Working in one of the largest bank of Australia. I told my manager about this polyfill thing he was still not convinced after your tweet . Now sharing this video to him. Reason being i am having 2 yrs if experience while he is industry for last 15 yrs.

New idea for an ad blocker: Injecting Polyfill script tags into site

"Isn't NPM the same? There are a million who-knows-whats in my module directory. It took 30 minutes just to delete dependencies that depend on dependencies, a million times over.

15:45 the reason they didn't pin it to a specific hash is the most dangerous thing about pollyfill, it changes based on user agent. Each user may be served a different js file, so you can't pin the script to a specific hash. They give full control of what may be PAYMENT PAGES to a script that randomly changes BY DESIGN! Don't embed things like pollyfill, even if you don't have evidence of it being compromised.

Damn. I had no idea. Terrifying knowing how when repos like Polyfill are bought by different companies, they can do what they please with what they own, whether for the good or not. In most cases, the company that takes over has good intentions, but in the case of Polyfill, it's clear that this wasn't the case.

To be fair: even before Chrome, Firefox had already put significant pressure on Internet Explorer, Safari and Opera to embrace standards (although to be really fair, IE was the only real problem child). Chrome was just doing what Firefox already started but with the leverage of better UX and more marketshare. I am glad they killed the old web.

Using non-checksumable external libraries is a terrible idea? Who would have thought!

Moral of the story: self-host everything, don’t rely on anything external. Even for something as harmless and innocuous as a CDN like JSDelivr, there are implications. What if JSDelivr is down the day your site goes viral, to name one example?

I would expect the Cloudflare status page to be running outside of their CDN infrastructure to keep it available during outages so it isn't entirely surprising that they came up with an easy way to avoid the issue and forgot to apply it to that separate part of their systems. It should definitely be on a bunch of checklists now though so that nobody will forget about it for a while.

Its wild that they got the github repo too? Like idk that seems weird.

And this is why I never deploy production code that calls a third-party CDN. If you're doing that, you are trusting that third party to send you the script you're expecting every time someone loads the page. But they absolutely could send you literally whatever they want instead.

You passed over nintendo in that list, holy f u c k

I love how the thing says JSTOR is being affected by the polyfill hack and you're like "cool, let me go open that right now".

6:15 I love the TOS going "Oopsies, we may give you a virus, we cant know for sure!!,1!! Plz check urself for any viruses we may or may not have put on your website!!!111!,"

Many of such supply chain attacks are often avoided by using a specific, static version of an NPM dependency. But I guess, in this case, the theoretical use case for that "tool" didn't allow for that too much.

I was visiting few sites last month and i was being redirected to a betting site. I thought I clicked some ad 😮

It’s crucial that you use the integrity attribute with a hash of the JS code on all your external script tags to protect against attacks like this! You still need to verify the safety whenever you add or update any external dependencies, but at least this prevents malicious third parties from changing the code under you.

Where does Theo gets his shirts? They look terrific

SRI integrity hashes should be used when loading all external scripts.

6:20 are they suggesting developers to embed an antivirus on their website?

The way I snickered when you @'d hulu.... that is rich lol

so as a new new dev I'd been wondering for a while about the security of CDNs and cross-site linking which, back in the day was almost exclusively an attack method, that I keep being instructed to use. Is the benefit of not serving a 20kb css or js file yourself really worth it?

For the cloud flare status page, I'm assuming they can't serve that page using their caching/rewriting layer - if there's a problem with the core service and the status page is proxied by it, nobody would be able to view the status.

What? You mean just tossing in the cdn script isn't the best idea?!?!?!

Using polyfill and other libs like unpkg and jsdelivr has always been really distasteful to me. Literally bundling arbitrary code that can be swapped out during prod. Of course there are mitigations, but just bake in the libraries you need into your own application...

Malicious companies do the same thing with browser extensions. They give the original team a ridiculous amount of money to buy the extension, then sever malware through it.

well, this is the second attack of such scale on open source community from chinese and affiliated parties

I can't believe these huge sites are using dynamic content delivery like that. I know its a thing but for like an actual production site it seems insane to just be like "yeah go get whatever javascript comes from this link". Nuts not to pin a version and send it from your own server...

The only good thing about this is that it could have been much much worse and gone undetected for even longer.

