{"id":31362,"date":"2024-07-07T14:06:25","date_gmt":"2024-07-07T21:06:25","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=31362"},"modified":"2024-07-08T01:15:03","modified_gmt":"2024-07-08T08:15:03","slug":"sb-2024-07-07","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2024\/07\/sb-2024-07-07\/","title":{"rendered":"Security Bits \u2013 2024-07-07"},"content":{"rendered":"<h1>Feedback &amp; Followups<\/h1>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>The Snowflake supply-chain breach fallout continues with another big name: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/neiman-marcus-confirms-data-breach-after-snowflake-account-hack\/\">Neiman Marcus confirms data breach after Snowflake account hack \u2014 www.bleepingcomputer.com\/\u2026<\/a> (biggest danger seems to be targeted phishing)<\/li>\n<li>\ud83c\udde7\ud83c\uddf7 Meta&#8217;s plan to hoover up users&#8217; data for training its AI hits another stumbling block (already blocked in EU): <a href=\"https:\/\/thehackernews.com\/2024\/07\/brazil-halts-metas-ai-data-processing.html\">Brazil Halts Meta&#8217;s AI Data Processing Amid Privacy Concerns \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Deep Dive 1 \u2014 Learning from the PolyFill CDN Fiasco<\/h1>\n<p><em><strong>tl;dr<\/strong> \u2014 if you create websites or web apps, be careful where you load your JavaScript libraries from; you are implicitly entrusting the integrity of your site to those CDNs!<\/em><\/p>\n<h2>Summary of What Happened &amp; The Immediate Fix<\/h2>\n<p>The best summary I have seen is the introduction to <a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2024\/06\/28\/polyfill-io-supply-chain-attack\">Qualys&#8217; detailed report<\/a>:<\/p>\n<blockquote><p>\n  The polyfill.js is a popular open-source library 
that supports older browsers. Thousands of sites embed it using the\u00a0cdn[.]polyfill[.]io\u00a0domain. In February 2024, a Chinese company (Funnull) bought the domain and the GitHub account. The company has modified Polyfill.js so malicious code would be inserted into websites that embedded scripts from cdn.polyfill[.]io. Any script adopted from\u00a0cdn.polyfill[.]io\u00a0would immediately download malicious code from the Chinese company\u2019s site. Some of the known outcomes are:<\/p>\n<ul>\n<li>user would be redirected to scam sites,<\/li>\n<li>allows an attacker to steal sensitive data,<\/li>\n<li>potentially perform code execution.\u00a0<\/li>\n<\/ul>\n<p>  Given that modern browsers do not require Polyfill, the original polyfill author recommends not to use Polyfill at all.\u00a0All websites should remove any references to polyfill.io. Recommended alternatives are CDN, such as\u00a0<a href=\"https:\/\/cdnjs.cloudflare.com\/polyfill\/\">Cloudflare<\/a>\u00a0and\u00a0<a href=\"https:\/\/community.fastly.com\/t\/new-options-for-polyfill-io-users\/2540\">Fastly<\/a>.\n<\/p><\/blockquote>\n<p>As well as switching to trustworthy CDNs, Cloudflare also provide the option to have their service automatically replace all your <code>polyfill.io<\/code> links with their CDN, as described on their blog: <a href=\"https:\/\/blog.cloudflare.com\/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet\">Automatically replacing polyfill.io links with Cloudflare\u2019s mirror for a safer Internet \u2014 blog.cloudflare.com\/\u2026<\/a>.<\/p>\n<p>An interesting development is that security researchers now think this attack is just the latest in a series of smaller-scale ones by the same group that dates back to 2023. 
This simply appears to have been their most high-profile attack so far.<\/p>\n<h2>The Backstory<\/h2>\n<p>For a long time there were a lot of obsolete browsers still in regular use, so developers had a choice:<\/p>\n<ol>\n<li>Only use features that are backwards compatible to a level appropriate for their site\/company\/app<\/li>\n<li>Work around the incompatibilities by simulating the missing features with features that are backwards compatible<\/li>\n<\/ol>\n<p>Developers hate not using new tools they know work well, so a technique evolved to work around the missing features that became known as Polyfill. This is how Wikipedia describes it:<\/p>\n<blockquote><p>\n  <em>&#8220;In\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Software_development\" title=\"Software development\">software development<\/a>, a\u00a0<strong>polyfill<\/strong>\u00a0is code that implements a feature of the\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Development_environment\" title=\"Development environment\">development environment<\/a>\u00a0that does not natively support the feature. Most often, it refers to\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/JavaScript\" title=\"JavaScript\">JavaScript<\/a>\u00a0code that implements an\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/HTML5\" title=\"HTML5\">HTML5<\/a>\u00a0or\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/CSS\" title=\"CSS\">CSS<\/a>\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_standard\" title=\"Web standard\">web standard<\/a>, either an established standard (supported by some browsers) on older browsers, or a proposed standard (not supported by any browsers) on existing browsers. 
Polyfills are also used in\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/PHP\" title=\"PHP\">PHP<\/a>\u00a0and\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Python_(programming_language)\" title=\"Python (programming language)\">Python<\/a>.<a href=\"https:\/\/en.wikipedia.org\/wiki\/Polyfill_(programming)#cite_note-1\">[1]<\/a>&#8220;<\/em> \u2014 <a href=\"https:\/\/en.wikipedia.org\/wiki\/Polyfill_(programming)\">en.wikipedia.org\/\u2026<\/a>\n<\/p><\/blockquote>\n<p>Lots of open source polyfills appeared for all sorts of things, one of which was PolyFill JS. This was a legitimate open source project, but it never ran its own content delivery network. The library could be included into your website\/web app using well trusted CDNs like <a href=\"https:\/\/www.jsdelivr.com\">JSDelivr<\/a>, but a third-party utterly un-affiliated CDN emerged named <code>polyfill.io<\/code>. This <strong>was<\/strong> a legitimate CDN for many years.<\/p>\n<p>Now, let&#8217;s get caught up to today \u2014 browsers are in a much better place now, so you just don&#8217;t need polyfills anymore. But, lots and lots of very old websites are still online, and many of them still load polyfills. Some are backed by legitimate CDNs, but many use <code>polyfill.io<\/code>. 
The problem is, there&#8217;s no legitimate need for <code>polyfill.io<\/code> anymore, so the domain got sold, and the new owners are not legitimate: they appear to be associated with the Chinese government, and malicious code was injected into the polyfill code they served.<\/p>\n<p>A final interesting development is that it now appears the same group behind other recent CDN attacks is behind this latest one.<\/p>\n<h2>The Lesson to be Learned<\/h2>\n<p>While this particular attack was nipped in the bud quickly and seems not to have done any major damage, it teaches us an important lesson.<\/p>\n<p><strong>Choose your CDN with Care!<\/strong><\/p>\n<p>In <a href=\"https:\/\/pbs.bartificer.net\">Programming By Stealth<\/a> we make heavy use of CDNs for importing libraries like jQuery and Bootstrap, but I have always been careful to only recommend trustworthy CDNs. This story perfectly illustrates why, and it makes me regret not being more explicit about that on those PBS segments all those years ago!<\/p>\n<h2>Links<\/h2>\n<ul>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/06\/over-110000-websites-affected-by.html\">Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator\/\">Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2024\/06\/28\/polyfill-io-supply-chain-attack\">Polyfill.io Supply Chain Attack \u2014 blog.qualys.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/blog.cloudflare.com\/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet\">Automatically replacing polyfill.io links with Cloudflare\u2019s mirror for a safer Internet \u2014 
blog.cloudflare.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>\u2757 Action Alerts<\/h1>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/plugins-on-wordpressorg-backdoored-in-supply-chain-attack\/\">Plugins on WordPress.org backdoored in supply chain attack \u2014 www.bleepingcomputer.com\/\u2026<\/a> (If you use these plugins, <strong>patch or remove immediately<\/strong>!)\n<ul>\n<li>Social Warfare 4.4.6.4 to 4.4.7.1 (fixed in version 4.4.7.3)<\/li>\n<li>Blaze Widget 2.2.5 to 2.5.2 (fixed in version 2.5.4)<\/li>\n<li>Wrapper Link Element 1.0.2 to 1.0.3 (fixed in version 1.0.5)<\/li>\n<li>Contact Form 7 Multi-Step Addon 1.0.4 to 1.0.5 (fixed in version 1.0.7)<\/li>\n<li>Simply Show Hooks 1.2.1 to 1.2.2 (no fix available yet)<\/li>\n<\/ul>\n<\/li>\n<li>A critical remote code execution bug has been found in the popular OpenSSH SSH server used in many Linux distributions \u2014 <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/31046\">isc.sans.edu\/\u2026<\/a>\n<ul>\n<li>Thankfully exploitation is not trivial, and it takes hours on 32-bit systems and appears to be effectively impossible on 64-bit systems<\/li>\n<li>Not all distributions were affected, so many Linux servers don&#8217;t need the patch<\/li>\n<li>If you have a Linux server, it&#8217;s worth making sure you&#8217;re fully patched!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Worthy Warnings<\/h1>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Attackers were able to abuse an Authy API to effectively steal the cellphone numbers used for 2FA by over 33M users \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers\/\">www.bleepingcomputer.com\/\u2026<\/a> (the biggest danger 
