For the last few days, we have had some customers come to us worried thinking that their websites were compromised with some type of pop-up malware. Every time they visited their own site they would get a strange pop up:
“Please stop hotlinking my easing script — use a real CDN instead. Many thanks”
What is going on?
We did some Google searches and found hundreds of threads with people worried about the same thing. Out of no where, that pop-up was showing up on their web sites. Were they all hacked?
Popup? If you’re coming here because of a popup on your site I’m sorry, but the increased hotlinking has caused me issues with my hosting company so I’m taking steps to try and sort it out. Please upload the script to your own server and update any urls pointing to gsgd.co.uk to use that version of the file or you could try using the above url for CDN (though this currently only has the 1.3 easing script, look at http://cdnjs.com/ for more info and maybe try and add any missing files/versions still in use).
Please also note, I have no problem with anyone’s use of the plugin without my knowledge or permission, it’s just the hotlinking that’s causing me a headache.
Who Really owns your site?
Most users had no idea that they were even using that plugin. Most developers that include it probably dodn’t even think about the hotlinking issue. It seems that plugin documentation used to give examples pointing to gsgd.co.uk, so the developers just copied and pasted directly into their sites.
What was more worrying to our client was the power that someone else had over their site.
You are not really the only owner of your site
Can you imagine if the author of the Easing Plugin was malicious? Instead of just that pop-up, they could have added a URL redirect to send all your users to any site they of their choosing (SPAM, porn, you name it). What if their server was hacked? The attackers could have added malware and it would have loaded to all your users.
http://o.aolcdn.com/ http://pshared.5min.com/ http://js.adsonar.com/ http://scorecardresearch.com/ http://tctechcrunch2011.wordpress.com/ http://platform.twitter.com/ http://connect.facebook.net/ https://apis.google.com/ http://cdn.optimizely.com/ http://r-login.wordpress.com/ http://cdn.insights.gravity.com/
So their security is not only dependent on their own site, but if any of those 11 sites they include in their site gets hacked, it will affect their users as well.
They are not alone. Our own blog, includes code from:
http://disqus.com http://s.gravatar.com http://stats.wordpress.com http://connect.facebook.net/
So our blog security is also dependent on those 4 sites (Facebook, Disqus, Gravatar and WordPress). Including code from Google CDN,Twitter, Facebook or any major publisher is likely low risk being they have a pretty good level of security. That said, there is still a level of risk you are accepting for you and your visitors. Another thing to consider is the risk increases significantly when you include code from smaller and less known locations.
If you are using this plugin, just remove the include from gsgd.co.uk, download the plugin and store it locally. That’s an easy fix.
I also recommend that you look at the source of your site to see what else you have included.