I think a more secure method of using third-party scripts would be to first redirect them to a "center-point," which is essentially a file on your website that serves as an import for the scripts. You can then link that file to all of your pages instead of directly linking to the script. This way, if you notice any security breaches, you can simply remove or replace the single import file rather than spending a lot of time changing it on every page.

Scary stuff. I wonder if this is what took down Tesco online shopping recently.

CDNs are fine, as long as you use the integrity attribute in your tag (at least for now...)

I thought it was obvious to NOT load scripts from external sites for security reasons, guess I was wrong.

Never remote load a resources where you don't solely own the remote host. If you need to use a remote resource, download it, and upload it to your own CDN. You must, must, verify the libraries you use.

Crap like this is why I run the NoScript browser add-on and only selectively allow JS to run on my browsers.

I still have to leave before I get an aneurysm...

This is why the script tag has an integrity attribute if you are smart enough to know how to use it.

that’s why i host my own CDN.

I struggle watching content where the person is just reading lines from an article. It's like the most lazy form of content generation ever. This entire video could have been summed up in 60 seconds or less.

Whenever I run "npm install" my heart skips like 10 beats. You could pull malware at any given time and let's be honest it's almost impossible to know.

This is why I have made sure to not use any external/cloud resources. It is nuts.. to run code that you don't control.

Me watching this with Hulu paused on the side: 👁👄👁

Making websites work in IE7 is very important ... imagine the revenue and wisdom this demographic has to offer!

We should just copy the script and put it in our own repository.

cant imagine big framework just suddenly gone and those config dont work

This is why I don't use polyfill, this is why I block polyfill via no-script... But seriously, a lot of web developers need to learn IE9 does not exist anymore.

Simply put, once one adds a tag to a 3rd party , it has full control over that website Since Javascript can modify everything with DOM manipulation and by Overriding/Overloading Event Listeners One may use 3rd party scripts to speed up development, local copies of said script if possible. Then, later on, drop those dependencies one by one. If not, they will eventually turn into vulnerabilities that create security and service issues.

Don't name your project/library something that would be a valid web domain. Especially not if you don't even own said web domain.

If i throw the polyfill url into my adblocker I should be fine right? like if my client refuses to fetch it, then surely I am protected? Too bad Chrome Manifest V3 is going to kill this functionality

This is why I include scripts in my web app and run an integrity check on it, even if its locally loaded.

Chat GPT is using this Library. I tweeted at them please complain to to them too.

This is terrifying… I guess I know the first thing I’ll do at work today (check if we have it even if I think we don’t)

one of the reasons I import the libs i wanna use and bundle them. never sat right with me to use cdn for my sites functionality

this just feels like xz again. random thing everybody uses but nobody cares abt or pays attention to gets compromised, chaos ensues.

Could it be that Cloudflare Status was explicitly not using the Cloudflare-hosted library, so that it is still available during Cloudflare's downtime?

I always thought that using scripts from an external source was a bad idea. if you want to use the script, host it yourself. At least then you can scan the code and pin yourself to a specific version

This is really alarming….

That is why we need to do everything locally without linking to libraries, but those script kiddies never learned the lesson until something serious happened to them in personal level.

rule #0 of importing 3rd party libraries: download a snapshot and use your own distribution rather than the 3rd party link. sure, I still sometimes use jquery. but I downloaded the source that worked when I wrote it. breaking changes and security risks avoided

Shouldn’t browsers block polyfill domain at that print?

What is amazing is that this wasn't a sophisticated attack, and they didn't even try to stay hidden. Just imagine the possible damage if these attackers were competent and not basically SEO trolls. Still convinced that this is just a symptom of an issue affecting all of JS(and a lot of other programming languages as well): Small, useless libraries, and package/dependency managers. People don't even realize when they 100x the size of the trusted compute base.

Ive always thought running turing complete code in browser was a mistake. Can you imagine going back though? I gladly would, but it aint gonna happen. Itd be the death or upheaval of entire industries. In my mind, itd be worth it. I mean, we might lose social media, and a lot of addictive algorithms. Oh the humanity.

Couldn't you use something like a Pi-hole to block all traffic to the Polyfill website on your network to protect yourself? I think you could do this with the hostfile too, but you would need to do that on every device.

4:18 Oh no... how terrible.... Oh no. That one's probably a useful feature. "Academic research", my ass.

