Was jquery.com Compromised?
Latest update on the compromise: Update on jQuery.com Compromises
Earlier today, RiskIQ published a blog post stating that the jQuery.com web servers were compromised and serving the RIG exploit kit for a short period of time on the afternoon of September 18th. Our internal investigation into our servers and logs has not yet found the RIG exploit kit or evidence that there was in fact a compromise.
RiskIQ was able to make contact with the jQuery Infrastructure team on September 18th, at which point we worked with members of the RiskIQ team to try to find evidence of compromise. So far the investigation has been unable to reproduce or confirm that our servers were compromised. We have not been notified by any other security firm or users of jquery.com confirming a compromise. Normally, when we have issues with jQuery infrastructure, we hear reports within minutes on Twitter, via IRC, etc.
At no time have the hosted jQuery libraries been compromised.
Currently the only potential system compromised is the web software or server that runs jquery.com. We have asked RiskIQ to help us look through our server logs and systems to help identify when and how a compromise happened. Please check this blog post for updates on the situation.
Even though we don’t have immediate evidence of compromise, we have taken the proper precautions to ensure our servers are secure and clean. If you happened to visit any of our sites on September 18th and are afraid of your system being compromised, you can follow the advice RiskIQ recommends:
- Immediately re-image the system
- Reset passwords for user accounts that have been used on the system
- See if any suspicious activity has originated from the offending system
Curious indeed. If the HTML served had changed beyond any usual variation due to dynamic content then wouldn’t the differences in filesize be observable in and calculable from the logs?
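The check the commenter proposes above, as an added example that is not part of the original post or of jQuery's infrastructure: a Python script that reads Apache/nginx combined-format access log lines (constructed sample data, not real jquery.com logs) and flags 200 responses for a path whose byte count departs from that path's median by more than a threshold, which is how an injected script tag or iframe in an otherwise static page would show up in the logs.

```python
import re
import statistics
from collections import defaultdict

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines: the homepage normally serves ~48 KB; two hits on
# 18 Sep are several KB larger, as an injected <script>/iframe would make them.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.6 - - [17/Sep/2014:10:05:10 +0000] "GET / HTTP/1.1" 200 48230 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Sep/2014:12:00:00 +0000] "GET / HTTP/1.1" 200 48198 "-" "Mozilla/5.0"
198.51.100.8 - - [18/Sep/2014:09:30:00 +0000] "GET / HTTP/1.1" 200 48244 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Sep/2014:14:12:31 +0000] "GET / HTTP/1.1" 200 51870 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Sep/2014:14:13:05 +0000] "GET / HTTP/1.1" 200 51902 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Sep/2014:16:00:00 +0000] "GET / HTTP/1.1" 200 48219 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Sep/2014:14:12:40 +0000] "GET /download/ HTTP/1.1" 200 30100 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield (timestamp, path, bytes) for successful GETs that report a byte count."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("method") == "GET" and m.group("status") == "200" and m.group("bytes") != "-":
            yield m.group("ts"), m.group("path"), int(m.group("bytes"))

def find_size_outliers(log_text, min_samples=3, max_dev=1024):
    """Return [(ts, path, bytes, median)] for responses whose size departs from
    that path's median by more than max_dev bytes; a multi-KB jump on a page
    that normally varies by tens of bytes is worth pulling the content for."""
    by_path = defaultdict(list)
    for ts, path, size in parse(log_text):
        by_path[path].append((ts, size))
    outliers = []
    for path, hits in by_path.items():
        if len(hits) < min_samples:
            continue  # too few hits to establish a baseline for this path
        median = statistics.median(size for _, size in hits)
        for ts, size in hits:
            if abs(size - median) > max_dev:
                outliers.append((ts, path, size, median))
    return outliers

if __name__ == "__main__":
    for ts, path, size, med in find_size_outliers(SAMPLE_LOG):
        print(f"{ts} {path} {size} bytes (baseline median {med})")
```

The threshold and minimum sample count are assumptions to tune per site; paths served with dynamic content will need a wider band or a per-path baseline taken from a known-clean window.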
That’s why I use RequestPolicy and NoScript, to control which site is allowed to download which external resources.
I don’t use the jquery.com download. I get the code from Google’s CDN, so if the code was compromised, would this also affect the CDN or would that be okay? I am not sure how Google deals with the various versions of jQuery. I tend to simply set the link to whatever the latest copy is via Google and leave it at that.
@Matt and @Neil – As was stated clearly in the article:
“At no time have the hosted jQuery libraries been compromised.”
The concern over the possible compromise has nothing to do with the CDN hosted or downloadable jQuery libraries.
Webmasters generally use the jQuery CDN in order to ensure faster webpage loads. If people are very concerned they could either replace it with Google’s JS CDNs or host them on their website.
To be honest, one of the big web filter companies like Barracuda, etc. would know about this first. Then everyone like malware-traffic-analysis.net would have pcaps. About 100 infosec researchers would have Fiddler logs of it. You’d see a bunch on urlquery.net. Remember when php.net was compromised?
The ASUS ROG forum made it about 10 minutes before everyone had pcaps, swf files, and silverlight dlls.
For such a high-visibility site, you’d think there would be more info.
There are updates on the RiskIQ blog source. They posted some raw data from their crawler that I don’t quite understand. But it does reveal something that the jQuery Foundation should be concerned about and address.
And that’s the fact that there is a domain jquery-cdn.com registered with a privacy service as the registered address.
I assume that this domain does not belong to the jQuery Foundation, and that the jQuery Foundation has a valid trademark on the term “jQuery”. (Update: I checked; it is registered to Software Freedom Conservancy, with previous owner jQuery Foundation.) jQuery Foundation needs to make that domain registration disappear. You are within your rights and need to make it happen.
Domain Name: jquery-cdn.com
Created On: 2014-09-18
Expiration Date: 2015-09-18