javascript? NO THANKS. learn ASSEMBLY at lowlevel.academy (and get 20% off)

btw mozzila uses spider monkey not v8

Every project that uses NPM is basically a security problem too. Like setup a basic project and you already have a billion dependencies nobody knows what they do.

Web dev here. Although V8 hack is possible, I am almost certainly sure this code is actually intended to still user sessions, user input or any other security tokens etc. It's especially useful if you get admin session or credentials on things like wordpress, as from that you can hack the server and use it as a bot farm for DDOS or hoping that wp will give you access to other systems.

The web is the only place where it's generally accepted to run 100k lines of code* to render text Disclaimer: If you're reading this as a smart expert: I'm talking about application code. We have abstractions for a reason 🙂

If you are including scripts from a CDN, you should always use the integrity="sha..." attribute. The feature has been supported by browsers for around 5+ years, and protects you from supply chain attacks, as the browser will refuse to load the script if the checksum does not match.

The code is pretty easily de-obfuscated. All it does is attempt to redirect you to other (probably malicious) websites. It has a few interesting features, like its own custom base64 decoder, its own implementation of RC4, and some code to check if you have an admin cookie set (probably so it won't redirect the developer.) But it's definitely not some kind of memory exploit.

Firefox uses gecko not V8, its their own engine and one of the main reasons we need it alive. V8 is however, really optimized at this point.

when the child says googie : 🥰 when the hacker says googie : 💀

Lol, nope. Firefox don't use V8. Being the inventor of JavaScript, they use the engine they developed during Netscape's heyday. Mozilla has maintained it ever since. That is specific to Chromium-based browsers.

And people are still confused as to why I "waste" so much time developing tools from scratch for my medical data company's web app

Another reason why we don’t use 3rd party libraries or cdn’s. you can’t secure what you don’t control

I feel a real level of vindication right now given how I went to lengths to avoid the practice of loading chunks of JS from third party domains that so many of my colleagues would happily partake in. Admittedly I don't feel great about NPM either.

“But I digest” is such a great eggcorn.

I am 100% confident that this code is NOT trying to escape the V8 sand box and exploit C++ bugs. First, that is extremely difficult to do at this point. Second, you do not need a supply chain attack to do that, you could just host that code on your own domain. A more likely scenario is that the goal is to capture data or authentication tokens on a target site. That (1) is way easier to do and (2) requires a supply chain attack to do, as you generally cannot capture data across domains. I.e. JavaScript in your website cannot steal data the user enters on their bank's website.

That "..., showcasing the true power of capital." line sounds like it comes from Senator Armstrong in Metal Gear Rising. "We are making the mother of all omlettes. Can't fret over every egg."

While escaping the js runtime certainly is a possibility, especially if they're targetting old unpatched browsers, my mind with this sort of exploit immediately jumps to user data theft rather than RCE.

I'll say that as an engineer (not a security researcher), I've always worried about supply chain vulnerabilities, partly because my peers clearly didn't give a crap about it. You don't even have to be security paranoid to be concerned. When every build is a roll of the dice for what gets included with "modern practices", you cannot even control for which external bugs you're shipping. But when you start to take practical steps to limit the exposure, vetting updates and locking versions, storing external dependencies locally in a verifiable way, etc, the powers at your company will always push back that this is non-essential work, and try to get you to focus on pushing out the latest feature tweak because some customer that will never even use that feature is trying to establish dominance over some sales rep.

V8 is part of blink (Chromium's web engine) and a fork of JavaScript-core (which is safari's JavaScript engine) Firefox uses SpiderMonkey which is part of Gecko (Firefox's Web engine)

i totally agree with the guy who commented “i just farted”

Polyfilling, as it says on the MDN page on the screen, is the name given to backporting features by rewriting them in compatible older JS, it doesn't refer to some specific library.

10:15 Congrats to having a working digestive tract.

6:26: "in V8's interpretation of C++" should be "in V8's interpretation of Javascript"

Thats why you pack all the js your website depends on on your own host and never update ;)

It's not only system takeover but also simple things like listening to all user input like user names and passwords

This is why I always host all the JavaScript for my sites internally.

Will he call himself Ed or LowLevelLearning… place your bets!

Even if it's not an exploit to get out of the browser's sandbox. They would still have access to the website and all user data and their security tokens would get leaked to that company. And as even financial institutions used it, that's a big issue.

I just got from work, made enormous shit and I feel good

Even more than that, this questions client side code execution in general, sandbox or not. Which was always an insane proposition to begin with, let's be real. Everyone tells you to not open email attachments from random sources, but our browesrs JS sandbox gets bombarded by potential malicious code from random sources constantly.

Ed the only youtuber who wants you to stay not for the content, but to hang out. Our goat.

I lowkey want like a 2 hour malware analysis video on that obfustaced pastebin code

Watching half way through this it's already terrifying...

And remember mates, the death rate in any other Planet, other than Earth is 0%, and also there is NO JAVASCRIPT in those Planets, coincidence? Don't think so, mate.

