malicious javascript injected into 100,000 websites

00:00

supply chain security is an interesting

00:02

topic of security research the reason

00:04

being a lot of people don't pay a lot of

00:05

attention to it you kind of just trust

00:07

where your software comes from and run

00:09

it without a ton of issue but the

00:11

problem with this is that supply chain

00:12

vulnerabilities are so widespread that

00:15

when an attack happens they typically

00:17

affect the entire internet like hundreds

00:19

of thousands of places because of how

00:21

widespread the software that we all use

00:24

is in this video we're talking about a

00:25

supply chain attack that affected over

00:28

100,000 weap sites and is still actively

00:31

being worked out right now the attack is

00:33

called polyfill or now referred to as

00:35

poly kill and in this video we'll go

00:37

into kind of the nature of what polyfill

00:39

was the way that supply chain attacks

00:41

typically work out how this supply chain

00:43

attack in particular worked out and how

00:45

browser exploits happen now I've been in

00:47

the offensive security the security

00:49

research Community for over 10 years and

00:51

this is hands down one of the craziest

00:54

exploits that I've seen now if you're

00:55

new here hi my name is Ed this is Ol

00:57

learning a channel where I make videos

00:59

about software security cyber security

01:01

and a bunch of other stuff so if you

01:02

like that or just want to hang out hit

01:03

that sub button I really appreciate it

01:05

now all of the supply chain issue boils

01:07

down to this Library called polyfill and

01:10

it was hosted at one point on this

01:11

website called polyfill.io now if you

01:14

don't know what poly filling is I didn't

01:15

until recently I'm not a web guy poly

01:17

filling is a way that back in the day we

01:20

were able to use modern JavaScript on

01:23

Old browsers right so there were

01:25

browsers like ie7 and older versions of

01:28

Firefox that really didn't have like a

01:30

lot of support for modern JavaScript

01:32

features and there is this Library

01:34

called polyfill that you're able to use

01:36

to effectively inject the features into

01:38

the browser so that the browsers were

01:40

all at the same level now as my buddy

01:42

Theo indicated I didn't realize this

01:44

when Chrome came about Chrome kind of

01:45

set the bar for the Baseline JavaScript

01:48

requirements uh for browser so polyfill

01:50

is really no longer required but a lot

01:52

of websites still depend on it and like

01:54

any website typically when you write

01:56

JavaScript you don't write the

01:58

JavaScript yourself you don't write all

02:00

the code you depend on these things

02:01

called cdns or content delivery networks

02:03

and what they do is they host the code

02:05

for you so you can just go pull them

02:06

down when you go to the website and even

02:08

right now when I go to mdn web docs if I

02:11

go to my network Tab and hit refresh

02:12

you'll probably see that I'm downloading

02:14

a ton of other JavaScript files that are

02:17

used to run this website right so it's

02:19

not entirely uncommon that this happens

02:21

now the issue is that recently and but

02:24

recently it was actually about a month

02:25

ago there is an issue where somebody

02:27

posted a potential vulnerability in the

02:30

poil library and it was immediately

02:33

deleted off of GitHub very suspicious so

02:35

people are trying to figure out okay why

02:37

was this deleted it turns out that the

02:41

polyfill.io domain that was not

02:43

originally owned or maintained by the

02:46

Pol library maintainer was acquired by a

02:49

Chinese company now what they did is

02:52

extremely interesting so again just like

02:55

any other JavaScript website what you'll

02:56

do is if you want to depend on the poly

02:59

full Library you will just literally put

03:01

a remote script Source link into your

03:03

code to pull out this JavaScript right

03:05

so the compromise URL is this Library

03:07

here and actually I think name sheep the

03:08

owner of the polyfill.io domain does not

03:11

serve this IP address right now so

03:13

you'll see the CDN doesn't work but so

03:15

what happens is that you go and pull

03:16

down this library and that code gets put

03:18

into your browser and gives you the

03:20

features of polyfill which again is just

03:21

meant to make sure that you and all the

03:23

other browsers are on the same Baseline

03:25

of functionality so that all in

03:26

JavaScript works well what's pretty

03:28

insane is again company bought this no

03:31

inherent issue with that but when you go

03:34

and check out or checked out before they

03:36

pulled this all down the version of

03:38

polyfill that this website was serving

03:40

versus other CDN like cloudflare for

03:42

example a bunch of OB fiscated code was

03:46

put into the library there were all of

03:48

these obfuscated functions with random

03:51

prototypes and and variables that

03:53

effectively would go out and reach out

03:55

to not Google analytics Googy analytics

03:58

and they would pull down G a .js which

04:01

if this were actually Google analytics

04:03

it would look like the JavaScript page

04:04

that a lot of sites depend on to do

04:06

