malicious javascript injected into 100,000 websites
Рет қаралды 211,906
Күн бұрынA malicious CDN has been caught shipping javascript exploits on over 100,000 websites. This is truly one of the craziest attacks I've ever seen.
Issue: github.com/pol...
Writeup: lyra.horse/blo...
🏫 COURSES 🏫 Learn to code in C at lowlevel.academy
📰 NEWSLETTER 📰 Sign up for our newsletter at mailchi.mp/low...
🛒 GREAT BOOKS FOR THE LOWEST LEVEL🛒
Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation : amzn.to/3C1z4sk
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software : amzn.to/3C1daFy
The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
🔥🔥🔥 SOCIALS 🔥🔥🔥
Low Level Merch!: lowlevel.store/
Follow me on Twitter: / lowleveltweets
Follow me on Twitch: / lowlevellearning
Join me on Discord!: / discord
@LowLevel-TV 3 ай бұрын
javascript? NO THANKS. learn ASSEMBLY at lowlevel.academy (and get 20% off)
@Kane0123 3 ай бұрын
Yeah but I need something to run on the server though - I heard JS is the best for that
@LowLevel-TV 3 ай бұрын
@@Kane0123 🤔
@spythere 3 ай бұрын
Assembly? NO THANKS. Only self-made compilators running on TempleOS
@Songfugel 3 ай бұрын
@@Kane0123 😂
@Songfugel 3 ай бұрын
@@spythere a true man of culture right here, or there? 👍
@深夜-l9f 3 ай бұрын
when the child says googie : 🥰 when the hacker says googie : 💀
@NguyenTran-cx3uy 3 ай бұрын
true hackers say googIe (capital I)
@archytype.mp3 3 ай бұрын
@@NguyenTran-cx3uy you are so freaking epic !!! buddy !!!
@GyroCannon 3 ай бұрын
The example that I saw in class was Ρaypal, with the Greek rho character or the Cyrillic er character. They're super hard to pick out compared to i and l
@michagrill9432 3 ай бұрын
@@GyroCannonis there a way to change those in the font so theyre easily visible? 👀
@MECHANISMUS 3 ай бұрын
@@NguyenTran-cx3uy it may have gotten lowercased along the way
@kamkamkil1 3 ай бұрын
btw mozzila uses spider monkey not v8
@LowLevel-TV 3 ай бұрын
thank you
@se7ense7ense7ense7ense7en 3 ай бұрын
and webkit (safari) uses javascriptcore. only chromium uses v8
@cinderwolf32 3 ай бұрын
@@se7ense7ense7ense7ense7en and yet it's still most browsers!
@random_tnt 3 ай бұрын
@@se7ense7ense7ense7ense7en not only chromium, more like all of chromium based use v8
@NithinJune 3 ай бұрын
it’s called gecko not spider monkey ???
@saberint 3 ай бұрын
Another reason why we don’t use 3rd party libraries or cdn’s. you can’t secure what you don’t control
@taiteo558 3 ай бұрын
KISS- keep it simple, stupid. The more externalities you depend on the more likely it is to all break
@lolidkstudio 3 ай бұрын
i totally agree with the guy who commented “i just farted”
@LowLevel-TV 3 ай бұрын
same
@spythere 3 ай бұрын
A little too bit political to me but yeah, I agree
@MaxwellCatAlphonk 3 ай бұрын
He has the cat pfpf tho lol
@𰽚𰽚𰽚 3 ай бұрын
hell nah this comment section is becoming instagram
@Freshbott2 3 ай бұрын
@@𰽚𰽚𰽚mood
@RFelizardo 3 ай бұрын
While escaping the js runtime certainly is a possibility, especially if they're targetting old unpatched browsers, my mind with this sort of exploit immediately jumps to user data theft rather than RCE.
@LowLevel-TV 3 ай бұрын
Either that or throwing easy to replicate CVE's at old browsers, but I agree with what you're saying.
@zzco 3 ай бұрын
Lol, nope. Firefox don't use V8. Being the inventor of JavaScript, they use the engine they developed during Netscape's heyday. Mozilla has maintained it ever since. That is specific to Chromium-based browsers.
@LowLevel-TV 3 ай бұрын
ty
@Miha-hq4hd 3 ай бұрын
specific to chromium based browsers sounds like there's just a few of them. but right now i'm not sure there are any that don't use chromium. Firefox is one and not sure about safary or lynx. still this affects most of the browsers.
@EraAnibra 3 ай бұрын
@@Miha-hq4hd Safari also uses its own JavaScriptCore
@ficolas2 3 ай бұрын
Firefox can have sandbox scapes too. This is not specific to chromium based browsers. They could just as fine put a sandbox escape for any other browser there, if it exists and they know it.
@zerobash3425 3 ай бұрын
comes with up and downs... how good is the firefox sandboxing? like they arent using compressed pointers like v8 right?
@donleyp 3 ай бұрын
This is why I always host all the JavaScript for my sites internally.
@kensmith5694 3 ай бұрын
That is a good first step. Ideally, you also checked all that code to make sure no evil stuff is now being hosted by you.
