malicious javascript injected into 100,000 websites
Summary
TLDR: The video discusses a supply chain attack known as 'Polyfill' or 'Poly Kill' that affected over 100,000 websites. It explains how polyfill.io, a service that patched modern JavaScript features into older browsers, came to serve a compromised copy of the library after the domain was acquired by a Chinese company. The injected code was obfuscated and reached out to a lookalike of Google Analytics; the speaker speculates that the payload it fetches could be a browser exploit that executes malicious code on users' computers, while noting that reverse engineering of it is still ongoing. The video raises concerns about the security of widely-used software components and the implications of relying on open-source and third-party code.
Takeaways
- 🔒 Supply chain security is often overlooked, yet vulnerabilities can have widespread impacts across the internet.
- 🌐 The 'polyfill' or 'poly kill' attack affected over 100,000 websites and is an ongoing issue.
- 🛠️ Polyfilling is a technique used to enable modern JavaScript features in older browsers, ensuring compatibility.
- 📚 CDNs or Content Delivery Networks are relied upon to host and serve code for websites, making them a potential point of exploitation.
- 🚫 A vulnerability in the polyfill library was posted on GitHub and suspiciously removed, raising concerns about its nature.
- 🏢 The polyfill.io domain was acquired by a Chinese company, which has been serving a compromised version of the polyfill library.
- 🤔 The compromised polyfill included obfuscated code that reached out to a lookalike domain, 'Googy analytics', spelled to resemble Google Analytics with i's in place of l's.
- 🛑 The speaker speculates that the JavaScript served via the lookalike domain could contain browser exploits designed to escape the V8 sandbox and execute code on the user's machine; at the time of the video this had not been confirmed by reverse engineering.
- 🔮 Browser exploits take advantage of memory corruption vulnerabilities in JavaScript engines like V8, which is written in C++, to escape the sandbox and gain code execution.
- 🗣️ There is ongoing speculation and investigation into the exact nature and purpose of the JavaScript code served by the compromised CDN.
- 📡 The acquisition of the polyfill.io domain and the subsequent serving of potentially malicious JavaScript raises questions about the security of open-source and third-party code dependencies.
Q & A
What is the primary focus of the video script?
-The primary focus of the video script is on supply chain security, specifically discussing a supply chain attack called polyfill or poly kill that affected over 100,000 websites.
Why is supply chain security often overlooked?
-Supply chain security is often overlooked because people tend to trust the origin of their software and run it without much scrutiny, not realizing that supply chain vulnerabilities can have widespread impacts.
What is polyfill, and why was it significant in older browsers?
-Polyfill is a library that injects modern JavaScript features into older browsers that lack them, so that every browser offers the same baseline of functionality. Since Chrome set the baseline for browser JavaScript support, polyfilling is rarely needed, but many websites still load the library.
How did the polyfill attack occur?
-The polyfill.io domain, which was never owned by the library's maintainer, was acquired by a Chinese company. The copy of the library served from that domain was modified to include obfuscated JavaScript, which then ran in the browser of every visitor to a site that included the library via a remote script tag.
What is V8, and why is it important in this context?
-V8 is an open-source, high-performance JavaScript and WebAssembly engine written in C++; it interprets and runs JavaScript in Chrome and Node.js. Because it is written in C++, it can contain memory corruption vulnerabilities, and an attacker who can run JavaScript in the browser can try to exploit them to escape the sandbox and gain control of the user's computer.
Why did the issue with polyfill raise suspicions when a vulnerability was reported?
-Suspicion arose because a reported vulnerability in the polyfill library was immediately deleted off GitHub, and the domain had been recently acquired by a Chinese company, which later served malicious code through the library.
What role do CDNs (Content Delivery Networks) play in this attack?
-Websites commonly pull JavaScript from CDNs via a remote script tag rather than hosting it themselves. polyfill.io acted as the CDN for the polyfill library, so once the served copy was modified, every site that included it distributed the malicious code to its own visitors.
What is Googy analytics, and how was it used in this attack?
-Googy analytics is a lookalike of Google Analytics; the name is spelled with i's in place of l's so that it passes a quick glance. The obfuscated code in the served polyfill loaded a ga.js from that lookalike domain, which in turn delivered a further heavily obfuscated script. The speaker suspects, but had not yet confirmed, that this script is intended to exploit browsers.
What does the obfuscated JavaScript code in the polyfill attack do?
-According to the speaker, the obfuscated JavaScript in the served polyfill loaded a further script from the lookalike domain. What that script does was still being reverse engineered at the time of the video; the speaker's speculation is that it attempts memory corruption in the JavaScript engine to gain code execution on the visitor's computer.
Why is the polyfill attack considered particularly dangerous?