tracking of users when they're going to

04:08

websites you want to see how long the

04:09

browse time was what their clickthrough

04:10

rate was on certain elements all that

04:12

stuff all this can be done through

04:13

Google analytics so if you look at this

04:15

quick enough you're like what those

04:16

aren't L's those are I's so Googy

04:18

analytics gets injected into the

04:20

polyfill.io polyfill CDN So eventually

04:24

what happens is they have all this obis

04:26

skated code someone did the work of kind

04:27

of reverse engineering what this

04:28

actually does when poly. min.js gets put

04:31

into your browser on certain devices

04:33

polyfill.io will load up Googy analytics

04:36

ga.js they've pulled down this piece of

04:39

JavaScript but what it actually ended up

04:41

being was this paste bin here which is a

04:43

very another heavily OB fiscated piece

04:46

of JavaScript code very interesting so

04:49

the question is what does this piece of

04:51

JavaScript code do what is happening

04:53

here this is where I think a lot of

04:55

speculation is still around there hasn't

04:57

been a ton of reverse engineering work

04:58

I'm actively working on taking this

05:00

apart right now to figure out what it

05:01

actually is but I have a couple

05:03

inclinations just on my experience in

05:05

the security world and reading articles

05:07

about browser exploitation right so the

05:10

question kind of becomes why is it bad

05:13

if an arbitrary user runs JavaScript in

05:17

your browser right like who cares

05:18

there's nothing inherently wrong with

05:20

that the idea being that the JavaScript

05:22

engine the the V8 sandbox is a Sandbox

05:25

now if you don't know what V8 is V8 is

05:27

the open-source high performance JV

05:29

JavaScript and web assembly engine that

05:31

is written C++ so what what are we

05:33

actually getting at here what this thing

05:34

actually does is if you've ever like

05:36

used JavaScript right in the browser

05:38

there has to be somewhere that

05:40

interprets the code and runs the

05:42

JavaScript on the CPU that is called

05:44

your JavaScript engine right so for

05:46

example if I put ver x equals 0 whatever

05:49

all of this is being interpreted via an

05:52

engine that is written in C++ which is

05:54

known as V8 right and that's how the

05:56

Chrome backend works I'm pretty sure

05:58

that Firefox uses V8 again I don't know

06:00

the ins and outs of all the browsers but

06:01

I know that no. JS and chrome do use V8

06:04

now again this is written in C++ which

06:06

means that it can have any number of

06:09

memory corruption vulnerabilities that

06:11

you will find in any other application

06:14

this is where the world of browser

06:16

exploitation comes in where you are able

06:18

to Via JavaScript write exploits that

06:22

take advantage of known vulnerabilities

06:24

or potentially zero days in v8's

06:26

interpretation of C++ and use that to

06:29

escape the V8 sandbox and get code

06:32

execution on the remote host computer so

06:34

wrapping this all up polyfill.io like I

06:36

said before is ran on hundreds of

06:39

thousands of websites so what does this

06:41

mean this means that if you visit a

06:43

website that is using polyfill and is

06:45

depending on the polyfill.io CDN or at

06:48

least PRI prior to the CDN being taken

06:50

down that you were going to the website

06:53

the Google the Googy analytics

06:54

JavaScript page and then from there was

06:56

potentially serving you JavaScript that

06:59

was being used to exploit your browser

07:01

now again we are in pretty much in

07:02

speculation mode right now but what this

07:04

looks like to me is a JavaScript exploit

07:07

that has been OB fiscated so that you

07:08

can't reverse engineer it that is doing

07:10

some kind of memory corruption to gain

07:12

execution in the browser right kind of a

07:14

crazy thing and from a malicious actor

07:16

perspective while this is so

07:17

advantageous is that they don't have to

07:18

do any work like provided that this

07:20

exploit is written well and has enough

07:22

functionality in it what they can

07:23

literally do is push a malicious update

07:25

to their CDN and then every user that

07:28

goes to these websites and loads their

07:30

version of JavaScript is served this

07:33

exploit and is used and that JavaScript

07:35

can be used to potentially escape the

07:37

v8m get code execution on your computer

07:39

and then from there they have a mass

07:41

exploitation campaign so truly insane

07:43

now what are people saying on Twitter

07:45

what are people saying what is what is

07:46

the the the company that bought polyfill

07:49

saying on Twitter well well well well

07:52

the company that acquired this again the

07:55

polyfill.io domain was not actually ran

07:58

by the person who maintained polyfill

08:00

right here's one of the reasons that I

08:01

believe it is truly a malicious campaign

08:04

and not like a Oopsy Daisy like someone

08:07

got hacked you know what I mean like

08:08

it's it's very intentional and the

08:09

reason being the number of times that

08:11

polyfill IO tried to cover their tracks

08:14

so let's go through this so article here

08:16

bleeping computer cloudflare we never

08:18

authorized polyfill.io to use our name

08:20

