
Ask HN: How does a JAMstack website like Smashing Magazine get hacked? - b0ner_t0ner
So Smashing Magazine got hacked yesterday[1] and I was quite surprised by this because they moved off WordPress 3 years ago and have been promoting JAMstack ever since for its performance and security.

I doubt they will be doing a post-mortem on this, but where would the entry point be? A weak GitHub account without two-factor authentication or something else?

[1] https://twitter.com/tonyciccarone/status/1261100239206957056
======
rshnotsecure
1. Keyloggers written entirely in CSS have been demonstrated for some time
now. [a]

2. Malicious JavaScript could have been embedded into their CI/CD pipeline
and made it onto the site.

3. Somehow stealing SSH keys from a developer and simply logging into the box
to change things at the OS level. In fact, it looks like at least one
subdomain of theirs is hosted on GoDaddy. SSH keys for some of their customers
were recently compromised. Note that I don't think this actually happened, but
wanted to list it. [b]

4. Smashing Magazine could also improve security by adding the Expect-CT,
Feature Policy, and especially a Content Security Policy. Ironically, a
Smashing Magazine article from 2017 mentions at least having a CSP. [c,d]

5. I recall some speech by the NSA at DEFCON, I think in 2012 or something.
One of their speakers said that for all the cool stuff they do, 95% of the
time it's just password reuse that gets people, or phishing for credentials.
This would seem to me the most likely way and the best investment of a hacker's
time.

[a] - https://css-tricks.com/css-keylogger/

[b] - https://www.theregister.co.uk/2020/05/05/godaddy_ssh_login_details_compromised/

[c] - https://www.smashingmagazine.com/2017/04/secure-web-app-http-headers/

[d] - https://www.keycdn.com/blog/http-security-headers

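An added illustration of points 2 and 4 above, written for this page and not code from the thread, from Smashing Magazine or from any of the linked articles: a small Node.js script that (a) audits a static site's response headers for the ones the comment names (plus the usual companions HSTS, X-Content-Type-Options and Referrer-Policy) and flags CSP settings that defeat it, and (b) cross-checks the built HTML against the CSP's script-src, which is how a pipeline-injected `<script>` would be caught at build time or blocked in the browser. Every header value, hostname, origin and HTML fragment below is constructed for the example; the header list and the CSP matching rules are a simplification (paths, ports and nonce/hash semantics are not modelled). Note that Feature-Policy has since been renamed Permissions-Policy in browsers, so a current audit would look for that name as well.

```javascript
// Added example, not code from the thread or from Smashing Magazine: audit a
// static site's response headers and check the built HTML against its CSP.
// The header values, HTML, origins and hostnames below are all constructed.

// Split a CSP header value into a Map of directive -> source expressions.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Headers a static site should send (the thread's three plus common companions).
const WANTED_HEADERS = [
  'content-security-policy',
  'strict-transport-security',
  'expect-ct',
  'feature-policy',
  'x-content-type-options',
  'referrer-policy',
];

// Report wanted headers that are absent and CSP settings that undermine it.
function auditHeaders(headers) {
  const h = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const missing = WANTED_HEADERS.filter((name) => !h.has(name));
  const weak = [];
  if (h.has('content-security-policy')) {
    const csp = parseCsp(h.get('content-security-policy'));
    const scriptSrc = csp.get('script-src') || csp.get('default-src') || [];
    if (scriptSrc.length === 0) weak.push('no script-src or default-src: any script may load');
    if (scriptSrc.includes("'unsafe-inline'")) weak.push("script-src allows 'unsafe-inline'");
    if (scriptSrc.includes('*')) weak.push('script-src allows every origin (*)');
    if (scriptSrc.includes('https:')) weak.push('script-src allows every https: origin');
    if (!csp.has('default-src')) weak.push('no default-src fallback for other fetch directives');
  }
  return { missing, weak };
}

// Collect <script> elements from built HTML: external ones by src, inline ones counted.
function scriptsInHtml(html) {
  const external = [];
  let inline = 0;
  const re = /<script\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) external.push(src[1]); else inline += 1;
  }
  return { external, inline };
}

// Does one source expression permit loading `url` on a page at `pageOrigin`?
// Covers 'self', 'none', '*', scheme sources (https:), and host sources with an
// optional scheme and a leading wildcard label; paths and ports are ignored here.
function sourceAllows(source, url, pageOrigin) {
  const u = new URL(url, pageOrigin);
  if (source === '*') return true;
  if (source.startsWith("'")) return source === "'self'" && u.origin === new URL(pageOrigin).origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const [scheme, rest] = source.includes('://') ? source.split('://') : [null, source];
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  const host = rest.split('/')[0].split(':')[0].toLowerCase();
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1));
  return u.hostname === host;
}

// Cross-check a built page against the CSP it will be served with: external
// scripts no source permits, and inline scripts the policy does not allow.
function checkBuiltPage(html, cspValue, pageOrigin) {
  const csp = parseCsp(cspValue);
  const scriptSrc = csp.get('script-src') || csp.get('default-src') || ['*'];
  const { external, inline } = scriptsInHtml(html);
  const unexpected = external.filter((src) => !scriptSrc.some((s) => sourceAllows(s, src, pageOrigin)));
  const inlineAllowed = scriptSrc.some(
    (s) => s === "'unsafe-inline'" || s.startsWith("'nonce-") || s.startsWith("'sha"));
  return { unexpected, inlineScripts: inline, inlineAllowed };
}

// Constructed sample: a sensible header set for a static site, and a build output
// into which a pipeline step has slipped an extra external script and an inline one.
const SAMPLE_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self' https://cdn.example.net; img-src 'self' data:; object-src 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
};
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="https://attacker.example.org/inject.js"></script>
<script>document.cookie;</script>
</head><body></body></html>`;

console.log(auditHeaders(SAMPLE_HEADERS));
console.log(checkBuiltPage(SAMPLE_HTML, SAMPLE_HEADERS['Content-Security-Policy'], 'https://www.example.com'));
```

Run with `node` and the first result lists `expect-ct`, `feature-policy` and `referrer-policy` as missing with no weak CSP findings; the second reports the attacker-controlled script as not permitted by the policy and one inline script that the policy would also block. Wiring `checkBuiltPage` into the CI job that publishes the site turns the CSP from a browser-side backstop into a build gate, which is the cheap mitigation for the pipeline-injection case in point 2.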
------
seanwilson
JAMstack doesn't make you invulnerable but it removes some big surface areas.

You've still got to secure e.g. your hosting account, DNS account, Git
account, comment system (against injection attacks). Phishing attacks aren't
going to go away.

------
chrismeller
Most of Ourmine’s prior attributed hacks seem to involve compromising an
account - whether the original or an email account with it that allows them to
reset a password.

Someone else mentioned that at least one subdomain is hosted by GoDaddy, and
that seems like a very easy target.

------
stakkur
Surely this is their hosting provider getting hacked, not the 'site'?