The reason why Chrome sets the standard is simple. Chrome has a monopoly.

This is actually why I don't buy into the modern dev cycle of dependency management... yeah I'm a dinosaur... 1) don't use dependencies 2) if you do bake them and review them yourself and basically don't EVER update them. Sure it COULD be dangerously outdated; but it COULD be way safer too... You say dependency; I say attack vector...

By the way, the usage of SRI would have prevented this entire situation. The website owners are to blame for not protecting end users.

I was recommended this channel by the algorithm - it's incredible how well it got to know me in the last 17 years since my account is technically active.

I've used polyfill, but I never put an external library link like that, unless it's one of those google libraries that are dynamically versioned for either Analytics or Maps. My philosophy has been to bundle or re-host as much as we can, because we don't want the page to get stuck loading from a third-party server. So whatever polyfills I've used are from the official npm registry.

One of the reasons why I was never in favour of CDNs. I understand that larger sites can actually off load some amount of traffic that way, however just the fact that you integrate code from a third party that could change at any time without you noticing always was my biggest concern. Apart from the analytics they get. In the project's I worked in we most of the time put an actual copy on our machine. Versioning has to be handled by us the developers anyways. Often times you can not simply load the most recent version of a library because it may not be backwards compatible. So you usually load a specific older version anyways.

Maybe someday people will finally figure out that trusting other sources to deliver their libraries to clients is a bad thing.. maybe.

They keep saying that PHP is insecure, but in reality, it was due to inexperienced programmers, and obviously, there were flaws that got fixed. But in JavaScript, being so popular, the same thing starts to happen. Many new programmers and people who don't even know the basics make the system insecure. And if you add to that the belief that learning JS is just using the framework and it's secure by default... we're heading in the wrong direction.

Web development is such a shit show. This kind of stuff happens all the time because people assume cdns and random code are safe to use. It's so dumb.

why is there no space after the comma on your shirt?

12:04 what is there to say about open source? Whenever an open source project comes out to have malicious code injected it's always the same story: "oh I really wonder if open source was a good idea, just saying you know. I wonder what this means for the future of open source". The only reason we found out about this and many previous vulnerabilities and the word got spread is because of open source and open source platforms like github. Would you have liked it better if polyfill were closed source and were just as popular? Without a community board or forum to discuss these things openly? You think Microsoft's proprietary IE js interpreter was any more resilient compared to the same era Chrome interpreter because it was closed source? No, ofc not and even Microsoft knows that now. What a naive way of looking at the world.

Nobody could have guessed that automatically using other people's code on your site could be dangerous 😂

a V8 sandbox escape is a huge thing even without any compromised CDN. A malicious CDN could steal credentials and it's basically a limited botnet.

Polyfill is still a thing, but it’s usually compiled with the code rather than a link to another website.

That is one of the reasons Javascript was critisized since it existed. Besides the bloat it creats on websites.

In software companies I have worked we always download all dependencies and ship them with our software and one of the reasons is that if it gets changed or removed then we would would still continue delivering original dependency with no interruptions.

I was up entirely too late last night redoing comments in code, turning them into ascii art. Now im running on 4hrs of sleep on a 12hr shift at a factory job, and my code looks like it belongs in an 80s videogame according to my wife.

Time to start downloading libraries instead of using CDNs

At least it should shine a spotlight on the integrity attribute everyone should be using.

I just found your channel! I love it haha and this year has been crazy!

I very much doubt such a massive supply chain exploit will also include a browser memory exploit. Browser memory exploits are to hack into your computer from the browser, but these can be served from any malicious site. With this supply chain exploit, or allows the JS code to become part of the website, so it can also read whatever is on the site: username and password fields upon login, user profiles, private content, contacts,... There's just no need to include a costly browser hack into this to do damage.

Awesome analysis! Thanks for sharing.

Just something to add polyfills are not only used to work with old browsers. Pretty often when a new api will be released in the future (like new date library in javascript) there will be a polyfill for this to use and try it out in a browser which does not have the functionality for it as its not released yet.

11:04 ooo, Rebane. That's a name I recognize. Not from normal development stuff, but from Minecraft. They are a 2b2t player.

And this is exactly why NoScript is worth the hassle.

I just remember my fronted classes and the automated “warnings & vulnerabilities check” tool always panicking about some obscure dependency which our very nice and professional teacher told us we could ignore for the purposes of all school exercises.

As soon as you said "Chinese" I already knew what's up

This is why Subresource Integrity checking is a thing.

I get more and moure contious on the dependencies my projects use. And really welcome libraries that have no runtime dependencies. As that stops the infite grpah traversal.

Regardless of browser engine exploitation, malicious actors can use this to steal credentials entered on the web page, exfil cookies for use in a plethora of attacks like CSRF, and a number of other activities. I haven’t analyzed it myself yet, but this is pretty serious nonetheless.

been waiting for this

@LowLevelLearning please read article I posted in my other comment. I think yarn is also an issue which is a BIG deal in web dev.

