One Script Tag Just Pwn'd Over 100,000 Websites

Polyfill dot io is compromised. The results are terrifying. Everyone from Hulu to The Guardian to Intuit is currently pwn'd.

SOURCES

S/O Ph4se0n3 for the awesome edit 🙏
Comments
Author

New idea for an ad blocker: Injecting Polyfill script tags into site

bluepilkinton-ching
Author

Isn't NPM the same? There are a million who-knows-whats in my module directory. It took 30 minutes just to delete dependencies that depend on dependencies, a million times over.

BobKane-gx
Author

15:45 the reason they didn't pin it to a specific hash is the most dangerous thing about polyfill, it changes based on user agent. Each user may be served a different js file, so you can't pin the script to a specific hash. They give full control of what may be PAYMENT PAGES to a script that randomly changes BY DESIGN! Don't embed things like polyfill, even if you don't have evidence of it being compromised.

Mitch-xord
Author

Working in one of the largest banks in Australia. I told my manager about this polyfill thing; he was still not convinced after your tweet. Now sharing this video with him. Reason being I have 2 yrs of experience while he has been in the industry for the last 15 yrs.

ankiy
Author

Damn. I had no idea. Terrifying knowing how when repos like Polyfill are bought by different companies, they can do what they please with what they own, whether for the good or not. In most cases, the company that takes over has good intentions, but in the case of Polyfill, it's clear that this wasn't the case.

ITAC
Author

Moral of the story: self-host everything, don’t rely on anything external. Even for something as harmless and innocuous as a CDN like JSDelivr, there are implications. What if JSDelivr is down the day your site goes viral, to name one example?

owenwexler
Author

Using non-checksumable external libraries is a terrible idea? Who would have thought!

nordern
Author

To be fair: even before Chrome, Firefox had already put significant pressure on Internet Explorer, Safari and Opera to embrace standards (although to be really fair, IE was the only real problem child). Chrome was just doing what Firefox already started but with the leverage of better UX and more marketshare. I am glad they killed the old web.

timseguine
Author

And this is why I never deploy production code that calls a third-party CDN. If you're doing that, you are trusting that third party to send you the script you're expecting every time someone loads the page. But they absolutely could send you literally whatever they want instead.
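
The two comments above make one point from two sides: a script tag can be pinned with Subresource Integrity only if the CDN serves the same bytes to everyone, and polyfill.io by design serves a different bundle per user agent, so the only safe option was to self-host. The following added example (not code from the video or from the polyfill project) shows how the pin works and why it cannot work for a user-agent-dependent CDN: it computes SRI integrity values, emits the pinned tag, emulates the browser's check against several constructed response bodies, and tests whether a single pin could cover the bodies seen under different user agents. The script bodies and the `cdn.example.invalid` URL are constructed placeholders, not real polyfill.io output.

```python
import base64
import hashlib
import hmac
import html

# Constructed sample responses for one script URL (not real polyfill.io output).
# PINNED_BUILD is the body a developer reviewed and pinned; UA_VARIANT_BUILD stands
# in for the different bundle a user-agent-dependent CDN hands another browser;
# APPENDED_BUILD is a hypothetical body with extra code appended after the pin.
PINNED_BUILD = b"(function(){window.Promise=window.Promise||function(){};})();\n"
UA_VARIANT_BUILD = b"(function(){/* a different bundle for another browser */})();\n"
APPENDED_BUILD = PINNED_BUILD + b"/* hypothetical extra code appended later */\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value ("sha384-<base64 digest>") for data."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI permits only {SRI_ALGOS}, not {algo!r}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, data: bytes, algo: str = "sha384") -> str:
    """Build a <script> tag pinned to the bytes reviewed at build time.
    crossorigin="anonymous" is required for SRI on cross-origin scripts."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_hash(data, algo)}" crossorigin="anonymous"></script>')


def integrity_matches(served: bytes, integrity: str) -> bool:
    """Emulate the browser's check: hash what was actually served and compare it
    with the pinned value. On a mismatch the browser refuses to run the script."""
    algo = integrity.split("-", 1)[0]
    if algo not in SRI_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(served, algo), integrity)


def pinnable(responses: dict) -> bool:
    """True only if every response seen for the URL (e.g. fetched under different
    user agents) hashes identically; otherwise no single integrity value can work."""
    digests = {sri_hash(body) for body in responses.values()}
    return len(digests) == 1


def check_variants(integrity: str) -> dict:
    """Run the browser-style check against each constructed response body."""
    bodies = {"pinned": PINNED_BUILD, "ua_variant": UA_VARIANT_BUILD, "appended": APPENDED_BUILD}
    return {name: integrity_matches(body, integrity) for name, body in bodies.items()}


if __name__ == "__main__":
    # Hypothetical URL; the tag is what you would ship for a self-hosted or frozen copy.
    print(script_tag("https://cdn.example.invalid/polyfill.min.js", PINNED_BUILD))
    pinned = sri_hash(PINNED_BUILD)
    for name, ok in check_variants(pinned).items():
        print(f"{name:10s} -> {'executes' if ok else 'blocked by browser'}")
    seen = {"browser_a": PINNED_BUILD, "browser_b": UA_VARIANT_BUILD}
    print("single pin possible across user agents:", pinnable(seen))
```

The pinned body passes, the other two are blocked, and `pinnable` reports that no single integrity value can cover a URL whose body differs per user agent. That is exactly the trap the comments describe: a site that wanted the integrity attribute could not use it with polyfill.io, so it had to trust the CDN unconditionally or host the file itself.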

Cyanide
Author

It's wild that they got the GitHub repo too? Like idk that seems weird.

Sandromatic
Author

I love how the thing says JSTOR is being affected by the polyfill hack and you're like "cool, let me go open that right now".

insylogo
Author

I would expect the Cloudflare status page to be running outside of their CDN infrastructure to keep it available during outages so it isn't entirely surprising that they came up with an easy way to avoid the issue and forgot to apply it to that separate part of their systems.

It should definitely be on a bunch of checklists now though so that nobody will forget about it for a while.

ThePCJohnson
Author

You passed over Nintendo in that list, holy f u c k

ShayBlez
Author

6:15
I love the TOS going "Oopsies, we may give you a virus, we can't know for sure!!, 1!! Plz check urself for any viruses we may or may not have put on your website!!!111!"

BattyBest
Author

6:20 are they suggesting that developers embed an antivirus on their website?

RedStone
Author

Where does Theo get his shirts? They look terrific

StagnantWaterDolphin
Author

For the Cloudflare status page, I'm assuming they can't serve that page using their caching/rewriting layer - if there's a problem with the core service and the status page is proxied by it, nobody would be able to view the status.

CharlesBallowe
Author

So as a new dev I'd been wondering for a while about the security of CDNs and cross-site linking, which back in the day was almost exclusively an attack method, that I keep being instructed to use. Is the benefit of not serving a 20kb css or js file yourself really worth it?

paultapping
Author

Thanks for this, as a developer, I have removed this from my web project. The sad thing is a lot of Bootstrap templates have this as a default and I just use it, well into now.

waynehawkins
Author

The way I snickered when you @'d hulu.... that is rich lol

tabsc