jQuery hacked: Site was hit, but not the library

Research group RiskIQ announced last week that they had detected a drive-by download at jQuery.com. What happened?

Updated on September 24: jQuery has confirmed the the attack on Twitter and their blog. The exact tweet: "We have detected a new compromise of http://jquery.com  and are taking action to mitigate the attack. Updates to follow."

Later on a jQuery blog confirmed that a compromise was found on the site, but that it was only intended to deface the site. They state that they still have no evidence of malware injections to jquery.com visitors.

They also emphasize that the only users on their sites who have accounts are members of the jQuery team, and so visitors to the site could not suffer an account compromise.

The people at jQuery.com aren't so sure, but they insist, and in fact RiskIQ agrees, that the actual jQuery JavaScript library was not compromised. Good thing too, as jQuery has astonishing reach on the Internet. According to jQuery.com, everyone who's anyone on the Internet, including almost 70 percent of the top 10,000 sites, uses jQuery (see the table nearby). jQuery is a library of JavaScript tools for simplifying complex tasks such as accessing web services or building user interfaces.

But a compromise of jquery.com itself would be important, as many important developers and IT admins have accounts on it and access it. The RiskIQ claim was that the attack used the RIG exploit kit to target visitors and that "RiskIQ was able to confirm with sources at several large organizations that users of jQuery.com were indeed redirected to this exploit kit." Successful attacks against such people could lead to attacks against their organizations.

jQuery says that, with RiskIQ assistance, they tried to find evidence of a compromise, but found none. They are still examining server logs to look for evidence. And they repeat, in boldface, "[a]t no time have the hosted jQuery libraries been compromised."

Update on September 24: jQuery has since found and announced a compromise of the site, but still has no evidence of attacks on visitors to the site.

Hat tip to Internet Storm Center at the SANS Institute. That article goes on to discuss some important implications of the use of such libraries. A developer brings the library into the site with a script tag and an src attribute to reference the address of the library.

The developer has the option of referencing a local copy of the library or of referencing the original, in this case at jquery.com. Using the copy hosted at jquery.com is usually preferable, principally for two reasons: the code will be delivered faster, and due to the popularity of jQuery the user may already have the code locally cached; and any updates to the library will automatically be incorporated in sites that use jQuery.

The downside is that the security of the library itself is of vital importance. If it were compromised — and once again it was not in this case — then all those millions of sites that use it would also be compromised. For his reason, some sites (including the SANS Institute) host their own copies of jQuery so that they can take control of the security of it.