So Smashing Magazine got hacked yesterday [1] and I was quite surprised by this because they moved off WordPress 3 years ago and have been promoting JAMstack ever since for its performance and security.

I doubt they will be doing a post-mortem on this, but where would the entry point be? A weak GitHub account without two-factor authentication, or something else?

[1] https://twitter.com/tonyciccarone/status/1261100239206957056
1. Keyloggers written entirely in CSS have been demonstrated for some time now. [a]

2. Malicious JavaScript could have been embedded into their CI/CD pipeline and made it onto the site.

3. Somehow stealing SSH keys from a developer and simply logging into the box to change things at the OS level. In fact, it looks like at least one subdomain of theirs is hosted on GoDaddy. SSH keys for some of their customers were recently compromised. Note that I don't think this actually happened, but wanted to list it. [b]

4. Smashing Magazine could also improve security by adding the Expect-CT, Feature Policy, and especially a Content Security Policy. Ironically, a Smashing Magazine article from 2017 mentions at least having a CSP. [c, d]

5. I recall some speech by the NSA at DEFCON, I think in 2012 or something. One of their speakers said that for all the cool stuff they do... 95% of the time it's just password reuse that gets people, or phishing for credentials. This would seem to me the most likely way and the best investment of a hacker's time.

[a] https://css-tricks.com/css-keylogger/

[b] https://www.theregister.co.uk/2020/05/05/godaddy_ssh_login_details_compromised/

[c] https://www.smashingmagazine.com/2017/04/secure-web-app-http-headers/

[d] https://www.keycdn.com/blog/http-security-headers
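An added example (not from the thread or from Smashing Magazine) of the header check that point 4 above implies, tied back to point 1: a small audit that reports which of the hardening headers named in the comment are missing and which CSP directives are weak. The sample header sets are constructed, not captured from smashingmagazine.com. Feature-Policy was later renamed Permissions-Policy in browsers, so the audit accepts either name. The CSS keylogger technique referenced in [a] works by injecting attribute-selector rules that fetch a background image per keystroke, so a policy that allows `'unsafe-inline'` or `*` in `style-src`/`default-src` and `*` in `img-src` is exactly the gap it needs; the audit flags those.

```python
"""Audit a set of HTTP response headers for the hardening headers discussed in
the thread and flag weak Content-Security-Policy directives.

Added example; the header dictionaries below are constructed, hypothetical
responses, not real captures from any site.
"""

from typing import Dict, List

# Constructed: a response with a CSP that is present but effectively useless.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *",
}

# Constructed: the same response with the headers the comment recommends.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Expect-CT": "max-age=86400, enforce",
    "Feature-Policy": "camera 'none'; microphone 'none'; geolocation 'none'",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.com; "
        "style-src 'self'; img-src 'self' data:; object-src 'none'; "
        "base-uri 'self'; form-action 'self'; frame-ancestors 'none'"
    ),
}

# Header name as reported -> lowercase spellings that satisfy it.
REQUIRED = {
    "Content-Security-Policy": ("content-security-policy",),
    "Strict-Transport-Security": ("strict-transport-security",),
    "Expect-CT": ("expect-ct",),
    # Feature-Policy was renamed Permissions-Policy; either counts as present.
    "Feature-Policy": ("feature-policy", "permissions-policy"),
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}.

    Per the spec, a directive repeated in one policy is ignored after its
    first occurrence, so the first one wins here too.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def csp_findings(value: str) -> List[str]:
    """Return human-readable weaknesses found in one CSP header value."""
    policy = parse_csp(value)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    # img-src matters for the CSS keylogger: it exfiltrates via image loads.
    for directive in ("default-src", "script-src", "style-src", "img-src"):
        sources = policy.get(directive)
        if sources is None:
            continue
        if "*" in sources:
            findings.append(f"{directive} allows any origin (*)")
        if directive != "img-src":
            if "'unsafe-inline'" in sources:
                findings.append(f"{directive} allows 'unsafe-inline'")
            if "'unsafe-eval'" in sources:
                findings.append(f"{directive} allows 'unsafe-eval'")
    if "object-src" not in policy:
        findings.append("object-src not set (plugins fall back to default-src)")
    return findings


def audit(headers: Dict[str, str]) -> List[str]:
    """List missing hardening headers and weak CSP directives; [] means clean."""
    present = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    for reported, spellings in REQUIRED.items():
        if not any(spelling in present for spelling in spellings):
            findings.append(f"missing {reported}")
    csp = present.get("content-security-policy")
    if csp is not None:
        findings.extend(csp_findings(csp))
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(headers) or "no findings")
```

To run it against a live site, feed `audit()` the `.headers` mapping from a `requests` or `urllib` response instead of the constructed dictionaries; a CSP served only as `Content-Security-Policy-Report-Only` will show up as "missing", which is the right answer since report-only blocks nothing.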
JAMstack doesn't make you invulnerable but it removes some big surface areas.

You've still got to secure e.g. your hosting account, DNS account, Git account, comment system (against injection attacks). Phishing attacks aren't going to go away.
Most of Ourmine's prior attributed hacks seem to involve compromising an account, whether the original or an email account with it that allows them to reset a password.

Someone else mentioned that at least one subdomain is hosted by GoDaddy, and that seems like a very easy target.