is SIM-swapping to work around 2FA &amp; targeted phishing)\n<\/li>\n<li>\n<p><a href=\"https:\/\/appleinsider.com\/articles\/24\/07\/03\/chatgpt-for-mac-app-logged-queries-in-an-unencrypted-file-before-getting-caught\">ChatGPT for Mac app logged queries in an unencrypted file before getting caught \u2014 appleinsider.com\/\u2026<\/a><\/p>\n<blockquote><p>\n  When everything is working the way it should on Mac, data should be siloed between apps so no single app can access another app&#8217;s data without APIs or user permission. ChatGPT decided to ignore Apple&#8217;s guidance and broke that structure by opting out of sandboxing and storing user conversations in plain text.\n<\/p><\/blockquote>\n<\/li>\n<\/ul>\n<h1>Notable News<\/h1>\n<ul>\n<li>\ud83c\uddea\ud83c\uddfa The European Commission has announced two very significant <em>Preliminary Rulings<\/em> under the Digital Markets Act (similar to indictments, the companies now have to argue their case):\n<ul>\n<li><a href=\"https:\/\/sixcolors.com\/link\/2024\/06\/preliminary-ruling-from-the-ec-declares-apple-is-violating-the-dma\/\">Preliminary ruling from the EC declares Apple is violating the DMA \u2014 sixcolors.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/07\/metas-pay-or-consent-approach-faces-eu.html\">Meta&#8217;s &#8216;Pay or Consent&#8217; Approach Faces E.U. 
Competition Rules Scrutiny \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/teamviewers-corporate-network-was-breached-in-alleged-apt-hack\/\">TeamViewer&#8217;s corporate network was breached in alleged APT hack \u2014 www.bleepingcomputer.com\/\u2026<\/a> (the attackers do not appear to have breached the production service so users don&#8217;t appear to have been affected)<\/li>\n<li>Details have been released of a supply-chain attack against the popular CocoaPods software repository that left thousands of Mac &amp; iOS apps exposed to malicious code injection that was <strong>responsibly disclosed and remediated<\/strong> before anything bad could happen \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/24\/07\/03\/vulnerabilities-found-in-swift-repository-left-millions-of-apps-exposed-now-patched\">appleinsider.com\/\u2026<\/a> <\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/software\/proton-launches-free-privacy-focused-google-docs-alternative\/\">Proton launches free, privacy-focused Google Docs alternative \u2014 www.bleepingcomputer.com\/\u2026<\/a> (This passes Bart&#8217;s <em>follow the money<\/em> test)<\/li>\n<\/ul>\n<h1>Interesting Insights<\/h1>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>Troy Hunt has shared a duo of insightful pieces on the current state of data breaches\n<ul>\n<li><a href=\"https:\/\/www.troyhunt.com\/the-state-of-data-breaches\/\">The State of Data Breaches \u2014 www.troyhunt.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.troyhunt.com\/the-state-of-data-breaches-part-2-the-trilogy-of-players\/\">The State of Data Breaches, Part 2: The Trilogy of Players \u2014 www.troyhunt.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>A <strong>long<\/strong> but excellent description of the problems Apple needed to solve to keep Apple Intelligence safe and private, and how 
they solved them masterfully: <a href=\"https:\/\/tidbits.com\/2024\/07\/01\/how-apple-intelligence-sets-a-new-bar-for-ai-security-privacy-and-safety\/\">How Apple Intelligence Sets a New Bar for AI Security, Privacy, and Safety \u2014 tidbits.com\/\u2026<\/a> (by well respected security researcher Rich Mogull)<\/li>\n<\/ul>\n<h1>Palate Cleansers<\/h1>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>From Bart:\n<ul>\n<li>\ud83c\udfa7 A fascinating interview with <em>the Godfather of AI<\/em> who made news when he retired from Google and warned about the dangers of unregulated AI on his way out: <a href=\"https:\/\/overcast.fm\/+H2bgDxX70\">The Naked Scientists Podcast: Titans of Science- Geoff Hinton \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Legend<\/h1>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that 
has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. The Snowflake supply-chain breach fallout continues with another big name: Neiman Marcus confirms data breach after Snowflake account hack \u2014 www.bleepingcomputer.com\/\u2026 (biggest danger seems to be targeted phishing) \ud83c\udde7\ud83c\uddf7 Meta&#8217;s plan to hoover up 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[6701,6700,50,569,6699],"class_list":["post-31362","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-cdn","tag-polyfill","tag-security","tag-security-bits","tag-snoflake"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31362","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=31362"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31362\/revisions"}],"predecessor-version":[{"id":31370,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31362\/revisions\/31370"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=31362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=31362"},{"taxonomy":"post_tag",
"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=31362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}