While Donald Trump pleads with Russia to hack Hillary Clinton’s email accounts, the GOP candidate narrowly avoided his own cybersecurity fiasco. As engineer Shu Uesugi pointed out, Trump’s donation page was susceptible to an injection attack (until yesterday; Uesugi’s post brought about a quick fix).
What he discovered was that on the donation page Trump’s site was loading an external JavaScript file from a GitHub repository. In layman’s terms, it was requesting and running code that was authored and stored on servers that didn’t belong to the Trump web operation.
Generally speaking, this is not a worrisome practice. Calling external files happens often on the web. In fact, it’s often preferred. For example, rather than hosting and loading fonts yourself, you can just request them from Google, saving yourself bandwidth costs and shortening load times. Loading jQuery, a popular variant of JavaScript, is often performed the same way. It can also backfire, like during this past spring when a deleted Node.js package used by some of the biggest websites caused thousands of sites to malfunction.
There is not much hazard in this. Google and jQuery are large projects whose stability can be relied upon. The problem with Trump’s website was that it was calling a JavaScript file from Github, a leading version-control service. It allows developers to iterate on their programs, saving snapshots of code as work progresses. More importantly, because of how git, the program at the heart of Github, works, it allows other users to submit changes to projects.
This is known as a pull request. If somebody makes changes to a project, they can submit a request to that project’s owner, asking the owner to “pull” their changes into the main branch. So if someone wanted to mess with Trump’s site, all they’d need to do is submit a pull request to the Github repository, and have it be accepted. In fact, after the exploit was publicized, someone submitted an “URGENT FIX” which would have changed the background of the page to an image of Trump and Putin making out. In the grand scheme of possible hacks, that’s not so bad.
