Popular jQuery Plugin Exposed for Years
10 Dec
News has come out that hackers have been abusing a zero-day security flaw in one of the most popular plugins for jQuery. These hackers were able to plant web shells and take control of web servers using the security flaw.
The source of the issue is the jQuery File Upload plugin, known to most by its author's name, Blueimp. It is not some small plugin used by a handful of people; it is a plugin built on top of jQuery, and if you look at the most starred projects on GitHub, it is the second most starred jQuery project.
When you consider a vulnerability in a plugin, it is never just about that one component. The plugin itself is what is vulnerable, but it is used everywhere: it has been forked almost 8000 times and is used in WordPress, Drupal and company intranet solutions.
A vulnerability like this means there is a serious security hole in every system where the plugin is in use, and that can leave many sites, companies and organizations open to exactly the kind of attack that would be devastating.
What Damage Can Be Done?
According to security researcher Larry Cashdollar, a lot can be done with this vulnerability. He showed that it is possible to upload malicious files to a server and then take control of the server to cause further harm.
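As an added illustration (not code from the plugin or from the article), this is the kind of server-side check an upload handler needs so that an uploaded file can never be executed as a web shell: a strict extension allowlist applied to every segment of the name, a server-chosen filename, and a storage directory outside the web root. `UPLOAD_ROOT` and the allowlist are assumed values for the example.

```python
import os
import re
import secrets

# Only the extensions the application actually needs. Anything that the web
# server might execute (.php, .phtml, .jsp, .aspx, ...) is simply not here.
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "pdf"}

# Assumed location, kept outside the web server's document root so that even
# a file that slipped through could not be requested and executed over HTTP.
UPLOAD_ROOT = "/srv/app/uploads"


class UploadRejected(ValueError):
    """Raised when a client-supplied filename is not acceptable."""


def safe_stored_name(original_name: str) -> str:
    """Validate the client's filename and return a server-chosen name."""
    # Drop any directory components the client sent (../, C:\, etc.).
    base = os.path.basename(original_name.replace("\\", "/"))
    if not base or base in (".", ".."):
        raise UploadRejected("empty or invalid filename")
    # NUL and other control characters are used to truncate names in
    # lower layers, so a name containing them is rejected outright.
    if re.search(r"[\x00-\x1f]", base):
        raise UploadRejected("control character in filename")
    parts = base.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("missing extension")
    # Every extension segment must be allowlisted, so 'shell.php.png' is
    # rejected instead of trusting the server to pick the last segment.
    # A dotfile such as '.config' has an empty stem and fails here too.
    for ext in parts[1:]:
        if ext not in ALLOWED_EXTENSIONS:
            raise UploadRejected(f"extension not allowed: .{ext}")
    # Never reuse the client's name on disk: random name, allowlisted ext.
    return f"{secrets.token_hex(16)}.{parts[-1]}"


def is_acceptable_name(original_name: str) -> bool:
    """True if safe_stored_name() would accept the name."""
    try:
        safe_stored_name(original_name)
    except UploadRejected:
        return False
    return True


def stored_path(original_name: str) -> str:
    """Full path under UPLOAD_ROOT for an accepted upload."""
    return os.path.join(UPLOAD_ROOT, safe_stored_name(original_name))
```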
The interesting aspect of this exploit is that it has only just become public knowledge. There is typically a very short gap between an exploit being discovered and its becoming widely known, but it appears that hackers kept this one quiet for more than two years.
In fact, YouTube tutorials dating back to 2015 have been spotted that explain how to exploit this vulnerability in jQuery. The good news is that it is finally being addressed, and jQuery does appear to be taking steps to close this loophole.
Damage Already Done?
The issue for many who have been using this jQuery plugin is that the damage may already have been done. There is no way to know where this vulnerability has been exploited, or for how long.
All that remains is to patch it and hope that any future vulnerabilities are spotted a lot faster. When plugins are such a common part of complex projects, even the slightest flaw can have serious consequences.