π (409) One Script Tag Just Pwn'D Over 100,000 Websites - Youtube
Waylon Walker
Learning in Public @_WaylonWalker
Tags
Note
This post is a thought. It's a short note that I make about someone else's
content online. Learn more about the process
thoughts
Here's my thought on π (409) One Script Tag Just Pwn'd Over 100,000 Websites - YouTube
Supply chain attacks are so big these days engineers definitely need to take these into consideration. It's wild that such a simple attack vector hit some really big applications. This particular vector is so easy to avoid. You are already hosting web content, just curl the file and self host the script, then you own it. That eliminates this attack vector all together, but doesn't completely remove supply chain attacks, the js file can still hit external apis internally.
What I see has happened in this case is that the owner of the domain polyfill.io changed. so anyone who directly linked to them got a malware injected script used.
I can only imagine the number of applicatons that are not even being maintained anymore getting hit by this. TLDR, if you are taking something to production, where you are goind to deploy it and let it run, host the js yourself. these cdns are great for prototyping, but tread with caution.
This post was a thought by Waylon Walker see all my thoughts at https://waylonwalker.com/thoughts