Over the weekend, thousands of websites around the world, including the UK’s NHS and ICO and the US Government Court system, were compromised, and caused visitors to mine crypto-coins – generating money for the miscreants.
These sites were using a popular plugin called Browsealoud. Their support software “adds speech, reading, and translation to websites facilitating access and participation for people with Dyslexia, Low Literacy, English as a Second Language, and those with mild visual impairments.”
The malicious code was first spotted by UK-based infosec consultant Scott Helme, and confirmed by The Register.
The issue here is that many websites are using third-party tools for services such as this, and as such are at risk of their sites being exploited. These can include JQuery, Google Fonts, and many other libraries and plugins.
To use this technique simply add an integrity attribute to your script tags which use external sites.
<script src="https://example.com/example-framework.js" integrity="sha384-Li9vy3DqF8tnTXuiaAJuML3ky+er10rcgNR/VqsVpcw+ThHmYcwiB1pbOxEbzJr7" crossorigin="anonymous"></script>
Full information can be found on the W3C Website: https://www.w3.org/TR/SRI/
Currently, these must use the SHA-256, SHA-384 and SHA-512 cryptographic hash functions. This is currently supported in Firefox 57, Chrome 49, Safari 11 and Edge 17 and above, as well as most mobile browsers. Compatibility can be found here: https://caniuse.com/#feat=subresource-integrity
You can also test your browser support here: http://w3c-test.org/subresource-integrity/subresource-integrity.sub.html
There is also an excellent tool for generating these SRI hashes, simply visit https://www.srihash.org/ and type in the URL and you will be given the correct hash and script tag to use.
You can also use the command:
openssl dgst -sha384 -binary FILENAME.js | openssl base64 -A
It is highly recommended that developers consider this new technique carefully, this is both a security feature – but may cause issues if external files are changed.