If you somehow haven’t heard yet, the popular javascript library “Polyfill.js”, or rather its web-facing CDN, was recently used by Chinese threat-actors to insert malicious code on thousands of sites. The attack included a takeover of the polyfill[.]io domain and GitHub account to introduce the aforementioned malware. This allowed them to redirect users to phishing pages, steal valuable data, as well as the potential takeover of sensitive accounts.

This recent attack and similar supply chain threats have exposed the fragility of the web development ecosystem. As information security professionals, we must closely examine this incident to understand the broader implications and extract valuable lessons that can help strengthen the security posture of the entire industry.

The Risks of Relying on Third-Party Infrastructure

It’s fairly difficult to find a modern website nowadays that doesn’t include 20+ different dependencies and service upon first load. This includes things like: Google Analytics, advertising networks, support and accessibility tools, and even things as basic as common fonts. Sites have become increasingly reliant on external places to serve these resources, utilizing content delivery networks (CDNs) to serve critical assets. While the convenience and scalability of these services can be appealing, over-reliance on third-party infrastructure introduces significant security risks that web developers and organizations must carefully consider.

One of the primary dangers of relying on third-party CDNs is the potential for these platforms to be compromised as seen in the recent Polyfill attack. Malicious actors have been shown to target CDN providers, seeking to exploit vulnerabilities or gain unauthorized access to the systems. Once a CDN is compromised, the attackers can then modify or disrupt content being served, potentially affecting the confidentiality, integrity, and availability of the websites that depend on them. This type of supply chain attack can have far-reaching consequences, as a single attack can spread to hundreds or thousands of organizations before than anyone can detect a problem.

Speaking of which, another risk factor of these networks is the lack of direct control and visibility over the third-party infrastructure. When organizations outsource the hosting and delivery of critical assets to CDNs, they relinquish a certain level of control and oversight. This can make it challenging to monitor for suspicious activity, respond to incidents, and ensure the integrity of the served content. Additionally, CDN providers may have their own security practices and policies that may not align with the organization’s own security requirements, further increasing the risk. This reduces the ability of the information security community to quickly detect and stop these attacks.

Furthermore, the reliance on third-party CDNs introduces potential points of failure that can disrupt the availability and performance of web applications. If a CDN experiences an outage or service disruption, the websites and applications that depend on it may become unavailable or experience degraded performance, negatively impacting the user experience and potentially leading to business losses. These networks have almost become, in my opinion, a piece of critical infrastructure for the web. However, as mentioned in the previous paragraph, the opaque nature of these CDNs makes the sort of regulatory oversight that follows critical infrastructure difficult.

What We Can Do about This

As shown before, this attack highlighted the urgent need for the web development community to take proactive measures to address these security risks. As information security researchers, we must advocate for a multi-pronged approach to mitigate these threats and strengthen the overall security of the web ecosystem.

One crucial step is the widespread adoption of Subresource Integrity (SRI), a security feature that allows web developers to ensure the integrity of external resources loaded on their websites. By using SRI, developers can cryptographically verify that the resources being loaded, such as scripts and stylesheets, have not been tampered with or replaced by malicious content. This mechanism provides an additional layer of protection against supply chain attacks, as it empowers developers to maintain control over the assets their websites rely on, even when hosted on opaque third-party CDNs or servers. This technology would help mitigate some of the supply-chain attacks we see, however it is not a silver-bullet as some CDNs (including polyfill[.]io) generate resources dynamically for convenience and efficiency.

In addition to SRI adoption, we must also emphasize the importance of maintaining visibility and control over critically important CDNs and services, such as the hosts of major components and libraries used across the internet. Examples of this would include services like cdnjs and jsdelivr. By classifying, inspecting, and carefully vetting the sources of these critical assets, organizations can significantly reduce their exposure to supply chain risks and ensure that they have the necessary visibility and control to respond to security incidents effectively.

Furthermore, I believe that government and regulatory agency involvement can play a vital role in addressing the broader challenges of supply-chain integrity. Policymakers and industry regulators should work closely with the web development community to establish guidelines, standards, and best practices for securing the software supply chain. This could include mandating the use of integrity checks like SRI, promoting the self-hosting of critical assets, and incentivizing organizations to implement robust security measures and defense-in-depth across their web infrastructure. This can already be observed in some of CISA’s publications and outreach work relating to critical infrastructure, although more can be done, in my opinion, to secure the web in this regard.

By taking a comprehensive approach that combines technical solutions, organizational practices, and regulatory oversight, we can collectively work to mitigate the risks posed by supply chain attacks and build a more secure and resilient web ecosystem. As information security professionals, we have a responsibility to lead the charge in advocating for these changes and empowering web developers to take proactive steps to protect their websites and their users.

One Last Word…

A large part of advocating for these changes is developing new research and tools to test hypotheses. I’m working on something related to this, specifically relating to SRI and its adoption across the web. It should be available by the end of this week, assuming I don’t get side-tracked too much.

Thanks for reading, and have a excellent rest of your day!