This is why I use NoScript and only allow scripts from domains that I need for websites to work. Of course this doesn't fully prevent an attack however it does limit the attack surface and it also would prevent a connection that fake GA domain in the event that I loaded the modified JS file. I've been using NoScript for over a decade and strongly recommend it.

greatest CTA I've heard yet, yes i do want to hang out thank you for the invitation

I started returning to 6502 Assembly recently, thanks to digging up the old book from 1983 in my storage. ;w;

You right. I pay attention to it though. Supply chain attacks are devastating. This one particularly is of great interest.

this is why you use "integrity" to specify the checksum of a remote script loaded from a cdn

In the beginning we just wrote our own code for everything. There was no internet, no downloading, no using other people's code. And when your code worked, it stayed working, no updates that were indistinguishable from remote hacking.

So this only affects websites that use polyfill via cdn? Most webapps should use it as a node-module, which makes it safe?

The script you mentioned essentially redirects mobile users to a malicious website (I won't provide the URL here). Interestingly, the redirect can happen at different hours of the day, with varying probabilities, for example, there's a 10% chance the you'll be redirected between 0-2AM, and 20% chance between between 4 - 7AM

My website has 0 JS. Just some CSS, HTML, and a custom built build script written in a low level language to build the static pages. (I have split the header and footer of the pages into template files because I couldn't be bothered to copy them into all the pages, and I don't want to update every page when I want to update the header or footer. So I wrote a program to do it for me.)

I find it pretty astonishing, that anyone can upload something to pip, cargo, npm etc but the majority of packages don't seem to contain malware.

I remember arguing about this like a decade ago, suggesting that it's better to host your js libraries yourself but people weren't really taking that issue seriously. The CDN saves traffic after all. Always hated that as someone who likes to host his own stuff but for a long time it really did seem like an aesthetic choice of mine disguised as a security issue. Nowadays it can backfire quite heavily but now we have so much old code that loads js from CDNs. Sometimes you have some old web application and nobody knows how it works anymore. But you have to maintain them, improve security and ideally get rid of the CDN stuff entirely. Seen many websites that (partly) solved the problem by just setting a CSP in their reverse proxy to block it rather than actually changing the code.

There is one simple truth we must all recognize -- you cannot trust the security of anything you don't host (and didn't create) yourself. You can control what you host yourself. Everything else is risk management.

JS and nodeJS are already notorious for memory issues

I think it's funny that says "googie analytics" because he doesn't notice that the lowercase L in "anaiytics" has also been replaced

now im confident that i was never paranoid about polyfil but just beign realistic

Even in the audio world: "Code they use that they didn't write themselves." Approximately 80-90% of all plugin software is based on JUCE framework, which is by Tracktion Software. It is rare to come across plugins built totally in-house. Well, not rare, but the odds of any random plugin you choose, to be in-house, is low.

When I started my coding career(JS), I had this idea where I would be writing all of the code myself, because I had bad experience with dependencies from other parts of my life. Then I met CDN, libraries and frameworks and I changed my mind. I completely gave up on my idea when I saw node modules folder. This video makes my original idea more attractive. I guess the line has to be drawn somewhere.

There seems to be a lot of people saying "don't use JavaScript" in KZbin comments 🤨

CEO's in the near future: It's not our fault, our AI workforce chose the malicious CDN.

Absolutely insane. Companies are pretty cavalier about cybersecurity in their products. Bad sign.

maybe a why/reasoning about the weird googie 'typo' would have helped. if you replace the lowercase i with its uppercase counterpart in an url it looks just like an el not raising suspicion. urls are case insensitive, at least the hostnames are, not the path neceserlily

Great video as always thanks for sharing!

0:11 open source is not a supply chain, as open source devs are not payed by the corporation who abuse their work. It's more like a racoon scraping trash cans to find food

Just FYI, Firefox doesn't use V8 as its JS engine, it uses SpiderMonkey. Spidermonkey compiles JS to an intermediary language which is interpreted, whereas V8 compiles JS directly to machine code.

Do script, link or href tags have some kind of checksum attribute ? If yes, does it help preventing this kind of attack ?

Javascript + data collection causes a vulnerability, and water is wet

People really need to learn to self host their dependencies.

Can web browsers just have a collection of JavaScript libraries by default? I know there are extensions like LocalCDN and Decentaleyes, but it's a bit silly and redundant to have like 5 copies of a javascript library (with the chance of a library being poisoned) because different websites chose different CDNs.

The seller who sold out to the company in China should *NOT* be given a free pass.

Note that you do not need shell code execution to do a lot of harm with this injection. The code injected can take arbitrary actions on the website it was injected in as the user of that website, steal cookies, etc. if that’s all this exploit was aimed at, then that’s already scary enough.

Just in case anyone needed yet another reason for ad-blockers.

The correct way to write software: Vet every library you use and host it yourself. Anything else is an automatic red flag.

There is no supply chain in Open Source software. The idea of a "supply chain" implies a contractual relationship between supplier and user, and there is none.

Sansec has already analyzed some sample and it doesn't look like a 0day, just heavily obfuscated code with protections