jQuery server hacked or compromised



Recently my web application stopped working for no apparent reason; I had not changed the code at all. While debugging I found this error message in the JavaScript console of the Chrome browser.

Uncaught ReferenceError: $ is not defined


Since I had not changed the code, I suspected a failure in a dependency. Digging further into the response from code.jquery.com, I was shocked to see unusual characters.

[Screenshot: jquery lib from official website]

[Screenshot: jquery website compromised]

I tried downloading the minified and un-minified jquery-xxxx.js files and hosting them on my own site to resolve this, but the response contained the same unusual Chinese or Japanese characters and my application still did not work. I presume there have been attacks on the jQuery server in the past too.

How serious is this issue?

We build applications that are password protected, served over SSL, IP restricted, or even running on private networks. A jQuery compromise like this gives a backdoor into almost every application that loads the library from code.jquery.com. With a very basic cross-site scripting inclusion in that script, an attacker can read anything appearing on the page or even make disguised AJAX calls to your server and extract everything. In short, this is a very serious issue for hosted web applications that load the library directly from code.jquery.com.

Solution to the compromised jQuery problem:

To resolve this I changed the dependency to the Google-hosted jQuery library instead of the jQuery website.

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>

With this change, my application is working fine. If you prefer, you can download the .js file to your own host and include it from there. With Google you get the added advantage of a CDN, which improves the speed of your application.

You can find the other Google-hosted libraries you can use in your code here: https://developers.google.com/speed/libraries/devguide

After this fix, the jQuery response in the Chrome developer tools Network section looks like this:

[Screenshot: JQuery issue fixed with google link]



About Deepak Keswani

Developing Applications for Computers since 1995 :)
