upvote

points

by trimethylpurine6 hours ago |
comments
upvoteby kevinsync5 hours ago|
next
[-]
Using somebody's stuff is different than hot-linking directly to a hosted version of it, even just from the perspective that dude could delete it at any time and break the whole app.
reply
upvoteby trimethylpurine2 hours ago|
parent|
[-]
That's fair. I download and embed, personally. Still, it's not a rant worthy mistake, honestly. Suggest a better approach, sure.
reply
upvoteby array_key_first1 hours ago|
parent|
[-]
It's definitely a rant worthy mistake because this would literally never happen in any professional app anywhere. This is a supply chain risk.
reply
upvoteby trimethylpurine28 minutes ago|
parent|
[-]
Microsoft? Okta? JetBrains? If these are amateurs, who is a professional developer?

https://www.encryptionconsulting.com/top-10-supply-chain-att...

Are you aware that common libraries like Bootstrap, FontAwesome, and HTMX walk developers through linking to their CDNs directly? In fact, FontAwesome recommends it for CDN performance.

I think you're dangerously mistaken if you believe that it "literally never" happens. It literally does happen all the damned time. And, for your own safety and others', you should assume that when you use any app for which you don't have the source code.

reply
upvoteby rendx5 hours ago|
prev|
next
[-]
I don't know if you're being serious or not, but in case you are: There is a difference between (re)using other people's open sourced code, hopefully reviewed, and giving anyone in control of the third party repository the ability to run arbitrary code on your user's devices. Even if the "random GitHub repo" doesn't contain any malicious code right now, it may well contain some tomorrow.
reply
upvoteby torstenvl3 hours ago|
parent|
[-]
Completely agree. This is really unique. Can you imagine if it were standard practice to be open to supply chain attacks like that, by blindly relying on hotlinked or unpinned dependencies?
reply
upvoteby trimethylpurine21 minutes ago|
parent|
[-]
Why imagine? Let's take a quick look at what's actually happening right now. We can check some widely used libraries and see what their instructions are teaching new developers.

Boostrap (code snippet from their quick start instructions): ``` <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Bootstrap demo</title> <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootst..." rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous"> </head>

<script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/umd/..." integrity="sha384-I7E8VVD/ismYTF4hNIPjVp/Zjvgyol6VFvRkX/vR+Vc4jQkC+hVqc2pM8ODewa9r" crossorigin="anonymous"></script> <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstr..." integrity="sha... ```

Pay close attention, they are inviting the new developer to link not just to Bootstrap, but to Popper!

HTMX (code snippet from their quick start guide): ``` <script src="https://cdn.jsdelivr.net/npm/htmx.org@2.0.8/dist/htmx.min.js"></script> <!-- have a button POST a click via AJAX --> <button hx-post="/clicked" hx-swap="outerHTML"> Click Me </button> ```

Fontawesome: A video quick start guide and instructions that recommends using the direct link to the kits via CDN for performance!

Look, I certainly don't think they should be used this way. But, to say that it's unique to the White House app? I definitely wouldn't say that. In fact, I think you've dangerously overestimated the status quo.

reply
upvoteby input_sh5 hours ago|
prev|
next
[-]
It's always a better idea to make a local copy of it.

Imagine they're downloading a project directly from your GitHub account. Even if you're not doing anything malicious and have no intention of doing anything malicious even after you've been aware of this, now all of a sudden your GitHub account / email is a huge target for anyone that wants to do something malicious.

reply
upvoteby xocnad5 hours ago|
prev|
next
[-]
All good for you to make those choices for yourself. Your response seems to be show ignorance of all the recent supply chain attacks that have occurred. You can imagine that given the situation with the shoe gifts that many high up members of the administration and cabinet members are running this app.
reply
upvoteby trimethylpurine2 hours ago|
parent|
[-]
I'm critical of the author.

I'm well aware of supply chain attacks. But this isn't a supply chain attack. If it were, the article would be way more interesting.

The supply chain attack articles are interesting exactly because this is so common. So what's special here other than it being loosely related to a disliked political figure? HN isn't supposed to be an especially political website.

"A common app is doing the same thing that basically every other app is doing."

Is that a good headline? No. And this isn't a good article.

reply
upvoteby rpdillon5 hours ago|
prev|
[-]
The dependencies weren't vendored, meaning their behavior can change at any time if a malicious actor gains control of that third-party repo.

This is bad for security.

reply
upvoteby trimethylpurine15 minutes ago|
parent|
[-]
Yes, I agree. And it's sadly, as we can see, still fairly standard practice to ignore it.
reply