@SamFlador 3 ай бұрын
Same, I keep it in my butt
@donleyp 3 ай бұрын
@@kensmith5694 yeah, that is the next steps. There are some good tools out there to scan for vulnerabilities. In most companies I’ve worked for we had a toolchain in the build process that was easy to integrate. For indie folks there are good plugins for the CI platforms out there.
@MrTweetyhack 2 ай бұрын
but you didn't create the js
@SteelyGlow 2 ай бұрын
@@MrTweetyhack When trees were small and computers were large, people wrote the scripts for their sites from scratch
@thennoth2860 3 ай бұрын
Polyfilling, as it says on the MDN page on the screen, is the name given to backporting features by rewriting them in compatible older JS, it doesn't refer to some specific library.
@Shneebly 3 ай бұрын
I am 100% confident that this code is NOT trying to escape the V8 sand box and exploit C++ bugs. First, that is extremely difficult to do at this point. Second, you do not need a supply chain attack to do that, you could just host that code on your own domain. A more likely scenario is that the goal is to capture data or authentication tokens on a target site. That (1) is way easier to do and (2) requires a supply chain attack to do, as you generally cannot capture data across domains. I.e. JavaScript in your website cannot steal data the user enters on their bank's website.
@meetfilipe_ 3 ай бұрын
Totally agree, I was also surprised how LowLevelLearning drops that connotation
@dominicbout 3 ай бұрын
6:26: "in V8's interpretation of C++" should be "in V8's interpretation of Javascript"
@youtubewzd2196 3 ай бұрын
10:15 Congrats to having a working digestive tract.
@newman77777 3 ай бұрын
lol
@Blinkerd00d 3 ай бұрын
I too, digest. lol
@unrealircdtutorials 3 ай бұрын
I opened the comments to find this comment hahaha
@Duconi 3 ай бұрын
Even if it's not an exploit to get out of the browser's sandbox. They would still have access to the website and all user data and their security tokens would get leaked to that company. And as even financial institutions used it, that's a big issue.
@tonyinv 3 ай бұрын
Nobody could have guessed that automatically using other people's code on your site could be dangerous 😂
@pogo55555 3 ай бұрын
LOL.
@unknownguywholovespizza 3 ай бұрын
Yes because of the blind trust
@mattstevens9324 3 ай бұрын
Yes, who could have predicted that "Trust me bro" would be desecrated like this?
@tcl78 3 ай бұрын
Just out of curiosity... did you write all the software that runs on your machine (or in your products if you are a developer)? Because most of us have to trust an unspecified number of strangers to have our stuff working and be commercially viable. Linux for instance is a huge dependency tree composed by code written by thousands of strangers without any guarantee of correctness, accuracy or even a simple promise that it will somewhat do what you expect it to do (and nothing else). I too despise having too many dependencies in my code, but if you want to deliver a product that works and looks good/okish you pretty much have to. Long are gone the times when users were ok with small software written in BASIC with a minimal UI composed of mostly bare text. So, what are we even talking about here?
@tongpoo8985 3 ай бұрын
Especially from a Chinese company, who could've predicted this? 😮
@eggflaw 3 ай бұрын
Watching half way through this it's already terrifying...
@CStoph1979 3 ай бұрын
35% of the planet is jabbed and asking for more is far more terrifying. This not so much.
@basiliotornado 3 ай бұрын
@@CStoph1979 Oh my god man do you push your agenda everywhere? 😭
@victorvsl 2 ай бұрын
I was recommended this channel by the algorithm - it's incredible how well it got to know me in the last 17 years since my account is technically active.
@codingneko 3 ай бұрын
Time to start downloading libraries instead of using CDNs
@LewisMoten 3 ай бұрын
Polyfill is still a thing, but it’s usually compiled with the code rather than a link to another website.
@Dj-An0n 2 ай бұрын
now im confident that i was never paranoid about polyfil but just beign realistic
@razt3757 3 ай бұрын
12:04 what is there to say about open source? Whenever an open source project comes out to have malicious code injected it's always the same story: "oh I really wonder if open source was a good idea, just saying you know. I wonder what this means for the future of open source". The only reason we found out about this and many previous vulnerabilities and the word got spread is because of open source and open source platforms like github. Would you have liked it better if polyfill were closed source and were just as popular? Without a community board or forum to discuss these things openly? You think Microsoft's proprietary IE js interpreter was any more resilient compared to the same era Chrome interpreter because it was closed source? No, ofc not and even Microsoft knows that now. What a naive way of looking at the world.
@Dratchev241 3 ай бұрын
Opensource wins every time. yeah bad shit sometimes get put in opensource code but it also gets noticed generally quickly. closed source stuff like microcrap who the fuck knows that they are doing and it wouldn't shock me one bit if some windows exploits from 20 years ago nobody but a select few know about are still in current versions.
