
jQuery.com Compromise: The Dangers of Third Party Hosted Content

Published: 2014-09-23
Last Updated: 2014-09-23 23:29:03 UTC
by Johannes Ullrich (Version: 1)

jQuery is a popular JavaScript framework used by many websites (including isc.sans.edu). jQuery provides many features, such as easy access to web services as well as advanced user interface features. When using jQuery, sites have the option to download and host the complete code themselves, or to let jQuery.com and its CDN (Content Delivery Network) host the code.

There are two advantages in allowing jQuery.com to host the code:

  • Performance: Code is typically delivered faster, and a user may already have the code cached if they visited another site that used the CDN hosted copy of jQuery.
  • Automatic Updates: Updates to jQuery are pushed to the CDN by the jQuery developers, and a website using it will automatically receive the latest copy.

On the other hand, there is an important drawback, and the main reason why the jQuery code for isc.sans.edu is hosted on our own servers: With code being "blindly" included from 3rd party sites, it is possible that a compromise of this 3rd party site will affect your site's security.

Sadly, exactly this happened to jQuery.com, according to RiskIQ [1]. The website was compromised and malicious code was injected that redirected users to a malicious site. Luckily, the jQuery library itself was NOT affected. Otherwise, many additional sites would have been exposed and visitors to these sites would have been affected. This is particularly fortunate because the attack appears to have been targeted. The redirection domain used in this attack was jquery-cdn.com. That domain was registered on the day the attack was first noticed.

Particularly concerning is the fact that I am unable to find any statement about the attack on jQuery.com. If someone has a link, please let me know.

[1] http://www.net-security.org/malware_news.php?id=2869

---
Johannes B. Ullrich, Ph.D.

