We’re using nodejs extensively in our current research project – webinos – and I have personally enjoyed programming with it and the myriad of useful 3rd-party modules available online.
However, I’ve always been concerned about the ease at which new modules are made available and may be integrated into bigger systems. If I want to create a website that supports QR code generation, for example, as a developer I might do the following:
- Visit google and search for “nodejs qrcode”. The first result that comes up is this module – https://github.com/soldair/node-qrcode . From a brief look at the github page, it seems to do exactly what I want.
- Download the module locally using ‘npm install qrcode’. This fetches the module from the npmjs registry and then installs it using the process defined in the package.json file bundled with this module.
- Test the module to see how it works, probably using the test cases included in the module download.
- Integrate the module into webinos and then add it to webinos’ package.json file.
- When the changes make their way into the main project, everyone who downloads and installs webinos will also download and install the qrcode module.
I’m going to go out on a limb and suggest that this is a common way of behaving. So what risk am I (and anyone developing with nodejs modules) taking?
If you’re using nodejs in production, you’re putting it on a web server. By necessity, you are also giving it access to your domain certificates and private keys. You may also be running nodejs as root (even though this is a bad idea). As such, that nodejs module (which has full access to your operating system) can steal those keys, access your user database, install further malware and take complete control of your webserver. It can also take control of the PCs you and your fellow developers use every day.
The targets are juicy and the protection is minimal.
And yet, so far, I have encountered no malware (or at least none that I know about). Some modules have been reported, apparently, but not many. Why is that?
It could partly be because the npmjs repository offers a way for malware to be reported and efficiently removed. Except that it doesn’t. It may do so informally, but it’s not obvious how one might report malware, and there’s no automatic revocation mechanism or update system for already-deployed modules.
It could be that the source code for most modules is open and therefore malware authors dare not submit malicious modules for fear of being exposed, and those that do are rapidly exposed. Indeed, in the case of the qrcode module (and most nodejs modules) I can inspect the source code to my heart’s content. However, the “many eyes” theory of open source security is known to be unreliable and it is unreasonable to suppose that this would provide any level of protection for anything but the most simple of modules.
I can only assume, therefore, that there is little known nodejs malware because the nodejs community are all well-intentioned people. It may also be because developers who use nodejs modules form a relationship with the developer of the module and therefore establish enough trust to rely on their software.
However, another way of putting it is: nobody has written any yet.
The problem isn’t unique – any third party software could be malicious, not just nodejs modules – but the growing popularity of nodejs makes it a particularly interesting case. The ease at which modules can be downloaded and used, in combination with their intended target being highly privileged, is cause for concern.
Disagree? Think that I’ve missed something? Send me an email – details here.
Update – I’ve blogged again about this subject over at webinos.org
Disagree? Not at all. In fact this is a real risk. It has happened with jquery.
One thing that I do to detect these types of malware infestation is constantly run network analysis on the webservers that are serving our apps. It sends us a daily report of all the network connections of all types. We visually inspect the report to see if there is anything out of order. You have to do this visually. It is unlikely that an automated system will detect this type of anomaly. But once you are familiar with the traffic patterns of your app, it only takes a few minutes to inspect the daily network report.