@fulconandroadcone9488 3 ай бұрын
not to mention you can make a fork add a fix and be ready to go before maintainer sees you opened an issue
@m4rt_ 3 ай бұрын
My website has 0 JS. Just some CSS, HTML, and a custom built build script written in a low level language to build the static pages. (I have split the header and footer of the pages into template files because I couldn't be bothered to copy them into all the pages, and I don't want to update every page when I want to update the header or footer. So I wrote a program to do it for me.)
@dealloc 3 ай бұрын
Very s@m4rt_
@TheOriginalBlueKirby 2 ай бұрын
Lol it's called templates but nice try
@bugdeveloper 3 ай бұрын
JS and nodeJS are already notorious for memory issues
@codewarren 3 ай бұрын
I think it's funny that says "googie analytics" because he doesn't notice that the lowercase L in "anaiytics" has also been replaced
@fulconandroadcone9488 3 ай бұрын
wee need spell check for all text regardless wheatear or not it is in a text box.
@transcendtient 3 ай бұрын
People really need to learn to self host their dependencies.
@drakeomar1290 2 ай бұрын
I just found your channel! I love it haha and this year has been crazy!
@seasong7655 3 ай бұрын
I find it pretty astonishing, that anyone can upload something to pip, cargo, npm etc but the majority of packages don't seem to contain malware.
@angrydachshund 3 ай бұрын
Yeah well that's changing fast, now that repositories are the hot new attack vector. For that reason Foss is dead, they just don't realize it yet.
@PanosPitsi 3 ай бұрын
@@angrydachshundsmartest windows user 💀
@Otakutaru 3 ай бұрын
I'm extremely interested in the contents of the pastebin. Will you post your results?
@LowLevel-TV 3 ай бұрын
So after looking at it some more, it just redirects the browser to another website. However, there are some other JS files that are loaded that are now missing. I'm working on finding those. Could still be memory exploitation.
@Otakutaru 3 ай бұрын
@@LowLevel-TV by now, the payload would pretty much be impossible to find, until someone who had access to it publishes a security risk report
@ltxr9973 3 ай бұрын
I remember arguing about this like a decade ago, suggesting that it's better to host your js libraries yourself but people weren't really taking that issue seriously. The CDN saves traffic after all. Always hated that as someone who likes to host his own stuff but for a long time it really did seem like an aesthetic choice of mine disguised as a security issue. Nowadays it can backfire quite heavily but now we have so much old code that loads js from CDNs. Sometimes you have some old web application and nobody knows how it works anymore. But you have to maintain them, improve security and ideally get rid of the CDN stuff entirely. Seen many websites that (partly) solved the problem by just setting a CSP in their reverse proxy to block it rather than actually changing the code.
@anatolydyatlov963 3 ай бұрын
The script you mentioned essentially redirects mobile users to a malicious website (I won't provide the URL here). Interestingly, the redirect can happen at different hours of the day, with varying probabilities, for example, there's a 10% chance the you'll be redirected between 0-2AM, and 20% chance between between 4 - 7AM
@imjens.k 3 ай бұрын
I digest versus I digress
@velo1337 3 ай бұрын
its like the CVE google chrome tries to fix since months. Google Chrome prior to 126.0.6478.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
@youngchopsnare234 3 ай бұрын
MonkaS
@LegendaryNeurotoxin 2 ай бұрын
My brother pointed me towards this. Freakin' wild. @LowLevelLearning do you believe this is the sort of issue where ICANN should be asked to step in and intervene regarding polyfill and googie-anaiytics out of public safety?
@gawwad4073 3 ай бұрын
Web exploits don't even need to get past the sandbox. Often you can do more damage on the site your code gets loaded on than on the machine of the user. For example getting your code to run on a crypto site.
@Juan-sb5bb 3 ай бұрын
this is a lot to pack up
@DavidElmakias-h1l 2 ай бұрын
is there an update? what should you do if you use any of the effected websites?
@OsX86H3AvY 2 ай бұрын
i was warning my boss just after xz about how insidious supply chain attacks are and how we have more or less ceded control to our vendors and the response is like well we wont be liable and im like no but thats not my point, my point is our clients PII could be exfiltrated and sold ransomed whtever!!!! like, the bar for security shouldnt be "i'm not the one to blame!"
@mcduffchannel 3 ай бұрын
Isnt this essentially 'poisoning the well'
@futuza 3 ай бұрын
Isn't this why we use Subresource Integrity for supply chain security? So that if someone updates the CDN repo, you'll notice and go "hey! that doesn't match the sha256 signature". Granted if the original host gets compromised and also updates the integrity key along with the repo then many people probably won't notice either and I mean at that point...what do you do, except intensely and thoroughly code review every change made to every repo resource you use? Cause ain't nobody got time for that.
@neoqwerty 3 ай бұрын
Isn't that integrity subresource thing why my jQuery cross-origin script load in my html code needs that integrity attribute for? To stop the JS file from loading on my site if things stop matching? FFS jQuery fixed that security problem of "what if an outside domain swaps its file for a malicious one?" ages ago, didn't it?
@futuza 3 ай бұрын
@@neoqwerty I'm not sure what jQuery might've done to fix that in the past, as I'm not super familiar with the library, but cross-origin script load integrity attribute is now a part of just regular html5/javascript standard so you don't need jQuery to use it. But yes, that's what the integrity attribute is for.