-The polyfill attack is considered dangerous because a single malicious update to the CDN reaches every visitor of every website that loads the script, with nothing for the user to download or install; an attacker with a working browser exploit would have a mass exploitation campaign for free.
Outlines
🔒 Supply Chain Security and the Polyfill Attack
This paragraph discusses the critical yet often overlooked issue of supply chain security, focusing on a supply chain attack known as 'polyfill' or 'poly kill' that affected over 100,000 websites. The speaker, with over 10 years of experience in offensive security, introduces the topic by highlighting the widespread nature of supply chain vulnerabilities and their potential to impact the entire internet. The attack involved a library called 'polyfill', used to give older browsers modern JavaScript functionality. The library was served from the domain 'polyfill.io', which was later acquired by a Chinese company. After the acquisition, the copy served from that domain contained obfuscated code which, when loaded, reached out to a lookalike 'Googy analytics' domain instead of the legitimate Google Analytics, potentially serving as a vector for browser exploits. The speaker emphasizes the gravity of the situation and the need for greater awareness of supply chain security.
🕵️♂️ The Polyfill.io Incident: Browser Exploitation and CDN Issues
The second paragraph delves deeper into the technical aspects of the polyfill.io incident, explaining the role of JavaScript engines like V8 in browser security. The speaker explains that V8, an open-source JavaScript engine written in C++, can contain memory corruption vulnerabilities, which can be exploited through JavaScript to escape the sandbox and execute code on the user's machine. The paragraph describes how the polyfill.io domain, under new ownership, served a modified library from its CDN to the hundreds of thousands of websites that relied on it, and the speaker's suspicion, which he labels as speculation, that the additional script it loads is a browser exploit. The speaker also touches on the company's attempts to cover their tracks, including Cloudflare's statement that it never authorized polyfill.io to use its name and the company's defiant response on Twitter. This section underscores the complexity and severity of supply chain attacks in the context of web security.
🌐 The Future of Supply Chain Security and Open Source Integrity
The final paragraph wraps up the discussion by reflecting on the implications of the polyfill.io incident for supply chain security and the integrity of open-source software. The speaker expresses concern over the increasing frequency of attacks on widely used libraries and the potential consequences for software that relies on third-party code. Mentioning previous incidents like the SolarWinds attack and the XZ backdoor, the speaker raises questions about the future of trust in open-source projects and the responsibility of developers and users to ensure the security of the software supply chain. The paragraph concludes with a recommendation for those interested in learning more about browser exploitation and a call to action for viewers to engage with the content by liking, subscribing, and exploring related videos on the channel.
Keywords
💡Supply Chain Security
💡Polyfill
💡Vulnerability
💡CDN (Content Delivery Network)
💡Obfuscated Code
💡Browser Exploits
💡V8
💡Malicious CDN
💡Memory Corruption
💡Capture the Flag (CTF)
💡Sandbox
Highlights
Supply chain security is a critical yet often overlooked aspect of cybersecurity.
Supply chain vulnerabilities can affect the entire internet due to widespread software usage.
The 'polyfill' or 'poly kill' attack impacted over 100,000 websites and is still being addressed.
Polyfilling is a technique to enable modern JavaScript features in older browsers.
CDNs host and serve code, a common practice in web development.
A potential vulnerability in the polyfill library was posted and quickly removed from GitHub, raising suspicions.
The polyfill.io domain was acquired by a Chinese company, leading to concerns about the integrity of the served library.
The compromised polyfill library included obfuscated code that loaded a further script from a lookalike domain; the speaker suspects the script is a browser exploit but notes it has not yet been reverse engineered.
The lookalike domain, 'Googy analytics', was spelled to resemble Google Analytics with i's in place of l's and was reached only through the compromised CDN copy of the library.
Browser exploits can take advantage of JavaScript engine vulnerabilities to escape sandboxing and execute malicious code.
In the speaker's assessment, the polyfill.io incident has the shape of a mass exploitation campaign: a single update to the CDN reaches every visitor of every site that loads the script.
Cloudflare denied giving authorization to polyfill.io to use their name, indicating a potential misrepresentation.
The company behind polyfill.io has shown resistance to addressing the concerns raised by Cloudflare.
The speaker recommends following experts in browser exploitation for deeper insights into such security issues.
The video discusses the broader implications for supply chain security, including the SolarWinds and XZ backdoor incidents.
The speaker encourages viewers to explore the topic further and watch related videos for more information.
Transcripts
Supply chain security is an interesting topic of security research. The reason being, a lot of people don't pay a lot of attention to it: you kind of just trust where your software comes from and run it without a ton of issue. But the problem with this is that supply chain vulnerabilities are so widespread that when an attack happens, they typically affect the entire internet, like hundreds of thousands of places, because of how widespread the software that we all use is.

In this video we're talking about a supply chain attack that affected over 100,000 websites and is still actively being worked out right now. The attack is called polyfill, or now referred to as poly kill, and in this video we'll go into kind of the nature of what polyfill was, the way that supply chain attacks typically work out, how this supply chain attack in particular worked out, and how browser exploits happen. Now I've been in the offensive security, the security research community for over 10 years, and this is hands down one of the craziest exploits that I've seen.

Now if you're new here, hi, my name is Ed, this is Low Level Learning, a channel where I make videos about software security, cyber security and a bunch of other stuff. So if you like that or just want to hang out, hit that sub button, I really appreciate it.

Now all of the supply chain issue boils down to this library called polyfill, and it was hosted at one point on this website called polyfill.io. Now if you don't know what polyfilling is, I didn't until recently, I'm not a web guy: polyfilling is a way that back in the day we were able to use modern JavaScript on old browsers. Right, so there were browsers like IE7 and older versions of Firefox that really didn't have a lot of support for modern JavaScript features, and there is this library called polyfill that you're able to use to effectively inject the features into the browser so that the browsers were all at the same level. Now, as my buddy Theo indicated, I didn't realize this: when Chrome came about, Chrome kind of set the bar for the baseline JavaScript requirements for browsers, so polyfill is really no longer required, but a lot of websites still depend on it.

And like any website, typically when you write JavaScript you don't write the JavaScript yourself, you don't write all the code. You depend on these things called CDNs, or content delivery networks, and what they do is they host the code for you so you can just go pull them down when you go to the website. And even right now, when I go to MDN Web Docs, if I go to my Network tab and hit refresh, you'll probably see that I'm downloading a ton of other JavaScript files that are used to run this website. Right, so it's not entirely uncommon that this happens.

Now the issue is that recently, and by recently it was actually about a month ago, there is an issue where somebody posted a potential vulnerability in the polyfill library and it was immediately deleted off of GitHub. Very suspicious. So people are trying to figure out, okay, why was this deleted? It turns out that the polyfill.io domain, that was not originally owned or maintained by the polyfill library maintainer, was acquired by a Chinese company.

Now what they did is extremely interesting. So again, just like any other JavaScript website, what you'll do is, if you want to depend on the polyfill library, you will just literally put a remote script source link into your code to pull down this JavaScript. Right, so the compromised URL is this library here, and actually I think Namecheap, the owner of the polyfill.io domain, does not serve this IP address right now, so you'll see the CDN doesn't work. But so what happens is that you go and pull down this library and that code gets put into your browser and gives you the features of polyfill, which again is just meant to make sure that you and all the other browsers are on the same baseline of functionality so that all the JavaScript works well.

What's pretty insane is, again, a company bought this, no inherent issue with that, but when you go and check out, or checked out before they pulled this all down, the version of polyfill that this website was serving versus other CDNs like Cloudflare for example, a bunch of obfuscated code was put into the library. There were all of these obfuscated functions with random prototypes and variables that effectively would go out and reach out to, not Google analytics, Googy analytics, and they would pull down ga.js, which, if this were actually Google Analytics, it would look like the JavaScript page that a lot of sites depend on to do tracking of users when they're going to websites. You want to see how long the browse time was, what their clickthrough rate was on certain elements, all that stuff, all this can be done through Google Analytics. So if you look at this quick enough you're like, what? Those aren't L's, those are I's. So Googy analytics gets injected into the polyfill.io polyfill CDN.

So eventually what happens is they have all this obfuscated code. Someone did the work of kind of reverse engineering what this actually does: when polyfill.min.js gets put into your browser on certain devices, polyfill.io will load up Googy analytics ga.js. They've pulled down this piece of JavaScript, but what it actually ended up being was this pastebin here, which is another very heavily obfuscated piece of JavaScript code. Very interesting. So the question is, what does this piece of JavaScript code do? What is happening here? This is where I think a lot of speculation is still around. There hasn't been a ton of reverse engineering work. I'm actively working on taking this apart right now to figure out what it actually is, but I have a couple inclinations just on my experience in the security world and reading articles about browser exploitation.

Right, so the question kind of becomes, why is it bad if an arbitrary user runs JavaScript in your browser? Right, like, who cares? There's nothing inherently wrong with that, the idea being that the JavaScript engine, the V8 sandbox, is a sandbox. Now if you don't know what V8 is, V8 is the open-source high performance JavaScript and WebAssembly engine that is written in C++. So what are we actually getting at here? What this thing actually does is, if you've ever used JavaScript in the browser, there has to be somewhere that interprets the code and runs the JavaScript on the CPU. That is called your JavaScript engine. Right, so for example if I put var x = 0, whatever, all of this is being interpreted via an engine that is written in C++ which is known as V8. Right, and that's how the Chrome backend works. I'm pretty sure that Firefox uses V8, again I don't know the ins and outs of all the browsers, but I know that Node.js and Chrome do use V8.

Now again, this is written in C++, which means that it can have any number of memory corruption vulnerabilities that you will find in any other application. This is where the world of browser exploitation comes in, where you are able to, via JavaScript, write exploits that take advantage of known vulnerabilities or potentially zero days in V8's interpretation of C++ and use that to escape the V8 sandbox and get code execution on the remote host computer.

So wrapping this all up: polyfill.io, like I said before, is run on hundreds of thousands of websites. So what does this mean? This means that if you visit a website that is using polyfill and is depending on the polyfill.io CDN, or at least prior to the CDN being taken down, that you were going to the website, the Googy analytics JavaScript page, and then from there it was potentially serving you JavaScript that was being used to exploit your browser. Now again, we are pretty much in speculation mode right now, but what this looks like to me is a JavaScript exploit that has been obfuscated so that you can't reverse engineer it, that is doing some kind of memory corruption to gain execution in the browser. Right, kind of a crazy thing. And from a malicious actor perspective, why this is so advantageous is that they don't have to do any work. Like, provided that this exploit is written well and has enough functionality in it, what they can literally do is push a malicious update to their CDN, and then every user that goes to these websites and loads their version of JavaScript is served this exploit, and that JavaScript can be used to potentially escape the V8 VM, get code execution on your computer, and then from there they have a mass exploitation campaign. So, truly insane.

Now what are people saying on Twitter? What is the company that bought polyfill saying on Twitter? Well, well, well, well. The company that acquired this, again the polyfill.io domain, was not actually run by the person who maintained polyfill. Right, here's one of the reasons that I believe it is truly a malicious campaign and not like an oopsy daisy, like someone got hacked, you know what I mean? Like, it's very intentional, and the reason being the number of times that polyfill.io tried to cover their tracks.

So let's go through this. So, article here, BleepingComputer: Cloudflare: we never authorized polyfill.io to use our name. Now, so Cloudflare, if you don't know, is a huge cloud provider that does a bunch of stuff for a majority of the internet. You can host services there, you can have your domain names hosted there, you can do web application filters there, you can do load balancers there, a whole bunch of stuff. One of the things that Cloudflare is known for is it is a large content delivery network, which means that instead of going to polyfill.io to serve yourself polyfill.js, there's also a copy hosted on Cloudflare. So if you went to polyfill.io a couple days ago before this whole thing went down, you would see that there's a little lock sign, which means that it's secure obviously, and "Cloudflare security protection is enabled". And then you go and you look at this and you're seeing that polyfill.io is actually the URL and it's not the Cloudflare CDN. So either polyfill.io is a CNAME, you know, a name lookup on a DNS record, for a Cloudflare domain, or polyfill is trying to say that our code is backed by the Cloudflare CDN, they're a third party, so you can trust us cuz we're cool, right? And so what Cloudflare effectively says in this article is that Cloudflare never recommended to polyfill.io that they were allowed to use our name on their website; we asked them to remove the false statement and they have so far ignored our requests. And because Namecheap is now not serving the polyfill.io domain name you can't really confirm or deny this, but it's in the pictures.

And so even further, polyfill has doubled down on Twitter and said: "I have had enough of Cloudflare's repeated baseless and malicious defamation." I don't know man, first of all, not really baseless, this is like you actively gaslighting the entire internet. "Moving forward I'll be fully dedicated to developing a global CDN product that surpasses Cloudflare, showcasing the true power of capital." I don't know what the [bleep] that means. Again, that bought by a Chinese company, serving malicious JavaScript. This reads to me like somebody who wrote a very flowery paragraph in Mandarin and put it into Google Translate. But I digress. "I have already secured 50 million startup funding for the product." Okay, so effectively what he says, and note that he put this giant image in the tweet, polyfill.io is going to attempt to be their own CDN because they're mad at Cloudflare for telling them to stop hosting malicious JavaScript. Pretty crazy situation. And if you go to their account you can tell it's fairly new because they have like 40 followers. Again, like, if you want to follow them, I guess, fine, but no, this is likely a malicious CDN account, and literally all their posts are about them getting slandered on the internet for, I will repeat myself, posting malware on the internet. Yeah, so kind of a wild place to be in.

Now if any of this interests you, if you want to go learn about the world of browser exploitation, like how to find or write exploits that attack a browser, or just know how they actually work: reban 01, who is someone that I follow on Twitter, I recommend that you go follow them as well, posted a really, really cool write-up from a CTF, capture the flag, called "Exploiting V8 at openECSC". Basically there was a capture the flag challenge where they were supposed to exploit a Chrome CVE; one of them was in an implementation of Array.xor in JavaScript, and here's the code diff. And again, like I said before, the V8 engine is just C++ that you run that interprets JavaScript. Right, so this whole write-up is their adventure of finding out how to make Array.xor produce a memory corruption vulnerability and then using that to pop /bin/sh and get a shell on the computer that is running Chrome. So, really great write-up.

But yeah, supply chain security is completely crazy. It is a world that I'm really nervous that people are not thinking enough about. Between the SolarWinds attack, I think in 2020, where a security product got attacked, I think by the Russians, and then you have the XZ backdoor where this widely used compression library gets attacked, and now JavaScript CDNs are being purchased up by other countries and having code injected into them, it begs a really interesting question about the future of not only open source but just code that people use that they didn't write themselves. Right, so anyway, if you thought this video was interesting, do me a favor, hit that like button, hit subscribe, and then go check out this other video about the XZ backdoor, which was really cool. It's kind of the same thing, only it has to do with a much smaller but much more widely used library that almost had the same fate as this. We'll see you there.