Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
j45 5 hours ago

Too much app logic in the client side (Javascript) has always been an attack vector. The more that can reasonably be server side, the more that can't be seen.

dns_snek 5 hours ago | parent [-]

The amount of javascript is really beside the point here. The problem is that privileged users can easily edit the code without strong 2FA, allowing automatic propagation.

shevy-java 5 hours ago | parent | next [-]

How does 2FA prevent this here?

dns_snek 4 hours ago | parent [-]

If they required 2FA every time you wanted to modify JS then it couldn't propagate automatically. Just requiring 2FA when you first log in wouldn't help, of course.

j45 3 hours ago | parent [-]

2FAs also may require a level of KYC that Wikipedia isn't after and advocating for 2FA might indirectly advocate for a lot more things than just 2FA.

dns_snek 32 minutes ago | parent [-]

KYC? I'm talking about standard 2FA methods like Time-based OTP codes.

j45 3 hours ago | parent | prev [-]

It's not, application logic exposed on the client side is always an attack vector for figuring out how it works and how attack vectors could be devised.

It's simply a calculated risk.

How much business and application logic you put in your Javascript is critical.

On your second unrelated comment about Wikipedia needing to use 2FA, there's probably a better way to do it and I hope mediawiki can do it.

dns_snek 33 minutes ago | parent [-]

I don't know what you mean by application logic being exposed client-side. To change the content on the website, nuke articles, and propagate the malicious JS code you need to hijack privileged users' credentials and use them to trigger server-side actions.

It doesn't matter how much functionality the JS was originally responsible for, it could've been as little as updating a clock, validating forms, or just some silly animation. Once that JS executes in your browser it has access to your cookies and local storage, which means it can trigger whichever server-side actions it wants.

My second comment is not unrelated. The root cause of this mess is the fact that JS can be edited by privileged users without an approval process. If every change to the JS code required the user to enter their 2FA code (TOTP, let's say) then there would be no way for the worm to spread whenever users visited a page.