@creticman312 3 ай бұрын
Isn't there a way to verify the hash of the Javascript? I'm quite sure I've seen it on the documentation.
@noone_ishere696 2 ай бұрын
I find this stuff very interesting. Could I really get into low level cyber security without a degree?
@eyoutubere 3 ай бұрын
While the exploit descriptions says "googie" is called, was the "i" actually capitalized in the javascript so it displayed as "googIe". A capital "i" (I) looks the same as lowercase "l" in some fonts.
@Granola-ld1by 3 ай бұрын
greatest CTA I've heard yet, yes i do want to hang out thank you for the invitation
@authenticallysuperficial9874 3 ай бұрын
Er when do you use a cdn without the code hash?
@ThienNguyen-bg1kx 3 ай бұрын
Given JavaScript ability to monkey patch globals, can the hacker just monkey patch commonly used object such as fetch to steal away the credentials?
@miltonthecat2240 3 ай бұрын
Off topic, but as an outsider it seems to me that >95% of the JavaScript is not written to enhance my browsing experience, and some healthy percentage of that is just downright annoying. But I'm one of the seemingly very few people who is willing to pay a few cents to access Internet content, sans advertisement and any JavaScript, that took effort to create, if there were a way to do that "on-the-fly" without subscriptions, although I would subscribe to an Internet version of a reader's digest web site that parceled out my subscription fees to the creators who's content I accessed. If you calculate advertising revenue, you realize that you are, in effect, working for a tiny fraction of poverty level wages watching ads.
@stephenroy4144 3 ай бұрын
America is cooked when it comes to the cyber domain..
@jamesmorrison9893 3 ай бұрын
Great video as always thanks for sharing!
@LiamNajor 3 ай бұрын
So me making my stuff like a lunatic has some perks. I do it myself out of necessity, because all of my stuff is fully functiomal client side.
@neoqwerty 3 ай бұрын
Lunatic coding is great until you don't comment what something is for, name it after a joke, and you forget how that joke is related to what it does and then have to reverse engineer your madness when you decide to overhaul.
@Eichro 3 ай бұрын
Polyfills should still be useful, when you consider that even if you're using a modern browser, you might be using an older version of a browser (for example if you're stuck in an OS no longer supported). Another case is when you're trying to use bleeding edge features which are still in adoption phase by the vendors.
@neoqwerty 3 ай бұрын
Counterargument: If you're using experimental features, you should consider NOT doing that. If you still insist on using an experimental feature, then check the user-agent and provide an older fallback for it. Most competent web devs aim to make their site at least fully functional without javascript at all. JS is bells and whistles on top, or SHOULD BE. This is enshittification at work.
@fullstacklarry 2 ай бұрын
When he said the Chinese, I knew It was a wrap...
@multiwebinc 3 ай бұрын
Instead of trying to jailbreak the Javascript sandbox, this would much more likely be used to steal login credentials or credit card numbers.
@RandomGeometryDashStuff 3 ай бұрын
05:59 firefox uses spidermonkey
@RadioactiveBlueberry 3 ай бұрын
So basically V8 should now be written in Rust?
@BradleySmith1985 3 ай бұрын
One reason why I feel you should download the code package and add it to your own site rather than rely on an external URL. also review all code you add to your site.
@claverbarreto5588 2 ай бұрын
And remember mates, the death rate in any other Planet, other than Earth is 0%, and also there is NO JAVASCRIPT in those Planets, coincidence? Don't think so, mate.
@Thumper68 3 ай бұрын
Polyfill we use in car subwoofer enclosures😂
@pogo55555 3 ай бұрын
"But, I digest?" Instead of "digress". Uh... Is there some pun or joke or clever artifice I am missing here.
@Kane0123 3 ай бұрын
I believe it’s “but, I ingress”
@pogo55555 3 ай бұрын
@@Kane0123 But what does that mean? It’s supposed to be “I digress”.
@BobbyFlayCooking 3 ай бұрын
I believe it’s “but, I regress”
@knullndull 3 ай бұрын
but, I Pinterest
@Kane0123 3 ай бұрын
And when I’m done, egress..
@NaR00W 3 ай бұрын
"This sounds google translated from mandarin" -> "But I digest" xDDD
@HDConcussionz 3 ай бұрын
10:15 "But I digest" Yo dawg it's "but I digress" if no one ever told you haha.
@velo1337 3 ай бұрын
50 mil sweet, you not even gonna get the real estate required for a global cdn
@TechnicalHeavenSM 3 ай бұрын
Truly insane
@darknetworld 3 ай бұрын
Wow how could this happen easy for javascript and there should be patch for leaking. As well the site host.
@adarshsingh87 3 ай бұрын
This comment section hurts my brain. If you don't know how web works you don't need to comment lies.
@Aqrelon 3 ай бұрын
Ok, so the attack happened, now the question is what average Joe should do about it. From what I understand, basically anyone browsing internet in last 2-3 weeks could have compromised device and no one seems to talk about what average user should do
@k1m1 3 ай бұрын
Welcome in artisan world !
