Financial Risk - Carefully Evaluating Open Source Code

@codingdefined

As developers we use many open source packages rather than reinvent the wheel: we use what already exists instead of writing it ourselves. NodeJS developers mainly rely on the NPM package manager, whereas .NET developers use NuGet packages. Some packages are used very heavily; UAParser.js, for example, has more than 8 million weekly downloads.

This creates a financial risk for everyone who ends up running the code. We all use many websites, and I would guess that almost every new website uses this package in one way or another. Think about the scenario where one of the websites you have visited has such a security flaw: it can give away your passwords, cookies and everything else, and the attackers can use that to steal money from you. So it is one of the developer's responsibilities to keep the website free from anything that invites this type of attack.

The problem is that we do not actually read the package code to see what it does; we rely on the package developer for security evaluation. If the package contains malicious code, it is transferred to every system that installs the package, and all of those systems are compromised.

On 22nd October, the UAParser.js owner's account was hijacked and the attacker pushed new versions containing malicious code. That code stole passwords and Chrome cookies from the affected systems and also ran a crypto-miner on them. As I have already mentioned, it is one of the most popular libraries, so it was easy for the hijacker to deliver malicious code to millions of people at once, as soon as they upgraded the package.

One reason this happened, and will happen again, is that we developers are lazy and do not want to check the security of the packages we use. The problem will grow as attackers find ways to hijack more such packages. One thing we can do is check a specific version of a package for security and then use that version in our project. We should stick to that version and not upgrade all the time; that way we know we are running the reviewed code, exactly the same code every time, and we update only when a dependency update has been checked. Yes, you will miss some new updates, but you will be safe from this type of attack.
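The pinning advice above can be checked mechanically. The following is an added example, not code from the original post: it flags dependencies in a package.json whose specifier is a range (`^`, `~`, `*`) rather than one exact reviewed version, and checks that the lockfile resolves each pinned dependency to that same version. The sample manifest and lockfile are constructed inline; the package names and versions are illustrative only.

```javascript
// Added example, not from the original post. Exact version = "x.y.z" with an
// optional prerelease tag; anything else lets npm choose a newer release.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Dependencies that are not pinned to one exact version.
function findUnpinned(manifest) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Resolved version from a package-lock.json (lockfileVersion 2/3, then 1).
function lockedVersion(lock, name) {
  const v2 = lock.packages && lock.packages[`node_modules/${name}`];
  if (v2) return v2.version;
  const v1 = lock.dependencies && lock.dependencies[name];
  return v1 ? v1.version : undefined;
}

// Pinned dependencies whose lockfile entry is missing or disagrees with the
// manifest, i.e. the code that would actually be installed is not the reviewed one.
function lockMismatches(manifest, lock) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT.test(spec)) continue;
      const locked = lockedVersion(lock, name);
      if (locked !== spec) out.push({ name, expected: spec, locked });
    }
  }
  return out;
}

// Constructed sample data; package names and versions are illustrative only.
const sampleManifest = {
  dependencies: { 'lib-a': '1.4.2', 'lib-b': '^2.0.0' },  // lib-b: any 2.x.y
  devDependencies: { 'tool-c': '~3.1.0' },                // tool-c: any 3.1.x
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/lib-a': { version: '1.4.3' },  // drifted from the pinned 1.4.2
    'node_modules/lib-b': { version: '2.5.1' },
  },
};

console.log(findUnpinned(sampleManifest), lockMismatches(sampleManifest, sampleLock));
```

With every dependency pinned, `npm ci` installs exactly what the lockfile records, and `npm config set save-exact true` makes npm write exact versions instead of caret ranges by default.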

Posted using LeoFinance Mobile