JavaScript malware infested nightmare

Published on 2021-03-01. Modified on 2021-03-02.

Are you a JavaScript framework or library fan-boy? One of those so-called front-end developers who cannot figure out how to build a website without completely smothering everything in JavaScript? Well, if you are, let me share a JavaScript nightmare with you.

These last couple of days I have been working for a company that contacted me because they were suffering from some "hacking" problems on their website. The company is run by two hardworking entrepreneurs, who know a lot about how to run a successful business, but close to nothing about computer-related security.

These guys naturally trusted their entire IT infrastructure to a couple of external IT companies and they also used a couple of freelance developers for different smaller tasks.

It is a real shame, but I must admit that I am not surprised at my findings. None of these IT companies or freelance developers had the least knowledge about security. What they had done is what everyone else is doing these days - blindly following hype and trends!

Drawing of people blindly following other people

I'm going to skip ahead because the complexity of the problems is too difficult to describe. More or less everything is a mess. From how the computers at the office are being used, to password policies, to lacking firewall implementations, just about everything is a problem. However, despite multiple possible attack vectors, can you guess where the attackers chose to focus their payload? Obfuscated JavaScript malware.

The company has more than one website, none of which work even slightly without JavaScript enabled, yet JavaScript isn't needed for anything on any of these sites.

As I was going through the code, trying very hard to figure out what was going on, I eventually had to give up. It would literally take weeks, if not months, to de-obfuscate everything and figure out what was legitimate code and what was malware.

If you're a front-end developer reading this then stop pushing JavaScript!

As a developer you're responsible for your client and their customers. Your stupid JavaScript is a prime target for inserting obfuscated malware so you better make sure it is truly needed, and you better make sure that it is easy to validate!

We don't need JavaScript on the majority of websites on the Internet! It's causing more harm than good!

For everyone who isn't a front-end developer: Make sure you run your browser in a secure jail, disable JavaScript in your browser or use something like NoScript and uBlock Origin, and boycott websites (as much as possible) that have made their basic functionality dependent on JavaScript.