@Kiyuja 3 ай бұрын
dont know whether this translates to the JS interpreter, but I am very certain Mozilla swapped out a lot of stuff under the hood in favor of Rust on Firefox (makes sense, its their language). But maybe the interpreter is still affected idk.
@mechantl0up 3 ай бұрын
Firefox does not use the V8 engine but Mozilla’s own JS engine. It is a bit slower than V8 on cold paths, but OK performance wise if you write sensible JS. On a hot path, once the engine has compiled the executed JS to machine code for future runs, all JS engines are fast.
@nonamebutgame 2 ай бұрын
Firefox uses spider monkey not v8
@robsands6656 3 ай бұрын
Never understood why anyone uses cdn
@jerrygao1495 3 ай бұрын
why not using ipfs sha256 hash for loading script?
@daniels-mo9ol 3 ай бұрын
Every project that uses NPM is basically a security problem too. Like setup a basic project and you already have a billion dependencies nobody knows what they do.
@wemusthavechannelstocommen619 3 ай бұрын
using a web browser scripting language for anything else... using it for serverside programs ... using an especially retarded web browser scripting language for serverside programs......... ALSO, I just KNEW hosting a couple of small files instead of linking cdns was safer.
@Rudxain 3 ай бұрын
The worst thing is, this also happens outside of NPM too. `sudo apt install nodejs npm` on Debian pulls ~300 dependencies, most of which match "node-*"
@yufgyug3735 3 ай бұрын
makes me think of 'kik' npm debacle
@BeefIngot 3 ай бұрын
Seriously. React takes many minutes to download just because of all the random dependencies and their dependancies and their dependancies dependancies. Its dependancy diarrhea and I dont think anything has it as bad as JavaScript, and I think its just because of the batteries not included nature of node. You need to find little modules to do everything and this causes dependency hell for the simplest libraries.
@phoneywheeze 3 ай бұрын
@@BeefIngot that's why I prefer compilers like Svelte. No cdn or dependencies, just serving pure HTML/CSS/JS to the browser. Always wondered what would happen to react websites if meta's CDN is down
@edhelatar 3 ай бұрын
Web dev here. Although V8 hack is possible, I am almost certainly sure this code is actually intended to still user sessions, user input or any other security tokens etc. It's especially useful if you get admin session or credentials on things like wordpress, as from that you can hack the server and use it as a bot farm for DDOS or hoping that wp will give you access to other systems.
@LowLevel-TV 3 ай бұрын
ah interesting. thank you!
@namansharma6561 3 ай бұрын
LinusTechTips got hacked using these session exploits only
@tripplefives1402 3 ай бұрын
In many ways hijacking sessions is a more severe problem than RCE.
@dealloc 3 ай бұрын
And this is why you don't store session tokens in localStorage, or non-HttpOnly cookies, folks. Fortunately Wordpress sends session with HTTPOnly cookie, so they wouldn't be affected unless the user of that WP instance uses a plugin that happens to bypass this security feature.
@ankur-dhama 3 ай бұрын
JS hosted from some other domain (like a cdn) cannot read the HTTP only cookies of other domain page (which is including the cdn js) so stealing sessions is not possible in such a case. This malicious code can do other things like opening a popup or overlay and show a google login page etc to fool users into giving up their credentials.
@jonbikaku6133 3 ай бұрын
Firefox uses gecko not V8, its their own engine and one of the main reasons we need it alive. V8 is however, really optimized at this point.
@gljames24 3 ай бұрын
Also with Firefox Quantum added in, but we need Servo as a modular replacement to Gecko so it can actually compete with chromium/electron.
@Rudxain 3 ай бұрын
IIRC, Chromium uses Blink (Webkit based) as rendering engine, and V8 for JS. Firefox uses Gecko and Spider-Monkey respectively
@trenwar 3 ай бұрын
@@nonamenolastname8501 lmao yes google is their biggest funder
@Bvngee 3 ай бұрын
@@nonamenolastname8501 it actually literally is. Look for videos on the latest Mozilla finance report… google is (iirc) like over 2/3 of their funding rn - billions just to be the default search engine. Depressing but true
@stapuft 3 ай бұрын
Ff is still around, because its the best browser that exists. Its faster than ch4ome, uses less memory, is less vulnerable to exploits, et cetera.
@MrVecheater 3 ай бұрын
The web is the only place where it's generally accepted to run 100k lines of code* to render text Disclaimer: If you're reading this as a smart expert: I'm talking about application code. We have abstractions for a reason 🙂
@B0wser998 3 ай бұрын
This comment took 252k lines of code to render and it's still running in the background, doing post-rendering tasks. 👍
@chipmo 3 ай бұрын
You think it takes less than 100k loc to open your terminal app? This is a popular, lazy, incoherent take. It's not an issue with code size as much as it is with trust and sourcing.
