Slashdot Mirror


jQuery.com Compromised To Serve Malware

An anonymous reader writes jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been redirecting visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware. While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users, says James Pleger, Director of Research at RiskIQ.

17 of 103 comments

  1. They will never learn by drinkypoo · · Score: 4, Interesting

    People get upset when you call them incompetent for sourcing stuff out to foreign CDNs, but stuff like this happens all the time. It's not safe to pull stuff in from other sites for reasons which are obvious to anyone competent.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:They will never learn by _xeno_ · · Score: 5, Informative

      According to the article, the library itself wasn't affected.

      Plus most people don't use jQuery.com as a CDN. Instead jQuery recommends you use Google's CDN if you want to use a CDN for jQuery.

      Of course, this is still bad - I visit jQuery.com fairly frequently to check the documentation. The article doesn't say what was required for the malware to run so I have no idea if I was vulnerable to it or not, but if it was dropped on all pages and not just the home page, I definitely could have been hit by it.

      --
      You are in a maze of twisty little relative jumps, all alike.
    2. Re:They will never learn by Dracos · · Score: 4, Informative

      You're speaking of the wrong "they". jQuery.com runs WordPress: that's the incompetence. If I had a nickel for every WP-based exploit or compromise, I'd have about $50, and I'm pretty sure this is another one.

    3. Re:They will never learn by gandhi_2 · · Score: 3, Interesting

      Every mass-use CMS has had exploits. Even without the plugin exploit problems.

    4. Re:They will never learn by pooh666 · · Score: 3, Insightful

      What makes YOUR site so safe?

    5. Re:They will never learn by tlhIngan · · Score: 2

      Plus most people don't use jQuery.com as a CDN. Instead jQuery recommends you use Google's CDN if you want to use a CDN for jQuery.

      While the recommendation may be there, I can tell you that is NOT the case. Far too often if you use NoScript, "jquery.com" is listed right there as a necessary script for the website to work.

    6. Re:They will never learn by RabidReindeer · · Score: 2

      Why do you use 85k of javascript when 25 lines of pure javascript will do?

      Because they're really, really nasty lines of Javascript. And the same 25 lines won't work on all the different web clients.

    7. Re:They will never learn by lennier · · Score: 2

      My site is not particularly safe. I'm using specious hosting

      That's nothing, I've implemented an entire fallacious reasoner on a casuistic cloud architecture using sophistic inferencing. I'm pretty confident in the results I'm getting.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    8. Re:They will never learn by Just+Some+Guy · · Score: 3, Informative

      The purpose for parking JavaScript on a CDN is so that your visitors are likely to already have it in their cache. A million sites referring to the same URL is far more resource friendly than 10,000 sites hosting their own copy.

      --
      Dewey, what part of this looks like authorities should be involved?
    9. Re:They will never learn by plcurechax · · Score: 2

      What makes YOUR site so safe?

      I used FrontPage to create it, and host it on MySpace.

    10. Re:They will never learn by Just+Some+Guy · · Score: 2

      But if you and I are using the same library, why make the visitor fetch and store it twice? That's a slower startup for both of our sites. Multiplied across hundreds of thousands of jQuery-using instances, it adds up.

      The fastest GET is the GET which need not be made.

      --
      Dewey, what part of this looks like authorities should be involved?
  2. wow.... by gandhi_2 · · Score: 4, Funny

    did I just hear some relevant news on slashdot before i saw it on twitter?

    today is a bright, shiny day!

  3. The key piece of info that you need to know by Fnord666 · · Score: 4, Informative

    The key piece of info that you need to know is this:

    The only good news in all of this is that there is no indication that the jQuery library was affected.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  4. More reason for Requestpolicy by TheCarp · · Score: 2

    This is exactly the sort of reason I run requestpolicy, and jquery is always one of the ones I hate seeing because I know what it means to allow so many sites to load code from the same one, so it only ever gets a temporary exception, same for googleapis.

    --
    "I opened my eyes, and everything went dark again"
    1. Re:More reason for Requestpolicy by pjt33 · · Score: 4, Informative

      If you're that worried about it, why don't you run a local mirror and point your hosts file at it?

  5. Always assumed it was ... by gstoddart · · Score: 2

    I have always treated it like it's an external 3rd party, not the web site I'm visiting, and therefore not an entity I trust.

    I've always viewed jquery as about as trusted as doubleclick or scorecardresearch. I don't know or care what you do, I didn't visit your site.

    But then, I've learned not to trust the web in general.

    With so many sites using this, dumping malware into it means you can get a whole lot of sites easily ... making this a fairly obvious target.

    --
    Lost at C:>. Found at C.
  6. Re:Thats not good. by Jason+Levine · · Score: 3, Interesting

    Except they've said that the library wasn't affected. So it would just be people who went to the jQuery website... like I did a couple of days ago. :-O

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.