
Security Bits – 2024-07-07

Feedback & Followups

Deep Dive 1 — Learning from the PolyFill CDN Fiasco

tl;dr — if you create websites or web apps, be careful where you load your JavaScript libraries from: every third-party CDN you load a script from can change that script at any time, so you are implicitly entrusting the integrity of your whole site to it!

Summary of What Happened & The Immediate Fix

The best summary I have seen is the introduction to Qualys’ detailed report:

The polyfill.js is a popular open-source library that supports older browsers. Thousands of sites embed it using the cdn[.]polyfill[.]io domain. In February 2024, a Chinese company (Funnull) bought the domain and the GitHub account. The company has modified Polyfill.js so malicious code would be inserted into websites that embedded scripts from cdn.polyfill[.]io. Any script adopted from cdn.polyfill[.]io would immediately download malicious code from the Chinese company’s site. Some of the known outcomes are:

  • users would be redirected to scam sites,
  • an attacker could steal sensitive data,
  • potentially perform code execution.

Given that modern browsers do not require Polyfill, the original polyfill author recommends not to use Polyfill at all. All websites should remove any references to polyfill.io. Recommended alternatives are CDN, such as Cloudflare and Fastly.

As well as switching to trustworthy CDNs, Cloudflare also provide the option to have their service automatically replace all your polyfill.io links with their own mirror, as described on their blog (Automatically replacing polyfill.io links with Cloudflare’s mirror for a safer Internet — blog.cloudflare.com/…).

An interesting development is that security researchers now think this attack is just the latest in a series of smaller-scale ones by the same group, dating back to 2023. This simply appears to have been their most high-profile attack so far.

The Backstory

For a long time there were a lot of obsolete browsers still in regular use, so developers had a choice:

  1. Only use features that are backwards compatible to a level appropriate for their site/company/app
  2. Work around the incompatibilities by simulating the missing features with features that are backwards compatible

Developers hate being unable to use new tools they know work well, so a technique evolved to work around the missing features: ship a small piece of JavaScript that implements the missing feature using only the features older browsers already have. These pieces of code became known as polyfills. This is how Wikipedia describes it:

“In software development, a polyfill is code that implements a feature of the development environment that does not natively support the feature. Most often, it refers to JavaScript code that implements an HTML5 or CSS web standard, either an established standard (supported by some browsers) on older browsers, or a proposed standard (not supported by any browsers) on existing browsers. Polyfills are also used in PHP and Python.” — en.wikipedia.org/…

Lots of open source polyfills appeared for all sorts of things, one of which was the polyfill.js library (polyfill-library). This was a legitimate open source project, and the library could be included into your website/web app from well trusted CDNs like jsDelivr. The polyfill.io domain was a separate hosted service that served tailored bundles of that library; its domain was not owned by the library’s original author, and his involvement ended years before the domain changed hands. For many years this was a legitimate service.

Now, let’s get caught up to today. Browsers are in a much better place, so you just don’t need polyfills anymore. But lots and lots of very old websites are still online, and many of them still load polyfills. Some load them from legitimate CDNs, but many still point at polyfill.io. The problem is that there was no longer any legitimate need for polyfill.io, so in early 2024 the domain and the associated GitHub account were sold to a Chinese company (Funnull), and the new owners were not legitimate: the polyfill code served from the domain was modified to inject malicious code into the sites embedding it.

As noted above, it now appears that the same group is behind other recent CDN attacks; polyfill.io is simply the one that got the most attention.

The Lesson to be Learned

While this particular attack was nipped in the bud quickly and seems not to have done any major damage, it teaches us an important lesson.

Choose your CDN with Care!

In Programming By Stealth we make heavy use of CDNs for importing libraries like jQuery and Bootstrap, but I have always been careful to only recommend trustworthy CDNs. This story perfectly illustrates why, and it makes me regret not being more explicit about that on those PBS segments all those years ago!

Links

❗ Action Alerts

  • Plugins on WordPress.org backdoored in supply chain attack — www.bleepingcomputer.com/… (If you use any of these plugins, patch or remove them immediately!)
    • Social Warfare 4.4.6.4 to 4.4.7.1 (fixed in version 4.4.7.3)
    • Blaze Widget 2.2.5 to 2.5.2 (fixed in version 2.5.4)
    • Wrapper Link Element 1.0.2 to 1.0.3 (fixed in version 1.0.5)
    • Contact Form 7 Multi-Step Addon 1.0.4 to 1.0.5 (fixed in version 1.0.7)
    • Simply Show Hooks 1.2.1 to 1.2.2 (no fix available yet)
  • A critical remote code execution bug has been found in the OpenSSH server shipped by many Linux distributions — isc.sans.edu/…
    • Thankfully exploitation is not trivial: it takes hours of attempts on 32-bit systems, and has not been demonstrated on 64-bit systems
    • Not all distributions were affected, so many Linux servers don’t need the patch
    • If you have a Linux server, it’s worth making sure you’re fully patched!

Worthy Warnings

Notable News

Interesting Insights

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji — Meaning
  • 🎧 — A link to audio content, probably a podcast.
  • ❗ — A call to action.
  • (flag emoji) — The story is particularly relevant to people living in a specific country, or the organisation the story is about is affiliated with the government of a specific country.
  • 📊 — A link to graphical content, probably a chart, graph, or diagram.
  • 🧯 — A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
  • 💵 — A link to an article behind a paywall.
  • 📌 — A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
  • 🎩 — A tip of the hat to thank a member of the community for bringing the story to our attention.