@MrVecheater 3 ай бұрын
@@B0wser998 gotta need to emulate the CPU instructions in the background
@MrVecheater 3 ай бұрын
@@chipmo that's not application code. Let's not remove the browser, js and css engine from the equation if you really want to change topics PS: your browser adds a terminal on top
@lobotomy-victim 3 ай бұрын
text rendering is generally a very complicated task
@creysoft 3 ай бұрын
The code is pretty easily de-obfuscated. All it does is attempt to redirect you to other (probably malicious) websites. It has a few interesting features, like its own custom base64 decoder, its own implementation of RC4, and some code to check if you have an admin cookie set (probably so it won't redirect the developer.) But it's definitely not some kind of memory exploit.
@LowLevel-TV 3 ай бұрын
Yeah I realize that now. Another issue is those sites you’re redirect to could also be doing the memory exploity stuff. My bad on that
@someoneunknown6894 3 ай бұрын
@@LowLevel-TVwouldn't it be a waste of resources, even from a state-sponsored attacker, to burn a V8 0 day on some random people who used their cdn? I would imagine that if you had such an exploit you could do much more than just that
@afroninjadeluxe 3 ай бұрын
Didnt the XZ exploit contain base64 decoder and encryption implementations too?
@TheLordNemesis 3 ай бұрын
There are also attacks on browsers that don't need a vulnerability in the JS engine. One could for example: - mine crypto currency - attack other hosts (ddos) - collect user data (phishing) - record user interactions - crash or modify websites Which, considering how many applications are web based nowadays, is already really bad.
@test-rj2vl 3 ай бұрын
@@LowLevel-TV Releasing memory exploit to the public like that wouldn't make sense because as the time goes on the harder it gets to find new ones. More likely just going to direct users to some phishing site. Memory exploits are probably reserved for high value targets to avoid getting them patched.
@klausgrnbk6862 3 ай бұрын
If you are including scripts from a CDN, you should always use the integrity="sha..." attribute. The feature has been supported by browsers for around 5+ years, and protects you from supply chain attacks, as the browser will refuse to load the script if the checksum does not match.
@joloco72 3 ай бұрын
@@klausgrnbk6862 That wouldn't work with this Polyfill service, as it's not a static file. It sends back the polyfills that the browser requesting the URL needs. So for most modern browsers it will return nothing. For older browsers, it returns whatever polyfills that particular browser needs.
@hintswen3632 2 ай бұрын
@@klausgrnbk6862 thanks for this. I've never heard of this attribute before and will start using it in the future.
@brysonthor 2 ай бұрын
@@klausgrnbk6862 is there a perf hit with this?
@deshtechno 14 күн бұрын
And also CSP header that can be easily setup to refuse to connect to any googie-woogie domain names
@tubero911 3 ай бұрын
“But I digest” is such a great eggcorn.
@jjptech 3 ай бұрын
That is why the guy down in the comments farted
@davecgriffith 3 ай бұрын
TIL about eggcorns. Neat!
@chri-k 3 ай бұрын
lol.
@SnowDaemon 3 ай бұрын
@@davecgriffith TIL what TIL means. Neat!
@Kane0123 3 ай бұрын
Will he call himself Ed or LowLevelLearning… place your bets!
@unknownsofa 3 ай бұрын
Both! 0:55
@LowLevel-TV 3 ай бұрын
I'm gonna start messing with you guys... get ready. "hey ed this is lowlevel videos where I cyber about security!"
@ProtossOP 3 ай бұрын
@@LowLevel-TV you can start using random names each video if you really wanna mess with people, Bob.
@unknownsofa 3 ай бұрын
@@LowLevel-TV, Please do! That would be perfect!
@Kane0123 3 ай бұрын
@@ProtossOPthat a genius move… Lester
@supperEisMan 3 ай бұрын
Thats why you pack all the js your website depends on on your own host and never update ;)
@BeefIngot 3 ай бұрын
I feel like we need a better middle ground between that and this always update state where no one can possibly keep up with the changes in their dependencies.
@balala7567 3 ай бұрын
@@BeefIngot stable updates in the style of debian?
@kensmith5694 3 ай бұрын
Better yet don't use so much javascript and write all that you need. 99.999999% of what people do with JS didn't need to be done.
@dealloc 3 ай бұрын
@@BeefIngot Yeah, a form of "code splitting". I think the name suits my idea pretty well; it splits the code into individual chunks that can then be cached individually. You could even group different dependencies together, e.g. if those dependencies also have shared dependencies. Would be cool. But alas, I think it would be really hard for anyone to do and will likely not happen in the next 10 years.
@fulconandroadcone9488 3 ай бұрын
@@dealloc code splitting is very much a thing and not that hard to do, look up webpack chunks and React.Lazy, it comes out of the box
@dr.robertnick9599 3 ай бұрын
That "..., showcasing the true power of capital." line sounds like it comes from Senator Armstrong in Metal Gear Rising. "We are making the mother of all omlettes. Can't fret over every egg."
@ckorp666 3 ай бұрын
its such a heavy-handed bond villain line, wish we could get more honesty like that tbh
@thesenamesaretaken 3 ай бұрын
Strong "This isn't even my final form" vibes
@jm-alan 3 ай бұрын
And people are still confused as to why I "waste" so much time developing tools from scratch for my medical data company's web app
@Kawka1122 3 ай бұрын
I just got from work, made enormous shit and I feel good
@kaspisw 3 ай бұрын
Well done.
@tongpoo8985 3 ай бұрын
😎
@RusticKey 3 ай бұрын
Proud of you, son.
@PhilippBlum 3 ай бұрын
The reason why Chrome sets the standard is simple. Chrome has a monopoly.
@BeefIngot 3 ай бұрын
And they are really pushing the limits of this with manifest v3. Its the most clear example of why the conflict of interest with an ads and telemetry company dominating how the internet is browsed is bad for the world.
@PhilippBlum 3 ай бұрын
@@BeefIngot Ohh I never said that's a good thing or anything.
@BeefIngot 3 ай бұрын
@@PhilippBlum Oh no, I didnt think you were. I was just adding my own thoughts.
@pixelfairy 3 ай бұрын
Ironically the ability to simply disable js per site is what got me to switch to chrome before they nerfed malware blockers. Noscript is cumbersome.
@specy_ 3 ай бұрын
i mean, that's what happens when you offer a better engine than the competition
@amynagtegaal6941 3 ай бұрын
V8 is part of blink (Chromium's web engine) and a fork of JavaScript-core (which is safari's JavaScript engine) Firefox uses SpiderMonkey which is part of Gecko (Firefox's Web engine)
@AJenbo 3 ай бұрын
JavaScript-core is a fork of KJS which was part of the KDE desktop project.
@animezia 3 ай бұрын
everything is a fork of some other thing
@WindsorMason 3 ай бұрын
@@animezia and forks are part of forknife
@v.reagan 3 ай бұрын
forknife mentioned 🗣🗣🗣
@gg-gn3re 3 ай бұрын
@@AJenbo that is where the entirety of webkit originated, not just javascriptcore. KDE project birthed webkit and javascript core and then which blink came from. KDE are the heroes of the modern web world
@chipmo 3 ай бұрын
I feel a real level of vindication right now given how I went to lengths to avoid the practice of loading chunks of JS from third party domains that so many of my colleagues would happily partake in. Admittedly I don't feel great about NPM either.
@MrTweetyhack 2 ай бұрын
oh no. so now you're going to write everything yourself and not include other's js
@jsrodman 3 ай бұрын
I'll say that as an engineer (not a security researcher), I've always worried about supply chain vulnerabilities, partly because my peers clearly didn't give a crap about it. You don't even have to be security paranoid to be concerned. When every build is a roll of the dice for what gets included with "modern practices", you cannot even control for which external bugs you're shipping. But when you start to take practical steps to limit the exposure, vetting updates and locking versions, storing external dependencies locally in a verifiable way, etc, the powers at your company will always push back that this is non-essential work, and try to get you to focus on pushing out the latest feature tweak because some customer that will never even use that feature is trying to establish dominance over some sales rep.
@Juksemakeren 3 ай бұрын
why is there no space after the comma on your shirt?
@LowLevel-TV 3 ай бұрын
i hate grammer 😤
@mrrobotman5299 3 ай бұрын
He writes in C, whitespace doesn't matter
@TheKastellan 3 ай бұрын
I have to.... *grammar
@Kane0123 3 ай бұрын
It was removed at compile time.
@CupidGaming522 3 ай бұрын
I lowkey want like a 2 hour malware analysis video on that obfustaced pastebin code
@LagMasterSam 3 ай бұрын
Web development is such a shit show. This kind of stuff happens all the time because people assume cdns and random code are safe to use. It's so dumb.
@fulconandroadcone9488 3 ай бұрын
cdns are used so client can use same js file on multiple sites, less download means faster load time
@velorama-tkkn 3 ай бұрын
Even more than that, this questions client side code execution in general, sandbox or not. Which was always an insane proposition to begin with, let's be real. Everyone tells you to not open email attachments from random sources, but our browesrs JS sandbox gets bombarded by potential malicious code from random sources constantly.
@user-to7ds6sc3p 3 ай бұрын
What exaclty should be the alternative? Using a remote Desktop like protocol to transfer Video from the server and User input to the server? This will be way to expensive for hosters, use way more bandwith, cost more ressources for clients, require high bandwith, etc. We *need* client side code execution, there is currently no feasible way around it. A possibility could be a JS Engine thats writen in a memory safe Language. That would probably be Rust since speed is essential here. Mozilla does have a Rust implementation of spidermonkey but Firefox seems to use the c++ implementation.
@velorama-tkkn 3 ай бұрын
@@user-to7ds6sc3p if you absolutely need code execution client side, supply an application that the user needs to install explicitely and that doesn't sideload code from domains you don't control.
@Tantewillieja 3 ай бұрын
It's not only system takeover but also simple things like listening to all user input like user names and passwords
@SoloLegends 3 ай бұрын
Maybe someday people will finally figure out that trusting other sources to deliver their libraries to clients is a bad thing.. maybe.
