Don’t run that code - Security Boulevard


The dangers of downloading untrusted code from the internet are well documented. You never know what is contained within someone else’s code, be it sloppy coding or malicious intent. 

If it is a snippet of code that you can easily read, it can be relatively risk-free, because why put in the effort to reinvent the wheel when there are so many wheels already available? You just need to make sure the wheel is balanced, fits your vehicle, has adequate grip and won’t leak air. 


A couple of years ago, I did exactly that by downloading a small bit of code from GitHub and modifying it to build my own Chrome browser plugin. But sometimes it’s the smallest paper cuts that cause the most pain. 

Many moons ago, I was working at a bank and someone downloaded something from GitHub to automate the collection of data from several different sheets into one single spreadsheet. It made perfect sense; after all, the process to manually collate all the information took several hours. With an automated process, it could be completed in a matter of seconds. 

Unfortunately, the developer who downloaded the code did not read all the documentation and comments which came with it. Of course, who has time to do that? The original author had built a workflow so that any time the data was pulled into the spreadsheet, it would get emailed to him.

Note that this wasn’t a malicious insertion. It was fully documented, and the author said in the comments that the email address should be changed to whoever was running it. So this bank developer ran the script, it grabbed some (real) customer data, and emailed it off to the original author. 

Thankfully, it was long before the days of GDPR, and it was only a dozen or so customer names and some basic info (can’t remember exactly what). We tried emailing and getting in touch with the original author to ask him nicely to please delete the spreadsheet that had been emailed, but never got a response. 

I do sometimes wonder what happened… whether the email was not delivered, or the author saw emails from a big bank, got scared and went into witness protection.

But it is a good reminder that it is not always the most obvious issues that bite you. 

*** This is a Security Bloggers Network syndicated blog from Javvad Malik authored by j4vv4d. Read the original post at: http://feedproxy.google.com/~r/J4vv4d/~3/bvSIYYC18xU/