Financial Risk - Carefully Evaluating Open Source Code by codingdefined

As developers we use many open source packages so that we do not reinvent the wheel: we use what already exists instead of writing it ourselves. Node.js developers mostly rely on the npm package manager for this, while .NET developers use NuGet packages. Some packages are used very heavily; UAParser.js, for example, has more than 8 million weekly downloads.

That creates a financial risk for the many people who end up running this code. We all use a great many websites, and I would guess almost every new website uses such packages in one way or another. Consider the scenario where one of the websites you have visited carries a security flaw: it could give away your passwords, cookies and everything else, and the attackers could steal money from you. So it is one of the responsibilities of developers to keep their websites free of anything that can invite this type of attack.

![](https://alpha.leofinance.io/images/DQmXPZ9D7RwqcGz99mP7KnueXihJGRjqLQaZntCXAq58Knt/leoIMAGE.png)

The problem is that we do not actually go into the package code and see what it does; we rely on the package developer for the security evaluation. If the package contains malicious code, it is transferred to every system that installs the package, and all of those systems are compromised.

On 22nd October, the owner account of UAParser.js was hijacked and the attacker pushed new versions containing malicious code. That code stole passwords and Chrome cookies from every affected system and also ran a crypto-miner program on them. As I already mentioned, this is one of the most popular libraries, so it was easy for the hijacker to deliver malicious code to millions of people at once, as soon as they upgraded their package.

![](https://alpha.leofinance.io/images/DQmfH2RPts9A1jPdPahdsyMZXmx25sWrcYh3FwEmVsETfSK/leoIMAGE.png)

One of the reasons this happened, and will happen again, is that we developers are lazy and do not want to check the security of a package. The problem will only grow as attackers find ways to hijack more such packages. One thing we can do is evaluate a specific version of a package for security and then use that version in our project. We should stick to that version and not upgrade all the time; that way we can be sure we are running the code that was tested. You know you will run exactly the same code every time, and you update only when you deliberately update the dependency. Yes, you will miss some new updates, but you will be safe from this type of attack.

Posted using [LeoFinance Mobile](https://leofinance.io)
Created 2021-11-24 15:01:21
@brennanhm ·
This is why I think there should always be an option to disable automatic updates.

Not only on source code, but all the browser crypto wallet extensions that get updated automatically when the developer fixes a bug or adds a feature. What a nightmare it would be if someone hijacked their account and pushed out a malicious update.
Created 2021-11-24 18:30:06
@codingdefined ·
That's true; for developers we have an option to get only a specific version after evaluating the code, but again I am not sure how many people follow it.
Created 2021-11-25 00:37:57