So a few months ago we learned that the individual running polyfill.io silently sold the service to an obscure chinese company.
This popular (and well done / very useful) service was created by the Financial Times, who stopped maintaining it and "donated it to the community", meaning that it relied on a few volunteers to continue running it (and on Fastly who provided the hosting for free). 1/7
Maintaining an Open Source project is hard work, lot of pressure, very often no money, and many many people end up being burned out.
Then, sometimes, a company comes up and offers you a large sum of money for it, enough for you to live a better life and never have to feel this pressure, and you accept. This is nowadays very common for browser extensions, can you guess why? 2/7
Over the years, I have received many proposals to monetize this extension so I think I'll just start posting them here for fun (but not for profit). The main reason I continue to maintain this exte...
If you are using the polyfill.io service for your website, you may want to reconsider. This was an amazing product, but the last maintainer sold the project and the domain to a China-based company without warning, and the domain is now pointing to a chinese IP running unknown code. Birdside announcement by the project original author: https://twitter.com/triblondon/status/1761852117579427975 More context in a GitHub issue: https://github.com/polyfillpolyfill/polyfill-service/issues/2834
Now, a few months after that, this domain is serving actively malicious Javascript into the websites using it. They inject some malware into websites, redirecting users to sport betting websites. But they could easily also siphon everything your users enter on the website, change their content… 6/7
More details here: https://sansec.io/research/polyfill-supply-chain-attack
This is very unfortunate, but will continue to happen until we figure out how to make money-makers (= companies) properly finance the OSS they are relying upon, and getting maintainers out of burnout.
And if you made it to the end, congratulations! Here is a donation link to send some money to Mastodon, which also suffers from this lack-of-money problem: https://joinmastodon.org/sponsors 7/7
Addentum: this is also a reminder to check what browser extensions you have installed, what permissions they have, and really care about this.
I understand that some decisions by browsers to limit what extensions can do (Chrome Manifest v3 for example) can really be frustrating as they will make extensions like uBlock Origin not work as well, but also keep in mind that this is an open field for malicious actors as well.
@renchap One of the things I am the most stubborn about at work is that we disable users installing browser extensions. We have a tightly managed allowlist and all other extensions are blocked.
Extensions need to be trusted at the level of "I want this extension to see my bank password"... because it probably will.
to my followers: there’s some really important information in this thread if you can disregard the casual anti-chinese racism! sorry to put this in your feeds but the short version is you should probably just uninstall every browser extension.
i turned down a monthly living wage (privilege checked, and no it would not have lasted) for my last extension and i don’t regret it for a second.
@renchap I'm all for funding OSS etc but you could also avoid this quite easily by having self-hosted the code, not loading it from their CDN.
Sites loading things from CDNs they don't control is very very bad.
(There is some mitigation via subresource integrity hashes but still not always used out there in the wild.)
@renchap Hmm... so SRI would be no good either. I can see why people would want to do this, but just not worth the security trade-off.
(Some hindsight here but hope that today any service that might send some different JS based on user-agent/etc would raise a red flag.)
Perhaps we should change the open source licensing model in such a way that, as soon as it runs on AWS or Azure, it is not for free anymore.
So that is why all the OpenSource licenses itself should change. A fork would have the same restrictions for AWS and Azure then.
(I know it's wishthinking)
Genteeeee.
Tem coisas aqui que não entendo bulhufas.
É o mesmo que ler Esperanto.
Are there any altruistic services out there that scan Google or other indexes of the web to find known JavaScript vulnerabilities like this and notify the owners? Maybe that's just far too big a job.
@renchap Actually you'd think this might be something Google could provide as a feature for those who have webmaster accounts with them - this must be a high percentage of the non-hobbyist websites out there. It could have a free tier and then charge for websites over a certain click through rate or crawl rate or something.
But I'm not sure Google are really interested in public service innovation any more.
The recent large scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile that affected up to tens of millions of websites has been traced to a common operator. Researchers discovered a public GitHub repository with leaked API keys helping them draw a conclusion.
@renchap God it reminds me how I got various emails about partnering with some companies that add ads or want to use client devices as exit nodes for their VPN service, for my android app, dns66.
No straight up take over offers though.
https://www.joelonsoftware.com/2001/10/14/in-defense-of-not-invented-here-syndrome/
“The Excel development team will never accept it,” he said. “You know their motto? ‘Find the dependencies — and eliminate them.’ They’ll never go for something with so many dependencies.”
In-ter-est-ing. I hadn’t known that. I guess that explained why Excel had its own C compiler.
Batsify
Renaud Chaput
ocdtrekkie
stevewozniak
Tom Walker
ikesau
Eelco Mulder 
🇪🇺
sobkas
Hein Ragas
Paulo Mattos
Steve Hill 🏴🇪🇺
chmod 777 Kayfox
Hugo
Orca 🌻 | 🎀 | 🪁 | 🏴🏳️⚧️
robin
marcus 
😷
Julian Andres Klode 🏳️🌈
mirabilos
mosher
LisPi
Resuna
(((Klefstadmyr)))