Who Really Owns Your Website? “Please Stop Hotlinking My Easing Script — Use a Real CDN Instead.”
For the last few days, we have had some customers come to us worried thinking that their websites were compromised with some type of pop-up malware. Every time they visited their own site they would get a strange pop up:
“Please stop hotlinking my easing script — use a real CDN instead. Many thanks”
What is going on?
We did some Google searches and found hundreds of threads with people worried about the same thing. Out of no where, that pop-up was showing up on their web sites. Were they all hacked?
Through further research we found that all of the sites in the results had a JavaScript include from: http://gsgd.co.uk/sandbox/jquery/easing/jquery.easing.1.3.js. This file is part of the popular jQuery Easing Plugin. It seems the author of that plugin got upset that many people were linking directly from his site, and modified the content of that file to give that warning instead. He posted an explanation on his site about it:
Popup? If you’re coming here because of a popup on your site I’m sorry, but the increased hotlinking has caused me issues with my hosting company so I’m taking steps to try and sort it out. Please upload the script to your own server and update any urls pointing to gsgd.co.uk to use that version of the file or you could try using the above url for CDN (though this currently only has the 1.3 easing script, look at http://cdnjs.com/ for more info and maybe try and add any missing files/versions still in use).
Please also note, I have no problem with anyone’s use of the plugin without my knowledge or permission, it’s just the hotlinking that’s causing me a headache.
Who Really owns your site?
Most users had no idea that they were even using that plugin. Most developers that include it probably dodn’t even think about the hotlinking issue. It seems that plugin documentation used to give examples pointing to gsgd.co.uk, so the developers just copied and pasted directly into their sites.
What was more worrying to our client was the power that someone else had over their site.
You are not really the only owner of your site
Every time you add a remote JavaScript (or widget or iFrame) to your site, you are giving the server that houses that code full control of what is displayed to your users. If their servers get compromised, your site will be compromised as well.
Can you imagine if the author of the Easing Plugin was malicious? Instead of just that pop-up, they could have added a URL redirect to send all your users to any site they of their choosing (SPAM, porn, you name it). What if their server was hacked? The attackers could have added malware and it would have loaded to all your users.
This is very common. For example, look at the techcrunch.com website (big news outlet). They load JavaScript from all these domains:
http://o.aolcdn.com/ http://pshared.5min.com/ http://js.adsonar.com/ http://scorecardresearch.com/ http://tctechcrunch2011.wordpress.com/ http://platform.twitter.com/ http://connect.facebook.net/ https://apis.google.com/ http://cdn.optimizely.com/ http://r-login.wordpress.com/ http://cdn.insights.gravity.com/
So their security is not only dependent on their own site, but if any of those 11 sites they include in their site gets hacked, it will affect their users as well.
They are not alone. Our own blog, includes code from:
http://disqus.com http://s.gravatar.com http://stats.wordpress.com http://connect.facebook.net/
So our blog security is also dependent on those 4 sites (Facebook, Disqus, Gravatar and WordPress). Including code from Google CDN,Twitter, Facebook or any major publisher is likely low risk being they have a pretty good level of security. That said, there is still a level of risk you are accepting for you and your visitors. Another thing to consider is the risk increases significantly when you include code from smaller and less known locations.
The Solution?
If you are using this plugin, just remove the include from gsgd.co.uk, download the plugin and store it locally. That’s an easy fix.
I also recommend that you look at the source of your site to see what else you have included.
Do a view-source: on your browser and search for <script or <iframe to see what is being loaded. You might be surprised. Our SiteCheck Scanner also prints a list of JavaScript and iframe links we found, so you can use that as well.