malicious javascript injected into 100,000 websites
201,380
Published 2024-06-28
Issue: github.com/polyfillpolyfill/polyfill-service/issue…
Writeup: lyra.horse/blog/2024/05/exploiting-v8-at-openecsc/
🏫 COURSES 🏫 Learn to code in C at lowlevel.academy/
📰 NEWSLETTER 📰 Sign up for our newsletter at mailchi.mp/lowlevel/the-low-down
🛒 GREAT BOOKS FOR THE LOWEST LEVEL 🛒
Blue Fox: Arm Assembly Internals and Reverse Engineering: amzn.to/4394t87
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation: amzn.to/3C1z4sk
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software: amzn.to/3C1daFy
The Ghidra Book: The Definitive Guide: amzn.to/3WC2Vkg
🔥🔥🔥 SOCIALS 🔥🔥🔥
Low Level Merch!: lowlevel.store/
Follow me on Twitter: twitter.com/LowLevelTweets
Follow me on Twitch: twitch.tv/lowlevellearning
Join me on Discord!: discord.gg/gZhRXDdBYY
All Comments (21)
-
JavaScript? NO THANKS. Learn ASSEMBLY at lowlevel.academy/ (and get 20% off)
-
btw Mozilla uses SpiderMonkey, not V8
-
Every project that uses NPM is basically a security problem too. Like, set up a basic project and you already have a billion dependencies, and nobody knows what they do.
-
when the child says googie : 🥰 when the hacker says googie : 💀
-
Web dev here. Although a V8 hack is possible, I am almost certain this code is actually intended to steal user sessions, user input or any other security tokens etc. It's especially useful if you get an admin session or credentials on things like WordPress, as from that you can hack the server and use it as a bot farm for DDoS, or hope that WP will give you access to other systems.
-
The web is the only place where it's generally accepted to run 100k lines of code* to render text. *Disclaimer: if you're reading this as a smart expert, I'm talking about application code. We have abstractions for a reason 🙂
-
The code is pretty easily de-obfuscated. All it does is attempt to redirect you to other (probably malicious) websites. It has a few interesting features, like its own custom base64 decoder, its own implementation of RC4, and some code to check if you have an admin cookie set (probably so it won't redirect the developer.) But it's definitely not some kind of memory exploit.
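The decoding routine the comment above describes, as an added example that is not part of the original page or of the analysed payload: an analyst's decoder for string literals stored as base64(RC4(key, plaintext)), plus the kind of cookie gate that keeps a loader from firing for the site's own admin. The key, the sample blob and the cookie-name prefixes are constructed for the example (the blob is the published RC4 test vector for key "Key"); a real sample's values come from its own decoded strings.

```javascript
// Added example (not the video's or the payload's code): recover strings that an
// obfuscated loader stores as base64(RC4(key, plaintext)), and model the
// "skip the admin" cookie check. Sample values below are constructed.

// RC4: key scheduling (KSA), then the keystream generator (PRGA) XORed over the
// data. The same call encrypts and decrypts.
function rc4(keyBytes, dataBytes) {
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    const t = S[i]; S[i] = S[j]; S[j] = t;
  }
  const out = new Uint8Array(dataBytes.length);
  let i = 0, j = 0;
  for (let n = 0; n < dataBytes.length; n++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    const t = S[i]; S[i] = S[j]; S[j] = t;
    out[n] = dataBytes[n] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

function toHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// One obfuscated literal: base64 -> RC4 -> UTF-8. Obfuscators often ship their
// own base64 decoder (sometimes with a shuffled alphabet); the standard alphabet
// is assumed here.
function decodeObfuscatedString(b64, key) {
  const ciphertext = Buffer.from(b64, 'base64');
  const plaintext = rc4(Buffer.from(key, 'utf8'), ciphertext);
  return Buffer.from(plaintext).toString('utf8');
}

// Reverse direction, used to confirm that a recovered key round-trips.
function encodeObfuscatedString(text, key) {
  const ciphertext = rc4(Buffer.from(key, 'utf8'), Buffer.from(text, 'utf8'));
  return Buffer.from(ciphertext).toString('base64');
}

// Walk a table of obfuscated literals the way a deobfuscation script would.
function decodeStringTable(blobs, key) {
  return blobs.map(b => decodeObfuscatedString(b, key));
}

// Cookie gate: true when a cookie name that looks like an admin/login session is
// present, so the loader would stay quiet for the site owner. The prefix list is
// an assumption for this example, not the payload's list.
const ADMIN_COOKIE_PREFIXES = ['wordpress_logged_in_', 'wp-settings-', 'admin'];
function hasAdminCookie(cookieHeader) {
  return cookieHeader
    .split(';')
    .map(c => c.trim().split('=')[0])
    .filter(Boolean)
    .some(name => ADMIN_COOKIE_PREFIXES.some(p => name.startsWith(p)));
}

// Constructed sample: the standard RC4 test vector (key "Key", text "Plaintext")
// has ciphertext bbf316e8d940af0ad3, which base64-encodes to "u/MW6NlArwrT".
const SAMPLE_KEY = 'Key';
const SAMPLE_BLOB = 'u/MW6NlArwrT';
```

Once the key and decoder shape are recovered from the sample, `decodeStringTable` over the script's literal table turns the opaque blobs into the redirect targets and cookie names the comment refers to.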
-
Another reason why we don't use 3rd-party libraries or CDNs. You can't secure what you don't control.
-
Firefox uses Gecko, not V8; it's their own engine and one of the main reasons we need it alive. V8 is, however, really optimized at this point.
-
Lol, nope. Firefox doesn't use V8. Being the inventor of JavaScript, they use the engine they developed during Netscape's heyday. Mozilla has maintained it ever since. That is specific to Chromium-based browsers.
-
If you are including scripts from a CDN, you should always use the