Public Service Announcement: Stop Using polyfill dot io

2024-06-26 01:00 pm
mdlbear: blue fractal bear with text "since 2002" (Default)

If you happen to be developing websites using the polyfill.io javascript library, drop everything and DELETE IT NOW! The domain was purchased by what's said to be a Chinese malware organization, which is using the library to redirect users to sport betting websites. More at

@ solarbird | if you use polyfill dot io, stop RIGHT NOW and read this @ Renaud Chaput: "polyfill.io malware injection" - Oisaur @ Remove Polyfill.io code from your website immediately • The Register @Polyfill.io JavaScript supply chain attack impacts over 100K sites

... and a tip of the hat to solarbird, who put me on to this.

If you develop websites using a framework or javascript library but you're not sure what a polyfill is, search your codebase for the string "polyfill.io". Then look it up and either eliminate it as a dependency, or find a different place to fetch it from.

This, BTW, is one more reason to like Chris Ferdinandi's's Daily Developer Tips | Go Make Things.

  • Mood: informative
  • Location: A rapidly deteriorating situation
Tags:

A flash of evil / GIP

2008-01-16 03:18 pm
mdlbear: (technonerdmonster)
This article in InfoWorld points to a particularly disturbing article and accompanying FAQ:
The code, published over the weekend by researchers Adrian Pastor and Petko Petkov, exploits features in two technologies: The UPnP (Universal Plug and Play) protocol, which is used by many operating systems to make it easier for them to work with devices on a network, and Adobe Systems' Flash multimedia software.

By tricking a victim into viewing a malicious Flash file, an attacker could use UPnP to change the primary DNS server used by the router to find other computers on the Internet. This would give the attacker a virtually undetectable way to redirect the victim to fake Web sites. For example, a victim with a compromised router could be taken to the attacker's Web server, even if he typed Citibank.com directly into the Web browser navigation bar.
The InfoWorld article's title is "Flash attack could take over your router", but it's really much more general than that: a maliciously-crafted flash movie could theoretically take over any UPnP device as long as it could guess its local IP address. Routers just happen to be ubiquitous, and come with only a limited number of default setups.

Turn off UPnP on any device where it's not absolutely essential. The article says, "Users could avoid this attack by turning UPnP off on their routers, where it is normally enabled by default, but this would cause a variety of popular applications, such as IM software, games, and Skype, to break and require manual configuration on the router", but it's not as bad as all that. Skype, IM, and games work perfectly well on my kids' Windows boxes, and my router is a Linux box without UPnP.

Not surprisingly, Microsoft is a major promoter of UPnP -- it stands for "Universal Plug and Play" and, like so many "features" from Microsoft, it's supposed to make things easier for their users. If they made cars, they'd all have the same key because somebody with two cars might get them mixed up.

Gratuitous Icon Post: The icon comes from the print I bought recently from [livejournal.com profile] ohiblather's shop on deviantART.
Tags:

Most Popular Tags

Links

Syndicate

RSS Atom

Style Credit

Page generated 2025-06-22 08:06 am
Powered by Dreamwidth Studios