JavaScript malware infested nightmare

Published on 2021-03-01. Modified on 2021-03-02.

Are you a JavaScript framework or library fan-boy? One of those frontend developers who cannot figure out how to build a website without completely smothering and drowning everything in JavaScript? Well, if you are, let me share a JavaScript nightmare with you!

These last couple of days I have been working for a company that contacted me because they were suffering from some "hacking" problems on their website. The company is run by two hardworking entrepreneurs, who know a lot about how to run a successful business, but close to nothing about computer-related security.

These guys naturally trusted their entire IT infrastructure to a couple of external IT companies and they also used a couple of one-man freelance developers for different smaller tasks.

It is a real shame, but I must admit that I am not surprised at my findings. None of these IT companies or one-man freelance developers had the least knowledge about security. What they did is just about what everyone else is doing these days - blindly following hype and trends!

[Image: drawing of people blindly following other people. Caption: Monkey see, monkey do - blind following]

I'm going to skip ahead because the complexity of the problems is almost too difficult to describe, but let's just say that everything is a mess! From how the computers at the office are being used, to the implemented password policy, to lacking firewall implementations, to yes, just about everything is a problem. However, despite multiple possible attack vectors, can you guess where the attackers actually have chosen to focus their payload?

JavaScript obfuscated malware.

I would have expected that the websites would be infested with web shells, SPAM bots, cross-site scripting, and all the other "good stuff", but no.

The company has more than one website, but all are of those kinds that are drowning in unneeded JavaScript from head to toe. Absolutely nothing works on these websites without all of this JavaScript crap - yet, absolutely nothing of what the JavaScript is doing is truly needed or even useful!

As I was going through the code, trying very hard to figure out what was going on in this JavaScript nightmare, I eventually had to give up. It would literally take weeks, if not months to de-obfuscate everything and figure out what was legitimate usage and what was malware.

And that's typical of today's web developers. I cannot count the number of sites I have seen that are filled with utterly useless JavaScript functionality.

And I'm sick of it!

If you're a frontend developer reading this, and you're a JavaScript fan-boy, stop pushing JavaScript!

As a frontend developer you're responsible for your client and their customers. Your stupid JavaScript is a prime target for inserting obfuscated malware so you better make sure it is truly needed, and you better make sure that it is easy to validate!

We don't need JavaScript for the majority of websites on the Internet! It's causing much more harm than good!

For everyone who isn't a frontend developer: Make sure you run your browser in a secure jail, disable JavaScript in your browser or use something like uBlock Origin and boycott websites that have made their basic functionality dependent on JavaScript - you're seriously at risk of getting infected with malware just by visiting a website unless you take your precautions. And no, anti-virus software isn't going to help you!
