45 votes

Polyfill supply chain attack hits 100K+ sites

23 comments

  1. [16]
    skybrian

    From the article:

    The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed (archive here) from the Github repository.

    ...

    The original polyfill author recommends not using Polyfill at all, as it is no longer needed by modern browsers anyway. Meanwhile, both Fastly and Cloudflare have put up trustworthy alternatives, if you still need it.

    Yikes. Just because it's open source code on GitHub doesn't mean it's safe!

    36 votes
    1. [15]
      pyeri

      How can a shady Chinese company just happen to buy such a high profile github account? Aren't open source foundations, etc. supposed to ensure that such things don't happen? And the foundations are chaired by top technology companies who themselves depend on these FOSS projects.

      19 votes
      1. [7]
        koopa

        I mean the foundations govern specific open source projects that they are given control over, not every single open source repo on GitHub.

        Any successful open source project will get endless shady offers to buy you out (see https://github.com/extesy/hoverzoom/discussions/670 )

        34 votes
        1. [2]
          ebonGavia

          This is why I'm extremely selective about which browser extensions I use (basically none, just Bitwarden on FF). I mean, that's a lot of money he's leaving on the table.

          12 votes
          1. tauon
            (edited)

            Yup. It’s gotten to the point where I created a little write-up for my relatives and some older people I know; some of whom really might fall for the worst of the worst ads/popups out there otherwise.

            Although they sort of have the opposite problem, really: too few extensions and a frankly horribly unsafe browsing experience as a result of that.

            1 vote
        2. [3]
          pyeri

          This is bad news. If this keeps happening, folks will stop trusting the cloud and internet itself. In the long run, this means folks will waste a lot of their time and energy being busy in this security/privacy nightmare stuff instead of innovating and collaborating with one another.

          3 votes
          1. [2]
            post_below

            Bad news for sure, but it's been happening for years; so far there hasn't been as much fallout as you'd imagine.

            I keep assuming people will make monitoring systems for common open source libraries and browser extensions (the most popular attack vectors) so they can make it public when a buyout/takeover like this happens. Probably someone already has.

            8 votes
            1. balooga

              For browser extensions there’s Under New Management which should address the problem. Thankfully (I think) I haven’t fallen prey to one of these attacks myself so I can’t vouch for the notification system doing what it says it’ll do, but I have no reason to doubt it.

              Solving the problem of unexpectedly hostile client-side JS libraries, especially those fetched directly from a vendor-supplied CDN, is a much trickier feat. Maybe an extension like Decentraleyes would be well-positioned to tackle it, but I’m not aware of such a thing happening. Supply-chain attack notifications are out of scope for what that one is supposed to do. But I think it would be a welcome feature. NPM might be able to help flag malicious libraries that are bundled into site packages, actually I think it already is doing that, to some degree.

              Related: I recently learned on Tildes about the sale of Mac utility Bartender to an unknown developer that immediately added telemetry junk to the app after acquiring it. I’ve used Bartender for years and didn’t notice the switch. Apparently that was identified (or at least amplified) by an app called MacUpdater which replaces built-in app-specific updaters and manages everything centrally. I’d never seen the value of such a tool before, but blocking local supply-chain attacks is brilliant. I’m considering migrating over to that now that I see the practicality of it.

              6 votes
        3. l_one

          Well, that was eye-opening about an attack surface I hadn't thought of.

          1 vote
      2. [7]
        whbboyd

        Many open source projects have just a single maintainer who is doing so as an individual. And I am not even slightly surprised when a working software developer decides to sell out the Internet for a few million dollars. I'm not even sure it's unethical.

        19 votes
        1. [6]
          tanglisha

          I'm not sure "ethical" even applies to something like this. If someone needs cash and sells something like this to get it, there's probably a pretty pressing reason.

          2 votes
          1. [4]
            DeaconBlue

            It is only as unethical as someone building up a small business and selling it when they reach a position that they find the offers to be worthwhile. I think most people would lean toward that being pretty ethical, many would even call that the platonic ideal of someone living in a capitalist society.

            13 votes
            1. [3]
              skybrian

              Selling a business is also risky; sometimes small business owners have gotten in trouble by selling their company to criminals for cash, without doing all the paperwork first. And then, the business does bad things and they're legally still the owner.

              You might compare with selling a car; if you don't tell the DMV, you're still on the hook for tickets.

              2 votes
              1. [2]
                DeaconBlue

                Who is the governing body in this scenario to which we tell about the transfer of keys?

                Github isn't the only platform on which projects live. Even if it were, they are just a platform and not a government. There is an upper limit to how much they can do about it, pretty much stopping at removal.

                5 votes
                1. skybrian

                  Yeah, there are a lot of important differences between selling a business, selling a car, and transferring control of an open source project. I just wanted to point out that other transfers of control can be taken advantage of too.

                  1 vote
          2. skybrian

            My guess is that some (many?) open source maintainers wouldn't knowingly sell to criminals. They are likely more wary than they used to be after recent high-profile supply chain attacks. But it all depends on who they are and what their situation is.

            People can be duped. But if they know who they are selling to and don't care about their users at all, that sure seems unethical to me, almost as bad as doing it yourself.

            3 votes
  2. [3]
    Macil
    (edited)

    Polyfills in general are great (well, much less needed nowadays), but doing them by having a webpage load a script directly from a remote domain has always been a terrible idea because of the potential for this predictable outcome.

    11 votes
    1. [2]
      skybrian

      I agree, but I think it's a more general problem than that. A JavaScript library that you install could download an arbitrary dependency, unless you lock it down using CORS.

      (And one of these days I will learn how to do that.)

      5 votes
      1. Macil

        True, but at least any malicious code in a library you download and then host on your own domain can be studied for bad behavior, and it will only update when you, the developer, update it. Loading a script directly from a remote domain in a webpage means that the remote domain can update the code whenever they want, and they can selectively serve malicious copies of the script to a subset of your users, preventing you from being able to discover the malicious code unless one of the users reports it to you and you trust their report.

        (Btw CSP is the thing you want to use for self-imposing restrictions on a webpage, not CORS. CORS restricts what other domains can make requests to your own domain's server, but it won't prevent a malicious script on your own domain from accessing an attacker-controlled domain.)

        5 votes
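The CSP-versus-CORS distinction Macil draws above, worked through in code. This is an added example, not code from the thread: a small Node.js evaluator for the CSP `script-src` directive (covering `'self'`, `'none'`, scheme sources and host sources with wildcard subdomains, ports and path prefixes; nonces, hashes and `'strict-dynamic'` are left out) beside the comparison a browser performs for CORS. The page URL, policy string and hostnames in the demo are constructed for illustration.

```javascript
// Added example (not from the thread): which check decides whether a page may
// load a script from a remote host. CSP is evaluated against the *page's* own
// policy; CORS is evaluated against the *responding* server's header.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Split "name src src; name src" into a Map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Host patterns: an exact host, "*" (any host) or "*.example.com" (any subdomain,
// but not the apex itself).
function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return hostname.length > suffix.length && hostname.endsWith(suffix);
  }
  return pattern === hostname;
}

// Does one source expression permit scriptUrl when the page lives at pageUrl?
function sourceMatches(source, pageUrl, scriptUrl) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return scriptUrl.origin === pageUrl.origin;
  if (s.startsWith("'")) return false;                 // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return scriptUrl.protocol === s; // e.g. "https:"

  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // Without an explicit scheme the page's scheme applies; http may be upgraded
  // to https, but an explicit https:// source never matches a plain-http script.
  const wanted = scheme ? `${scheme}:` : pageUrl.protocol;
  const upgrade = wanted === 'http:' && scriptUrl.protocol === 'https:';
  if (scriptUrl.protocol !== wanted && !upgrade) return false;

  if (!hostMatches(host, scriptUrl.hostname)) return false;

  const actualPort = scriptUrl.port || DEFAULT_PORTS[scriptUrl.protocol] || '';
  if (port === undefined) {
    if (scriptUrl.port !== '') return false;           // only the scheme's default port
  } else if (port !== '*' && port !== actualPort) return false;

  if (path) {
    if (path.endsWith('/')) { if (!scriptUrl.pathname.startsWith(path)) return false; }
    else if (scriptUrl.pathname !== path) return false;
  }
  return true;
}

// CSP decision for a <script src>: script-src governs, falling back to default-src.
function scriptAllowed(cspHeader, pageUrl, scriptSrc) {
  const page = new URL(pageUrl);
  const script = new URL(scriptSrc, page);
  const sources = parseCsp(cspHeader).get('script-src')
    ?? parseCsp(cspHeader).get('default-src');
  if (sources === undefined) return true;              // no governing directive
  return sources.some((src) => sourceMatches(src, page, script));
}

// CORS decision: the browser compares the remote server's Access-Control-Allow-Origin
// with the page's origin. Because it is the *remote* server's header, an endpoint the
// attacker runs can simply answer "*"; your own server's CORS settings play no part.
function corsReadAllowed(responseAllowOrigin, pageOrigin) {
  return responseAllowOrigin === '*' || responseAllowOrigin === pageOrigin;
}

function demo() {
  // Constructed values: a page on www.example.com whose policy permits its own
  // scripts and the cdnjs mirror, but not the polyfill.io domain.
  const page = 'https://www.example.com/index.html';
  const csp = "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com";
  for (const src of ['/js/app.js',
                     'https://cdnjs.cloudflare.com/ajax/libs/example/1.0.0/example.min.js',
                     'https://cdn.polyfill.io/v3/polyfill.min.js']) {
    console.log(`${scriptAllowed(csp, page, src) ? 'allow' : 'block'}  ${src}`);
  }
  console.log('attacker-run endpoint answering ACAO "*":',
    corsReadAllowed('*', 'https://www.example.com') ? 'readable by page script' : 'blocked');
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Run it with `node` to see the three script sources classified; the point of the last line is that a malicious script already running on your page can talk to any server that opts in via CORS, so only the page's own CSP (or hosting the library yourself, as Macil says) limits what gets loaded in the first place.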
  3. skybrian

    Automatically replacing polyfill.io links with Cloudflare’s mirror for a safer Internet (Cloudflare)

    We have, over the last 24 hours, released an automatic JavaScript URL rewriting service that will rewrite any link to polyfill.io found in a website proxied by Cloudflare to a link to our mirror under cdnjs. This will avoid breaking site functionality while mitigating the risk of a supply chain attack.

    Any website on the free plan has this feature automatically activated now. Websites on any paid plan can turn on this feature with a single click.

    Background:

    Back in February, the domain polyfill.io, which hosts a popular JavaScript library, was sold to a new owner: Funnull, a relatively unknown company. At the time, we were concerned that this created a supply chain risk. This led us to spin up our own mirror of the polyfill.io code hosted under cdnjs, a JavaScript library repository sponsored by Cloudflare.

    The new owner was unknown in the industry and did not have a track record of trust to administer a project such as polyfill.io. The concern, highlighted even by the original author, was that if they were to abuse polyfill.io by injecting additional code to the library, it could cause far reaching security problems on the Internet affecting several hundreds of thousands of websites. Or it could be used to perform a targeted supply-chain attack against specific websites.

    Unfortunately, that worry came true on June 25, 2024 as the polyfill.io service was being used to inject nefarious code that, under certain circumstances, redirected users to other websites.

    We have taken the exceptional step of using our ability to modify HTML on the fly to replace references to the polyfill.io CDN in our customers’ websites with links to our own, safe, mirror created back in February.

    In the meantime, additional threat feed providers have also taken the decision to flag the domain as malicious. We have not outright blocked the domain through any of the mechanisms we have because we are concerned it could cause widespread web outages given how broadly polyfill.io is used with some estimates indicating usage on nearly 4% of all websites.

    5 votes
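The rewriting step the Cloudflare post describes, as an added example that is not Cloudflare's code: a Node.js function that rewrites `<script src>` attributes pointing at polyfill.io (or any of its subdomains) to a mirror, keeping the original path and query string so the requested feature set is unchanged. The mirror prefix, the sample HTML and the page URL are constructed for this example; substitute the path your mirror actually serves. Hosts are matched after parsing with `URL`, not by substring, so look-alike names such as `notpolyfill.io` or `polyfill.io.attacker.example` are left alone.

```javascript
// Added example (not Cloudflare's implementation): rewrite script references to
// polyfill.io so that they load from a mirror instead.

// ASSUMPTION: the mirror prefix is a placeholder for this example.
const MIRROR_PREFIX = 'https://cdnjs.cloudflare.com/polyfill';

// The apex domain or any subdomain of it, compared on the parsed hostname.
function isPolyfillHost(hostname) {
  const h = hostname.toLowerCase();
  return h === 'polyfill.io' || h.endsWith('.polyfill.io');
}

// Returns the mirror URL for a polyfill.io script reference, or null if the
// reference (absolute, protocol-relative or relative) does not point there.
function rewriteScriptUrl(src, pageUrl) {
  let url;
  try { url = new URL(src, pageUrl); } catch { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (!isPolyfillHost(url.hostname)) return null;
  return MIRROR_PREFIX + url.pathname + url.search;
}

// Matches the src attribute of <script> tags; illustrative only, a production
// rewriter would work on a real HTML parse or a streaming rewriter.
const SCRIPT_SRC_RE = /(<script\b[^>]*?\ssrc\s*=\s*)(["'])([^"']*)\2/gi;

// Rewrites the HTML and reports every replacement so the change can be logged.
function rewritePolyfillLinks(html, pageUrl) {
  const rewritten = [];
  const out = html.replace(SCRIPT_SRC_RE, (whole, prefix, quote, src) => {
    const replacement = rewriteScriptUrl(src.trim(), pageUrl);
    if (replacement === null) return whole;
    rewritten.push({ from: src, to: replacement });
    return `${prefix}${quote}${replacement}${quote}`;
  });
  return { html: out, rewritten };
}

// Constructed sample: two polyfill.io references (one protocol-relative), a
// same-origin script and a look-alike host that must not be touched.
const SAMPLE_HTML = [
  '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>',
  "<script defer src='//polyfill.io/v3/polyfill.min.js'></script>",
  '<script src="/js/app.js"></script>',
  '<script src="https://notpolyfill.io/v3/polyfill.min.js"></script>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const result = rewritePolyfillLinks(SAMPLE_HTML, 'https://www.example.com/');
  for (const r of result.rewritten) console.log(`${r.from} -> ${r.to}`);
  console.log(result.html);
}
```

Running it prints the two rewritten references and the resulting HTML; the same-origin script and the look-alike domain come through unchanged, and the `rewritten` list is what you would feed to logging so site owners can see which pages still carry the old reference.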
  4. Shahriar

    Content Security Policies set to an industry standard or better are a necessity for webmasters.

    3 votes
  5. [2]
    tinfoil

    Did this affect all devices or only devices that have old browsers needing polyfill?

    1 vote
    1. Macil

      Probably all unless they're being weirdly nice, because it's Polyfill.io's code loaded from their domain that runs in the first place to check if your device is old and needs extra polyfills.

      5 votes