Hackers seed StatCounter with nasty JavaScript in elaborate Bitcoin cyber-heist caper

One of the top traffic metrics websites on the internet is apparently being used by criminals to steal Bitcoins from a currency exchange. Researchers at ESET have found that the JavaScript used by StatCounter's analytics platform has been modified by miscreants so that when embedded into the pages of Gate.io, a cryptocurrency …

  1. Snowy Silver badge
    Mushroom

    JavaScript far to powerful

    JavaScript is far to powerful and is able to do far to many things. Couple that with most websites run far to many off site scripts severed by third party sites. If your running third party scripts you better be sure they are secure.

    Even this page has 4 of sites scripts.

    1. druck Silver badge
      Facepalm

      Re: JavaScript far to powerful

      s/far to/far too/g

      s/of sites/off site/

      Even that comment had 4 mistakes - what hope for Javascript coders.

      1. Dave_uk

        Re: JavaScript far to powerful

        @druck you are just "TWO" critical!

        Maybe put yourself in safemode so you can handle the unstable environment you find yourself currently within.

  2. Robert Carnegie Silver badge
    Joke

    Or -

    Maybe... this is how StatCounter is financed??

    Just a thought :-) (in your face "Digital Tip Jar"!!)

  3. Anonymous Coward

    Blocking statcounter

    I've been blocking StatCounter for many years; it was one of the first domains that I started blocking back when concerns about tracking started to emerge. Anyone doing financial transactions on a computer should have effective blocking in place, but I realise that a lot of users do not.

  4. Pascal Monett Silver badge

    Javascript is a plague

    The only reason it was created was to force pages to behave in ways HTML did not work. HTML was all that was needed, but corporate mandate forced Javascript into existence to make company web sites conform to what the company wanted - its precious "brand recognition".

    It went downhill from there.

    1. Mike 137 Silver badge

      Re: Javascript is a plague

      In my experience (dating back to 1994) take up of JavaScript was primarily driven by 'web designers' trying to compete with each other in producing show-off sites. The rise of the smart phone exacerbated the problem, as it became trendy to consider every web page as an 'app'. Now we find JavaScript doing utterly unnecessary things, frequently replacing the functionality of intentionally disabled HTML - for example, hyperlink targets coded as "#" and resolved only by JavaScript.

      The fundamental problem here is that site user security is an externality to the web developer, who is often blindly using high level abstracted development tools that generate script-ridden pages, and who maybe never even examines the page source that has been created.

      You only have to examine the source of web pages to see consistent patterns of coding that are unlikely to be the outcome of individual decisions. Most notable is the almost universal entire site map at the top of every page, presented as a massive JavaScript driven menu. Not only is this not navigable with scripting disabled, but it also thwarts users of screen readers, as they have to listen to the entire site map before getting to the interesting content of the page.

      However it's clear that nobody really cares, even about accessibility. There are many comments from web developers on record to the effect that the proportion of users who disable JavaScript is so tiny that they don't count as potential customers, and an increasing number of sites are entirely inaccessible unless it's enabled. So tough on them - I take my business somewhere else.

      1. Psycho Flump

        Re: Javascript is a plague

        Visitors using screen readers will only have a problem with large header menus if the web developer forgot to include the skip navigation links at key points in the page.

  5. Anonymous Coward
    Terminator

    StatCounter platform modified by hackers.

    How did the miscreants get access to the StatCounter platform? This is a clear illustration of the security implications of linking to some third party site that you have no control over.