@fulconandroadcone9488 3 ай бұрын
if user already has that filed downloaded it speeds up page load times, there is a very good reason why people do it this way
@SoloLegends 3 ай бұрын
@@fulconandroadcone9488 I know why people do it, but with the many issues this can raise. I don't see the value outweighing the downsides.
@bikeybikebike 3 ай бұрын
They should be using SRI. Some people say that wouldn’t work for polyfill, but in general that’s the way to make shared CDN usage safer.
@endlesslyabusedpowerended 3 ай бұрын
This is actually why I don't buy into the modern dev cycle of dependency management... yeah I'm a dinosaur... 1) don't use dependencies 2) if you do bake them and review them yourself and basically don't EVER update them. Sure it COULD be dangerously outdated; but it COULD be way safer too... You say dependency; I say attack vector...
@thejoe7682 3 ай бұрын
You mean std::vector
@sourandbitter3062 3 ай бұрын
I wish it was possible but I don't think you can build a medium or large website today without a framework, you need change detection.
@uhrguhrguhrg 3 ай бұрын
@@sourandbitter3062 there are plenty of relatively tiny frameworks with no dependencies, consider smth like preact (which is basically react, but tiny and with no deps)
@eltreum1 3 ай бұрын
@@sourandbitter3062 Thats BS. The problem is no one really wants to pay the technical debt of 100% rolling their own implementations and the dev market is flooded with coders who can't do anything without a framework and IDE IntelliSense helping them. Vulnerabilities and breaches have exploded with the reliance of FOSS.
@dealloc 3 ай бұрын
You say attack vector, I say business opportunity
@improvisedchaos8904 3 ай бұрын
I was up entirely too late last night redoing comments in code, turning them into ascii art. Now im running on 4hrs of sleep on a 12hr shift at a factory job, and my code looks like it belongs in an 80s videogame according to my wife.
@acters124 3 ай бұрын
having a wife who recognizes 80s videogames is hot
@Nelo390 3 ай бұрын
@@acters124fr, lucky man.
@trenwar 3 ай бұрын
@@acters124he won in life frfr
@MechMK1 3 ай бұрын
By the way, the usage of SRI would have prevented this entire situation. The website owners are to blame for not protecting end users.
@dealloc 3 ай бұрын
It can't though given that the entire point of the polyfill service was that it reads your UA and generates appropriate script by including only the necessary polyfills needed for that UA. Anytime that changes, you break the integrity.
@MechMK1 3 ай бұрын
@@dealloc Hmm...good point.
@p5eudo883 3 ай бұрын
And this is exactly why NoScript is worth the hassle.
@colonthree 3 ай бұрын
I started returning to 6502 Assembly recently, thanks to digging up the old book from 1983 in my storage. ;w;
@eljuano28 3 ай бұрын
It's an older code, but it checks out.
@alemd1714 3 ай бұрын
As soon as you said "Chinese" I already knew what's up
@Necessarius 3 ай бұрын
They keep saying that PHP is insecure, but in reality, it was due to inexperienced programmers, and obviously, there were flaws that got fixed. But in JavaScript, being so popular, the same thing starts to happen. Many new programmers and people who don't even know the basics make the system insecure. And if you add to that the belief that learning JS is just using the framework and it's secure by default... we're heading in the wrong direction.
@rusi6219 3 ай бұрын
All my homies enable noscript
@Bunny99s 3 ай бұрын
One of the reasons why I was never in favour of CDNs. I understand that larger sites can actually off load some amount of traffic that way, however just the fact that you integrate code from a third party that could change at any time without you noticing always was my biggest concern. Apart from the analytics they get. In the project's I worked in we most of the time put an actual copy on our machine. Versioning has to be handled by us the developers anyways. Often times you can not simply load the most recent version of a library because it may not be backwards compatible. So you usually load a specific older version anyways.
@bjorn1761 3 ай бұрын
@@Bunny99s back in around 2010/2011 when html5 really took of I beleive people used the CDN construct so that the client browser would retrieve the js library from cache more, and thus loading new websites/domains more quickly, as opposed to receiving it for every website/domein.
@dealloc 3 ай бұрын
@@bjorn1761 Yes, this was one of the main reasons CDNs took off and a huge benefit both for users and for sites. But unfortunately it also made it trivial to track users through the browser caching. Already by 2013, WebKit had already changed the caching strategy and removed resource-caching across sites and domains to prevent this. Chrome followed along in 2020 since v86 and Firefox v85 in 2021. Though, that doesn't mean CDNs are useless; CDNs still take a huge load off the server and more importantly, can host the content globally and deliver it closest to the end-user-there are always tradeoffs when it comes to choosing where and how to host content.
@fulconandroadcone9488 3 ай бұрын
@@bjorn1761 not just JS, CSS and icons too. with react this nocks, what, 300kb right on the start if user already visited page that pull react from cdn
@saricden 3 ай бұрын
@LowLevelLearning please read article I posted in my other comment. I think yarn is also an issue which is a BIG deal in web dev.
Low Level
Рет қаралды 783 М.
Street Race Solutions
Рет қаралды 2,7 МЛН
Low Level
Рет қаралды 877 М.