Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-09-23 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free! Compromise: The Dangers of Third Party Hosted Content

Published: 2014-09-23
Last Updated: 2014-09-23 23:29:03 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

jQuery is a popular Javascript framework, used by many websites (including . jQuery provides many features, like easy access to webservices as well as advanced user interface features. When using jQuery, sites have the option to download and host the complete code, or let and it's CDN (Content Delivery Network) host the code.

There are two advantages in allowing to host the code:

  • Performance: Code is typically delivered faster, and a user may already have the code cached if they visited another site that used the CDN hosted copy of jQuery.
  • Automatic Updates: Updates to jQuery are pushed to the CDN by the jQuery developers, and a website using it will automatically receive the latest copy.

On the other hand, there is an important drawback, and the main reason why the jQuery code for is hosted on our own servers: With code being "blindly" included from 3rd party sites, it is possible that a compromise of this 3rd party site will affect your site's security.

Sadly, just this happened according to RiskIQ with [1]. The web site was compromised and malicious code was injected redirecting users to a malicious site. Luckily, the jQuery library was NOT affected. Otherwise, many additional sites would have been exposed and visitors to these sites would have been affected. This is in particular fortunate as the attack appears to be targeted. The redirection domain used in this attack was . That domain was registered on the day the attack was first noticed.

Particulary concerning is the fact that I am unable to find any statement about the attack on . If someone has a link, please let me know.


Johannes B. Ullrich, Ph.D.

1 comment(s)
Diary Archives