not use CDN 🤷

  • @davidfrischknecht8261
    @davidfrischknecht8261 4 days ago

    LowLevelLearning just posted a video about this issue.

  • @TatharNuar
    @TatharNuar 1 day ago

    1:30 Klaus Schwab?

  • @sophiophile
    @sophiophile 4 days ago

    This is all over the place if you look

  • @JakobMusic
    @JakobMusic 5 days ago

    ...agen

  • @mattymattffs
    @mattymattffs 4 days ago +1

    Using a third party cdn? This is on you

  • @geliba187
    @geliba187 4 days ago

    Funnull LLC made in USA

  • @osakitsukiko
    @osakitsukiko 4 days ago

    bro turning into xqc

  • @Arcangel0723
    @Arcangel0723 4 days ago

    intuit makes a very popular tax filing service in canada... I used it last month lol

  • @HobbitJack1
    @HobbitJack1 4 days ago

    Anyone who at this point still thinks that the CPC is playing nice is probably somewhere between misled and stupid.

  • @zenguru84
    @zenguru84 4 days ago

    Please man.. extract those 10 sec where you say 'Bro as a hacker your code sucks! Can we at least practice clean if we are hacking? this will be viral 🤣🤣

  • @Marksman560
    @Marksman560 5 days ago +2

    Prime complaining about the non-clean code of a hacking scriptkiddy, while destroying the readability of his own projects by picking the wrong tool for the job.
    JS scriptkiddies these days, fighting the wrong battles (No wonder incompetency is winning😛)

    • @nakedsquirtle
      @nakedsquirtle 5 days ago

      By picking the wrong tool do you mean requiring that types package?

  • @Youtub-IDK
    @Youtub-IDK 5 days ago

    bigboxSWE uploaded a new vid