While I was scrolling through my Twitter feed today I spotted a tweet by Matthew Inman which caught my eye. For those of you who aren't familiar with Matthew Inman, he's a cartoonist based out of Seattle who's well known for his comic strip "The Oatmeal". The reason his tweet caught my eye was because he mentioned that the Huffington Post, a UK newspaper, had published his comic without his consent.
A few moments later, a clearly frustrated Matthew Inman took matters into his own hands and decided to take advantage of a crucial mistake the Huffington Post made when publishing his comic - hotlinking. Instead of copying the content to their own servers and referencing it from there, they simply sourced the images directly from Inman's servers, which meant Inman still controlled what their page displayed. This would turn into a hilarious yet educational blunder that the Huffington Post clearly hadn't expected. First, he changed the topmost images to screenshots of his Amazon AWS bill, as seen below.
If that weren't enough, moments later he got a little more creative and changed the last image of his comic strip to a picture of a bare butt and a phallus - captioned "lol I drew a butt and a pee pee!".
And a pee pee! https://t.co/fdlXCLAq15 — Matthew Inman (@Oatmeal) October 28, 2015
Once the Huffington Post caught up with what happened, they took down the content, issued an apology, and properly attributed Inman's original comic.
While Inman's story was more about intellectual property rights and attribution, it also provides an effective and visual example of why organizations developing security-sensitive web applications put themselves at risk when they source content from third-party content delivery networks (CDNs): whoever controls the server the content is fetched from controls what the user's browser receives, and can change it at any time without the site owner's involvement.
What is a CDN?
Back when the Internet was still young, innovative network engineers were trying to figure out ways of making the surfing experience more enjoyable - specifically faster. They came up with a seemingly brilliant idea at the time that involved bringing the content geographically closer to users by caching it on servers near them (e.g. servers hosted at ISPs). Some of the well-known players in this space include Akamai, Amazon CloudFront, and CloudFlare, to name a few. These services were largely transparent to end users, and the primary clientele were large ISPs and online streaming media companies such as YouTube.
Moral of the Story
If your web application hosts sensitive data such as personal health information, financial information (e.g. credit card numbers), or intellectual property, then it is strongly recommended that you maintain private copies of any third-party libraries on servers you control and reference them from there, rather than loading them from a third-party CDN. Finally, we strongly recommend performing an independent security review of these libraries before deploying them, to help identify potential backdoors or malicious code.
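As an added example (not code from the original post), the following Python script lists every script, stylesheet, image, or frame that a page loads from an origin other than its own, which is the inventory you need before moving those resources onto your own servers. The sample HTML, the origin `app.example.com`, and the hostnames in it are constructed for this example; the `integrity` column simply records whether a Subresource Integrity hash is present on the tag.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and the attribute that makes the browser fetch a sub-resource.
_SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ThirdPartyFinder(HTMLParser):
    """Collects sub-resources whose host differs from the page's own origin."""

    def __init__(self, page_origin):
        super().__init__()
        self.page_origin = page_origin.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = _SRC_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)  # html.parser lower-cases tag and attribute names
        url = a.get(attr)
        if not url:
            return
        # A default scheme lets protocol-relative URLs (//host/path) parse a netloc.
        parsed = urlparse(url, scheme="https")
        if not parsed.netloc:
            return  # relative URL: served from our own origin
        host = parsed.netloc.lower()
        if host != self.page_origin:
            self.findings.append({
                "tag": tag,
                "url": url,
                "origin": host,
                # Only meaningful for script/stylesheet, but recorded for all tags.
                "integrity": "integrity" in a,
            })


def find_third_party_resources(html, page_origin):
    """Return a list of {tag, url, origin, integrity} for cross-origin resources."""
    parser = ThirdPartyFinder(page_origin)
    parser.feed(html)
    return parser.findings


# Constructed sample page; the integrity value is a placeholder, not a real hash.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.net/lib/jquery.min.js"></script>
<script src="https://cdn.example.net/lib/other.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/js/app.js"></script>
<link rel="stylesheet" href="//cdn.example.net/css/site.css">
</head><body>
<img src="https://comics.example.org/strip/panel1.png">
<img src="/images/logo.png">
</body></html>"""

if __name__ == "__main__":
    for f in find_third_party_resources(SAMPLE_HTML, "app.example.com"):
        print(f"{f['tag']:6} {f['origin']:22} integrity={f['integrity']}  {f['url']}")
```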