You download a copy of a photo I took to your computer.
I have a website that lets people see the photo, it’s a popular website
Except that photo on my website doesn’t point to a copy of that photo on one of my computers, it points to the copy on yours.
Millions of people visit my website, and each time they do, they download your copy of my photo.
Uploading that photo to millions of computers across the world fucks up your internet service. You could also switch out my photo for another one, maybe even an offensive one, but my website would still point visitors to it.
In the original post, this is what a multibillion dollar corporation, a bank, did to a not-for-profit service that keeps a historical record of the internet.
I hinted at the security implications of what happened, but explaining that would make the analogy too complex.
Lets go a little beyond merelly hinting at the security implications:
The files being hosted by that 3rd party are Javascript, which is code that runs on the browser.
Barclays is a bank.
So people go to the website of a bank and their browser receives code from a 3rd party with whom the bank has no contract and who have nothing in place to obbey the level of security that is required by a banking site.
This is way more “interesting” that the photo from that example of yours (which doesn’t have any executable code, only data, being fed to very mature image decoding libraries so it’s many times harder to find exploits for it than for code)
Consider the implications of getting the Barclays website to serve (from the point of view of a user) what can easilly be malware…
Fair, although explaining a potential vector for a hypothetical XSS attack and its implications to someone who doesn’t know what Javascript is sounds like information overload
You download a copy of a photo I took to your computer.
I have a website that lets people see the photo, it’s a popular website
Except that photo on my website doesn’t point to a copy of that photo on one of my computers, it points to the copy on yours.
Millions of people visit my website, and each time they do, they download your copy of my photo.
Uploading that photo to millions of computers across the world fucks up your internet service. You could also switch out my photo for another one, maybe even an offensive one, but my website would still point visitors to it.
In the original post, this is what a multibillion dollar corporation, a bank, did to a not-for-profit service that keeps a historical record of the internet.
I hinted at the security implications of what happened, but explaining that would make the analogy too complex.
Lets go a little beyond merelly hinting at the security implications:
So people go to the website of a bank and their browser receives code from a 3rd party with whom the bank has no contract and who have nothing in place to obbey the level of security that is required by a banking site.
This is way more “interesting” that the photo from that example of yours (which doesn’t have any executable code, only data, being fed to very mature image decoding libraries so it’s many times harder to find exploits for it than for code)
Consider the implications of getting the Barclays website to serve (from the point of view of a user) what can easilly be malware…
Fair, although explaining a potential vector for a hypothetical XSS attack and its implications to someone who doesn’t know what Javascript is sounds like information overload