Hacker News new | past | comments | ask | show | jobs | submit login

Nice to read text on a clever find.

Could somebody please confirm or invalidate my understanding, that this backdoor is just exploitable in addition with other (severe) issues?

An attacker would have to have the ability to tailor/manipulate JS scripts which should be under control of the victim?

Or am i mistaken?




That's correct. I did not discover vulnerabilities in existing libraries or add backdoors to any of them. :)

The attack scenario described in the post is (1) attacker writes some plausible-looking patches to an existing library like jQuery, (2) attacker convinces library maintainer to merge the patches, (3) someone builds the library with a buggy minifier, which creates the actual backdoor.


It's interesting all the same, It's kind of why exploits in very popular things like wordpress become problematic for so many for so long.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: