July 5, 2023

Bluesky - Security made by Javascript Jokeys

A server backend written in Javascript? What could possibly go wrong?

This article is a reconstruction of a FediMeister thread, first published 29 April, 2023 on Mastodon. It is no longer available at its original location due to the instance having been shut down a month later.

The thread was part 1 of 4 in the About Bluesky series. It was written while looking through the material as it got published by Bluesky. Some information herein may be inaccurate or outdated.

Patrick

@raccoon@home.social

🧵 [1 / 15]

So, #Bluesky is all the hype now and a lot of #Mastodon people are falling for the olde “invite link” trick which not only paints, what is ultimately going to be another social media shitshow, as an exclusive club, but also sneakily turns everyone’s curiosity into a vessel for word-of-mouth advertisement to ride piggy back on.

Well, maybe the AT Protocol is at least better than #ActivityPub. So, since it is on #Github [1], let’s have a quick look and … Aww shit! Thread time…

Patrick

@raccoon@home.social

🧵 [2 / 15]

The first thing to notice is that Bluesky uses three programming languages: Go, TypeScript and JavaScript. TypeScript is actually just JavaScript with some type safety checks nailed on top. Technically that is an improvement, but so is putting a “careful, hot” sticker on a cup of coffee. For all intents and purposes, the whole AT Protocol layer is written in JavaScript.

How bad is the JavaScript situation? Well, let’s just say, it is not a fun ecosystem.

Patrick

@raccoon@home.social

🧵 [3 / 15]

JavaScript was originally envisioned as a toy programming language for text manipulation. More specifically: manipulating the HTML inside the Netscape Navigator window (the ancestor of the Firefox web browser). As such, it was only informally specified (resulting in browser vendors deliberately implementing slightly incompatible dialects) and lacked a type system (which makes a language more difficult to learn, but also prevents a lot of bugs).

Let’s reiterate the point of the previous video with a more technical explanation of what you get when you leave the type system out to make your language easier to learn.

Patrick

@raccoon@home.social

🧵 [4 / 15]

Needless to say, JavaScript was shunned by professionals, but thanks to the rise of the web, the language was doomed for success. Microsoft eventually thought to rectify the original sin, by standardizing JavaScript as ECMAScript and later adding a type checking extension (TypeScript), but by then, the damage was already done.

Patrick

@raccoon@home.social

🧵 [5 / 15]

For years, people of various (or no) coding skills had been writing JavaScript code and, due to the browser compatibility issue, that often came down to just copy-and-pasting someone else’s solution without really understanding why it was working. This was fine, because the worst case scenario was hanging someone’s browser window. However, in 2009 [2], someone had the idea of taking the script engine out of the browser, making it a standalone interpreter, and suddenly,

Patrick

@raccoon@home.social

🧵 [6 / 15]

JavaScript became a system programming language! From a technical point of view, that was a horrible decision, but it allowed for (cheaply) hiring JavaScript Jokeys as (full stack) system engineers or even architects. So naturally, this caught on.

Patrick

@raccoon@home.social

🧵 [7 / 15]

Nowadays, we have Node.js (the command line interpreter), NPM (the package manager), a community of copycat programmers and tons of poorly maintained legacy code for solving trivial problems, rotting in the NPM repository. Don’t get me wrong, there are things you should not implement yourself (e.g. anything related to cryptography), but in the Node.js ecosystem, dependencies are transient: even if you only pull respected packages into your project,

Patrick

@raccoon@home.social

🧵 [8 / 15]

you are still at risk of them pulling some nonsense from somewhere else. A typical JavaScript project easily depends directly and indirectly on a couple hundred other projects and is virtually impossible to audit for security.

So, how dangerous is it to write your server-side code in JavaScript?

Patrick

@raccoon@home.social

🧵 [9 / 15]

In 2022, Russia launched a full scale invasion of Ukraine. To say this made a lot of people unhappy would be an understatement, and there were many forms of protest, including one in which a JavaScript developer thought that his code had the right to nuke the user’s system if run on Russian servers [3]. I’m not going to go into the moral aspects of what he did, nor how haphazardly it was implemented, but thanks to the transient nature of the ecosystem,

Patrick

@raccoon@home.social

🧵 [10 / 15]

his malicious code got millions of downloads, just by being an indirect dependency.

Patrick

@raccoon@home.social

🧵 [11 / 15]

This was by far not the first attack in the ecosystem, nor was it the most sophisticated. Typosquatting, for example, is a common problem [4]. Another one is that developers lose interest in their projects and transfer ownership to the first person willing to take over, abandon them altogether or get their developer accounts hacked (this problem is so bad that GitHub could leverage it as an excuse to force 2FA on developers in 2022 [5]).

Patrick

@raccoon@home.social

🧵 [12 / 15]

So, now we have Bluesky. A company that wrote its backend code in TypeScript and, as a social network, has a huge target painted on its back.

Want to break into their servers? Here’s how you’d do it:

Patrick

@raccoon@home.social

🧵 [13 / 15]

  1. Download the Bluesky source code [1].
  2. Look for package.json files, extract the dependencies, build the dependency graph.
  3. Find all dependencies where the version code begins with a "^" (“this or newer”) - rookie mistake (hint: applies to almost all of them).
  4. Check third party dependencies for maintainer fatigue (you will probably find a dozen); offer to buy their projects.
  5. Lay low for a few months, then trojanize your acquisition; wait for Bluesky to pull.
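Step 3 above is something a project's own maintainers can check for themselves. The following is an added example for this reconstruction, not code from the thread or from Bluesky's repositories: it reads a package.json, classifies each dependency specifier and reports every one that is not pinned to an exact version and can therefore float to a release that did not exist when the manifest was written. The manifest and package names in it are constructed for illustration.

```javascript
// Added example: audit a package.json for floating version specifiers.
// The manifest below is constructed; the package names are hypothetical.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-service",
  dependencies: {
    "left-gadget": "^1.4.2",   // caret: any 1.x.y >= 1.4.2
    "tilde-thing": "~2.0.1",   // tilde: any 2.0.x >= 2.0.1
    "anything-goes": "*",      // wildcard: literally any published version
    "pinned-lib": "1.0.0",     // exact version: the only kind that does not float
    "remote-dep": "git+https://example.invalid/repo.git", // not from the registry
  },
  devDependencies: {
    "build-tool": ">=3.0.0",   // open-ended comparator range
  },
});

// Classify one dependency specifier. Only an exact x.y.z version is "pinned";
// every other form is resolved at install time against whatever the registry
// (or remote) currently offers.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^\d+\.\d+\.\d+$/.test(s)) return "pinned";
  if (/^(git\+|https?:|file:|github:)/.test(s)) return "url";
  if (s.startsWith("^")) return "caret";
  if (s.startsWith("~")) return "tilde";
  if (/^[<>]=?/.test(s)) return "comparator";
  if (s === "" || s === "*" || s === "latest" || /^\d+$/.test(s) || /\bx\b/i.test(s)) return "wildcard";
  return "other";
}

// Walk the manifest's dependency maps and return every entry that is not pinned.
// Each finding records the field it came from so the report is actionable.
function auditManifest(jsonText) {
  const pkg = JSON.parse(jsonText);
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "pinned") findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Usage: list the floating specifiers found in the constructed sample.
for (const f of auditManifest(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}: ${f.name} "${f.spec}" (${f.kind})`);
}
```

Pinning the direct specifiers alone does not freeze the transitive tree; a committed lockfile installed with `npm ci` is what actually does that, and this check is only the first pass.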

Patrick

@raccoon@home.social

🧵 [14 / 15]

Congratulations, Bluesky now runs your code. What it does is up to you. It lives near the part responsible for handling user identities and content.