
Building a backdoor with Node.js - lirantal
https://snyk.io/blog/what-is-a-backdoor/
======
peter_d_sherman
Excerpts:

"So the only requirement for the victim is to install the library
browser-redirect and add it to Express app, like a regular middleware:"

[...]

"I [Article Author] just published the malicious package to npm using npm
install browser-redirect@1.0.2. _However, in Github you can’t see the
malicious code_ — see Master Branch and release 1.0.2. The reason for this is
because npm does not check against Github or any other source control
repository."

Security Perspective Takeaways:

1) Downloading and building source code, where authentication is performed
between the downloaded source and the exact GitHub branch (rather than
downloading a pre-built package or even source code where this branch
authentication is not performed) would at least guarantee that the source code
could be matched to the source on github, and could be subsequently audited...

2) The broader class of this attack (which includes such things as Windows
Update, software auto-updaters, installers and package managers - both Windows
and Linux) is basically: download malicious code - inside of a (user) believed
non-malicious binary or library...

3) There are some very strong arguments here towards:

   a) Always use open source for whatever you can;

   b) Always download and compile the source for whatever you can;

   c) Always audit source that you've downloaded...


I know; easier said than done...

~~~
dlivingston
Currently, I’m building a very simple webpage using Gatsby.js for a project
I’m on.

It only has around 10 direct dependencies, but if I look in the node_modules
folder...760 distinct modules required in the dependency graph.

Should I be doing security audits on every single one of the 760 modules?

~~~
ryukafalz
>Should I be doing security audits on every single one of the 760 modules?

Yes, ideally.

I know this isn't practical. The fact that you have so many dependencies and
any one of them could do something bad should be a sign that something is
deeply wrong in the ecosystem.

~~~
dlivingston
The JavaScript ecosystem is famous for bloat like this. Python is much better,
though there is still an O(n^m) dependency tree. Languages like C/++ and
FORTRAN commonly have effectively O(n) dependency trees.

I suspect it’s related to the ease of use to add new libraries/modules.

------
cryptica
The problem with Snyk and other automated vulnerability detection tools is the
rate of false positives. For my open source library, the false positive rate
so far (over many years) has been 100%. Not one of the many reports pointed to
a single exploitable vulnerability in my library.

The reason is that a lot of vulnerabilities are context-specific. For example,
a common one in JavaScript is Object prototype pollution; this is not an issue
at all if the affected function is only used with trusted input.

Just because a function is vulnerable under a certain specific condition, it
doesn't mean that it's generally vulnerable.

That's like saying that chainsaws have a critical security vulnerability on
the basis that if you put your foot in front of it, you will be badly
harmed... and then you use this as justification to warn millions of tree
removal experts (and their customers too) all around the world that their
businesses are critically vulnerable and fundamentally unsound because they
happen to use chainsaws.

The other common problem is when it flags a vulnerability with a specific
function within a library, but that function is not actually used by the
project. It's not fair to label all downstream projects as vulnerable on the
mostly false assumption that the project actually uses the vulnerable part of
the code.

I think Snyk does this because it gets them attention and that's how they turn
a profit, but they have to get wiser because this strategy is compromising the
quality of their service.
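
The reachability question raised above, as an added example that is neither this commenter's code nor anything from Snyk's tooling: before treating an advisory against one function of a dependency as applying to a project, check whether the project's own source binds that package and references the flagged export at all. The package name `deep-tools`, the export `merge` and the three project files are constructed; the matching is regex-based and deliberately simple.

```javascript
// Added example (not from this thread or any vendor tool): a heuristic
// reachability check for a flagged export of a dependency. Package, symbol
// and project files below are constructed.
'use strict';

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Collect how `source` binds `pkg`:
//   namespaces: locals bound to the whole module
//               (const x = require('pkg'); import x from 'pkg'; import * as x from 'pkg')
//   named:      Map local -> exported for destructured bindings
//               (const { a, b: c } = require('pkg'); import { a, b as c } from 'pkg')
function bindingsFor(source, pkg) {
  const p = escapeRe(pkg);
  const id = '([A-Za-z_$][\\w$]*)';
  const namespaces = [];
  const named = new Map();
  const nsPatterns = [
    new RegExp(`(?:const|let|var)\\s+${id}\\s*=\\s*require\\(\\s*['"]${p}['"]\\s*\\)`, 'g'),
    new RegExp(`import\\s+(?:\\*\\s+as\\s+)?${id}\\s+from\\s+['"]${p}['"]`, 'g'),
  ];
  for (const re of nsPatterns) for (const m of source.matchAll(re)) namespaces.push(m[1]);
  const destructured = [
    new RegExp(`(?:const|let|var)\\s*\\{([^}]*)\\}\\s*=\\s*require\\(\\s*['"]${p}['"]\\s*\\)`, 'g'),
    new RegExp(`import\\s*\\{([^}]*)\\}\\s*from\\s+['"]${p}['"]`, 'g'),
  ];
  for (const re of destructured) {
    for (const m of source.matchAll(re)) {
      for (const part of m[1].split(',')) {
        const [exported, local] = part.split(/\s*(?::|\bas\b)\s*/).map(s => s.trim());
        if (exported) named.set(local || exported, exported);
      }
    }
  }
  return { namespaces, named };
}

// Names under which `symbol` of `pkg` is referenced in `source`, beyond the
// binding itself. Empty when the file imports the package but never uses it.
function usesSymbol(source, pkg, symbol) {
  const { namespaces, named } = bindingsFor(source, pkg);
  const hits = [];
  for (const ns of namespaces) {
    const re = new RegExp(`\\b${escapeRe(ns)}\\s*\\.\\s*${escapeRe(symbol)}\\b`);
    if (re.test(source)) hits.push(`${ns}.${symbol}`);
  }
  for (const [local, exported] of named) {
    if (exported !== symbol) continue;
    const occurrences = (source.match(new RegExp(`\\b${escapeRe(local)}\\b`, 'g')) || []).length;
    if (occurrences > 1) hits.push(local); // one occurrence is the binding line itself
  }
  return hits;
}

// Classify every file of a project ({ path: source }) against one advisory.
function triage(files, pkg, symbol) {
  const report = { importsPackage: [], reachesSymbol: [] };
  for (const [file, source] of Object.entries(files)) {
    const { namespaces, named } = bindingsFor(source, pkg);
    if (namespaces.length === 0 && named.size === 0) continue;
    report.importsPackage.push(file);
    if (usesSymbol(source, pkg, symbol).length > 0) report.reachesSymbol.push(file);
  }
  if (report.reachesSymbol.length > 0) report.verdict = 'review';
  else if (report.importsPackage.length > 0) report.verdict = 'imports package but not the flagged export';
  else report.verdict = 'package not imported directly';
  return report;
}

// Constructed project: one file uses the flagged export, one imports the
// package but only calls a different function, one does not import it.
const PROJECT = {
  'src/server.js': "const express = require('express');\nconst util = require('deep-tools');\n" +
    "module.exports = express().use((req, res) => res.json(util.pick(req.query, ['q'])));\n",
  'src/config.js': "const { merge } = require('deep-tools');\nconst defaults = { port: 3000 };\n" +
    "module.exports = merge({}, defaults, require('./local.json'));\n",
  'src/health.js': "module.exports = (req, res) => res.end('ok');\n",
};

console.log(triage(PROJECT, 'deep-tools', 'merge'));
```

For the fixture the verdict is `review`, reached only through `src/config.js`; `src/server.js` imports the package but touches only `pick`. Two caveats matter in practice: the check covers the project's own calls, not calls made inside other dependencies that use the same package, and it does not follow re-exports, aliases or dynamic `require`, so an empty result is a reason to look closer with the input in mind (whether the argument is attacker-controlled is still the deciding question), not a proof of safety.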

------
akoumjian
Really astounding to see them publish this article today. I have a CVE that's
about to go live regarding auditing tools like this one.

I contacted Snyk a week ago to point out that their audit tool (just like npm
audit, and others) cannot fundamentally protect you from attacks like this
when installed to the same environment as a malicious package. Almost feels
like they are trying to get ahead of it.

I was withholding the CVE while other tools are wrapping up their mitigation
strategy. NPMJS and Snyk folks basically shrugged their shoulders. This is
kind of forcing my hand to publish now.

Well, here is the blog post explaining:

[https://mulch.dev/blog/CVE-2020-5252-python-safety-vuln/](https://mulch.dev/blog/CVE-2020-5252-python-safety-vuln/)

And here is the snyk proof of concept:

[https://github.com/akoumjian/npm-audit-vuln](https://github.com/akoumjian/npm-audit-vuln)

TLDR; Don't ever use the `npm install` version of Snyk. Use the binaries or
the dockerized version.

~~~
akoumjian
Here is PyUp (safety) response: [https://pyup.io/posts/patched-vulnerability/](https://pyup.io/posts/patched-vulnerability/)

------
philplckthun
One can hope that with GitHub supporting signed commits and signed tags that
now that they’ve acquired npm there’ll be a way to match up a signed release
with an npm release.

Signed releases on npm in general would be a start as then we could at least
increase the reliability of security vulnerability notifications.

That being said, as pointed out in another comment, the amount of false
positives for instance for regex vulnerabilities in libraries that are only
used in the devDependencies of a repository are too high.

------
cj
Slightly off topic (but considering this is promo article from Snyk):

What is the value of Snyk now that Github and NPM have built-in dependency
security audits?

I was a customer of Snyk before auditing was built in to NPM / Github (and
before Snyk's price shot up to $750/mo for private repos). Was always confused
how they justified that price point now that their main value prop is built in
to npm for free.

------
LockAndLol
Bud, screen-space is scarce. Why does that header permanently take up a third
of vertical space?

~~~
ravenstine
_What if you're halfway down the page but you want to click to another page
on the site? How else are you to do that unless the nav menu is on the screen
all the time???_

Sticky headers are stupid and annoying. Easily the worst UX pattern in the
last decade. I bet no one has even tested to see whether they even increase
"engagement".

~~~
dylan604
How about something less sinister, like not designed for mobile first, and it
looks just fine on a desktop with plenty of pixels to be used? Like everything
else in the world, a decent idea implemented badly makes the idea look bad.
Also, opinions are like noses. Everyone has one and they all smell.

------
w-ll
Why Node? Why make a backdoor with a 90MB payload?

Sorry guys, I should have fully read the article.

~~~
bryanrasmussen
either because they think they have a bigger potential audience if Node is
used, or because Node is what they know best.

~~~
ufmace
I think you can make a case that Node/NPM is more vulnerable to this than
usual due to the huge number of packages pulled in by even simple
applications. Can anybody really audit what 10k different packages are doing,
and if any of them has had malicious code snuck in at some point?

~~~
eeZah7Ux
It's not just more vulnerable, it's incredibly so.

~~~
wesleytodd
Which platform do you use which does not rely on large amounts of open source
libraries?

~~~
okareaman
Powershell has a security model. Also, Ryan Dahl (creator of node.js) is
working on Deno as a replacement because he thinks he made a mistake with
node.

10 Things I Regret About Node.js - Ryan Dahl
[https://www.youtube.com/watch?v=M3BM9TB-8yA](https://www.youtube.com/watch?v=M3BM9TB-8yA)

~~~
wesleytodd
Ryan is one person and not involved with node anymore. Deno also has many
mistakes IMO, so fine to agree to disagree on this one.

~~~
okareaman
Interesting. You think he is making mistakes again? He complains about "second
system syndrome." I've been using Deno for hobby projects and find a lot to
like about it.