now so cloudflare if you don't know is a

08:23

huge cloud provider that does a bunch of

08:25

stuff for a majority of the internet you

08:27

can host Services there you can have

08:28

your domain names hosted there you can

08:30

do web application filters there you can

08:32

do load balancers there a whole bunch of

08:33

stuff one of the things that cloud flare

08:35

is known for is it is a large content

08:37

delivery Network which means that

08:39

instead of going to polyfill.io to Serve

08:42

Yourself poly. JS there's also a copy

08:44

hosted on cloudflare so if you went to

08:47

the polyfill IO a couple days ago before

08:49

this whole thing went down you would see

08:51

that there's a little lock sign which

08:53

means that it's secure obviously and

08:55

cloudflare security protection is

08:57

enabled and then you go and you look at

08:59

this and you're seeing that polyfill.io

09:00

is actually the URL and it's not the

09:03

cloudflare CDN so either polyfill.io is

09:07

a cname you know a name lookup on a DNS

09:09

record for a cloudflare domain or poell

09:13

is trying to say that our code is backed

09:16

by the cloudflare CDN they're a third

09:18

party so you can trust us cuz we're cool

09:20

right and so what cloud flare

09:21

effectively says in this article is that

09:23

cloudflare never recommended to

09:26

polyfill.io that they were allowed to

09:27

use our name on their website we asked

09:30

them to remove the false statement and

09:31

they have so far ignored our requests

09:33

and because Nam sheep is now not serving

09:35

the polyfill.io domain name you can't

09:38

really confirm or deny this but it's

09:40

it's in the pictures and so even further

09:42

poil has doubled down on Twitter and

09:45

said I have had enough of cloud Flair's

09:48

repeated baseless and malicious

09:50

definition I don't know man first of all

09:52

not really baseless this is like you

09:53

actively gaslighting the entire internet

09:55

moving forward I be fully dedicated to

09:57

developing a global CDM product that

10:00

surpasses Cloud flare showcasing the

10:02

true power of capital I don't know what

10:04

the that means again that bought by

10:06

a Chinese company serving malicious

10:07

JavaScript this reads to me like

10:10

somebody who wrote a very flowery

10:11

paragraph in Mandarin and put it into

10:14

Google translate but I digest I have

10:16

already secured 50 million startup

10:18

funding the product okay so effectively

10:19

what he says and note that he put this

10:21

giant image in the Twitter polyfill.io

10:22

is going to attempt to be their own CDN

10:25

because they're mad at Cloud flare for

10:26

telling them to stop hosting malicious

10:28

JavaScript uh pretty crazy situation and

10:31

if you can go to their account you can

10:32

tell it's fairly new because they have

10:33

like 40 followers again like if you want

10:35

to follow them I guess fine but no this

10:37

is likely a malicious CDN account uh and

10:40

literally all their posts are about them

10:42

getting slander on the internet for I

10:44

will repeat myself posting malware on

10:46

the internet yeah so kind of a wild

10:48

place to be in now if any of this

10:50

interests you if you want to go learn

10:52

about the world of browser exploitation

10:54

like how to find or write exploits that

10:56

attack a browser just know how they

10:57

actually work reban 01 who is someone

11:00

that I follow on Twitter I recommend

11:01

that you go follow them as well uh

11:03

posted a really really cool write up

11:04

from a CTF capture the flag called

11:06

exploiting V8 at open ecsc basically

11:09

there was a capture the flag challenge

11:11

that they were supposed to exploit a

11:13

chrome CBE one of them was in an

11:15

implementation of array. exor in

11:17

JavaScript and here's the code diff and

11:19

again like I said before the V8 engine

11:21

is just C++ that you run that interprets

11:24

JavaScript right so this whole write up

11:26

is their adventure of finding out how to

11:29

AR ray. xor produce a memory corruption

11:31

vulnerability and then using that to pop

11:33

bsh and get a shell on the computer that

11:35

is running Chrome so really great right

11:37

up but yeah supply chain security is

11:39

completely crazy it is a world that I'm

11:42

really nervous that people are not

11:43

thinking enough about between the solar

11:45

winds attack I think in 2020 where a

11:47

security product got attacked I think by

11:49

the Russians and then you have the XZ

11:51

back door where this this widely used uh

11:54

compression Library gets attacked and

11:56

now JavaScript cdns are being purchased

11:58

up by other countries and having codee

12:01

injected into them it begs a really

12:03

interesting question about the future of

12:05

not only open source but just code that

12:08

people use that they didn't write

12:10

themselves right so anyway if you

12:11

thought this video was interesting do me

12:12

a favor hit that like button hit

12:13

subscribe and then go check out this

12:14

other video this other video about uh

12:17

the XC back door which was really cool

12:19

it's kind of the same thing only it has

12:21

to do with a much smaller but much more

12:24

widely used library that almost had the

12:26

same fate as this we'll see you there