Thats why i allways self host this scripts

ad networks put js on your site that comes from whoever has paid enough for a designated consumer profile.

Can confirm they are still using polyfill

The ability of a website to load a script from anything it does not directly control was always going to get us into trouble. Just look at how many 3rd parties are accessed by a typical website. It's insane... and web developers and frameworks that encourage this model are at fault. Unfortunately fixing the problem is going to be very hard. Unscrupulous ad companies are even starting to force websites to add cname records so their scripts can "appear" to come from the first party! The only solution here is to make things much stricter: - Restrict script tags such that they must be served *from the same IP* as the primary page. No exceptions. No DNS bypasses. *SAME ORIGIN BY IP* or your script is blocked. - The HTML must embed a hash of the script it is going to load, and that hash must match or the script will be blocked. - If a website communicates with a 3rd party domain, each individual domain will be presented to the user in a list to be approved. Will this break a *ton* of sites? Yes. Do they deserve it? Absolutely yes. Is this proposal practical? Of course not, but anyone who is honest about the state of the internet will agree that what we're doing now can't continue.

This is a great example of why I block all JavaScript by default. I only enable what I actually use. This literally can't affect me.

But what does this do to the end user?

This is why you should never embed an external package, ever. Instead, if you need the script for what you are doing, host it yourself.

Same shit happened with Faker for PHP, if you generate in image, the domain changed owner.

The real question is who is the person that sold it to this Chinese company?

People that include resources from servers they don't own in their websites actually don't deserve better. No mercy! I the EU it's actually forbidden by law unless you explicitly mention that in a disclaimer AND the visitor of the website has actively opted-in because you also send the website's visitor's IP to that third-party server.

Wait, a dude created a service, and all of a sudden he's not the owner? I understand it was most likely a group effort, albeit that should be noted in the repo for such cases where a threat actor could obtain a github account and the domain. This just seems like a weird way to go about this.

I'm not seeing this get asked anywhere, so maybe my ignorance is showing. If the URLs where the scripts are being loaded from are the domain in question, and the polyfil project people say they never owned the domain nor were responsible for it's sale - How was it even being used to source files from? How would the A record -> IP address link work if they didn't have ownership of the domain in the first place? And if it were never owned by them, why use a domain they didn't own, in their scripts?

I've been saying this for years but nobody cares. This is the same with pretty much all popular programming languages. Unless every package is carefully vetted, which it isn't

Should've rewritten it in rust.... wait, the service is already written in rust. Doesn't that mean rust is insecure? /j

question, why are we not able to have checksum hashes on script tags?

Cloudflare's polyfill is unfortunately slow. Fastly's hosted version is a lot faster. And with Cloudflare's latest nightmare PR I'd probably steer clear of them.

Could this also affect React Native mobile apps, through dynamic code loading?

Privacy, anonimity are all just a facade. I'm pretty sure everything is compromised to some extent atleast

I always think about astro neovim downloading 200 dependencies from random repos at my machine 😅

Why those guy are doimg everything to violate the worlds privacy? I swear most of the times they are behind those

"Trustworthy alternatives" Lists two US companies. Yeahhh... I wouldn't call any company that can be court ordered to spy on me trustworthy.

Not to offend you but do you ever get comments that you look like Jerry Attricks from Scott the Woz in your thumbnails

One tag to rule them all

Sorry for offtop, but I can't find it anywhere - what operating system is Theo using here? I only found that he uses Windows 10, but it's a post from last year, and it doesn't really look alike win10 xd

okay, but heres a question.. you say these sites pointed to the cdn polyfill domain but if this domain DIDNT exist before, why did they add the domain to their page?

wait this was a month ago? are all of the sites still compromised?

its probably too late already and they got a bunch of info.

Morale of the story... If you actually care about open source, and the internet don't sell off your dead project to a chinese developer

just imagine if this ever happen to cURL 😅

It looks like they're mainly trying to get ad revenue.

Not a dev, is there a way to filter out from the html any that loads polyfill, before the page is read and rendered?

What about those third party sites as well fake google analytics name? and the free host paste pin for codes.... I feel sad...

You went to the network tab instead of just 'view source' ?

The original domain appears to be down?

no script + ytdl. will adding polifill to firewall help?

@0:21, That's rapid7.