Wednesday, January 10, 2018

npm and new cities for trojan horses

"I’m harvesting credit card numbers and passwords from your site. Here’s how." is an all-too-plausible-sounding account of how credit-card-stealing code could be inserted into a popular site; the tl;dr is "reasonably clever code that steals from typically named fields, inserted as an npm dependency of a utility for a framework, with a few other masking techniques applied" (in this case, a colors-in-the-console library).
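The practical defence against that scenario is to notice when a "harmless" dependency quietly grows a new transitive package. As an added example (not code from the post or from any of the projects it mentions), here is a small Node script that flattens two npm package-lock.json trees (lockfile v1 layout) and reports packages that were added or changed version since a reviewed baseline; the lockfile contents and package names are constructed for illustration.

```javascript
// Added example: diff the transitive dependency tree of a reviewed baseline
// package-lock.json against the current one. A new package that appears
// nested under an existing utility is exactly where trojan-horse code would
// hide, so this list is what a reviewer should read before trusting a fresh
// `npm install`.

// Recursively collect every package name -> Set(versions) in a lockfile v1 tree.
// Lockfile v1 nests transitive packages under each entry's own "dependencies".
function flattenLock(lock, out = new Map()) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    if (!out.has(name)) out.set(name, new Set());
    out.get(name).add(entry.version);
    if (entry.dependencies) flattenLock(entry, out); // descend into nested deps
  }
  return out;
}

// Compare baseline vs current; return packages that are new and packages
// whose version set changed (both sorted for stable output).
function diffLockfileDeps(baseline, current) {
  const before = flattenLock(baseline);
  const after = flattenLock(current);
  const added = [];
  const changed = [];
  for (const [name, versions] of after) {
    if (!before.has(name)) {
      added.push(`${name}@${[...versions].join(',')}`);
      continue;
    }
    const fresh = [...versions].filter((v) => !before.get(name).has(v));
    if (fresh.length) {
      changed.push(`${name}: ${[...before.get(name)].join(',')} -> ${[...versions].join(',')}`);
    }
  }
  return { added: added.sort(), changed: changed.sort() };
}

// Constructed sample lockfiles (package names and versions are made up).
const baselineLock = { dependencies: {
  'console-colors': { version: '1.2.0' },
  'left-pad': { version: '1.1.3' },
} };
const currentLock = { dependencies: {
  'console-colors': { version: '1.2.1',
    dependencies: { 'form-helper': { version: '0.0.1' } } }, // new transitive dep
  'left-pad': { version: '1.1.3' },
} };

console.log(diffLockfileDeps(baselineLock, currentLock));
```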

The person who posted it at work mentioned its similarity to "Reflections on Trusting Trust", Ken Thompson's seminal ACM piece on how a compiler could be warped to detect login-program-looking C code and produce a binary with a gaping security hole.

Because I find writing simple code to do simple things - even when it is code I've basically written before - often more satisfying than learning how to use someone else's code to do the same thing, I'm at real risk of NIH (Not-Invented-Here) syndrome, where I say "Make vs. Buy? Let's Make!" as a kneejerk response. But with links like that first one, and the story where removal of an 11-line "left-padding" module broke the build in a thousand places... I have mixed feelings about my own biases being confirmed that way.
