Megathread: Lottiefiles plugin / canvasUI compromised (crypto popups in apps)

ron2 · 2024-10-30T22:00:37.074Z

How long do you anticipate deploying this fix will take? Not sure if we should be implementing the script in header solution if this fix will take effect shortly. Thanks. Watching the status page, but an estimate would be great.

yardilloapi · 2024-10-30T22:06:41.730Z

You’re right, this isn’t a Bubble-only issue. As a service provider, I rely heavily on the reliability of my suppliers. When one of them falters, it impacts the entire operation. That’s why it’s crucial to have contingency plans and multiple safeguards in place. My aim is to ensure seamless service for my customers, regardless of any hiccups that might occur behind the scenes. It’s about maintaining trust and upholding the standards that clients expect.

viable · 2024-10-30T22:12:37.977Z

I’m not following your argument here. I’m at times critical of Bubble and it’s security, but this isn’t one of those times.

If you had your own Bubble “instance” as you quote, you’d be having the exact same issue. If you ran a fully custom web app that required this package, you’d be having the exact same issue.

It’s not Bubble’s fault a third-party package was infected. You could have solved this issue yourself, with or without Bubble, by deleting the package or installing some level of CSP.

georgecollier · 2024-10-30T22:18:06.558Z

viable:

I’m not following your argument here.

I think it’s ChatGPT talking

fede.bubble · 2024-10-30T22:20:00.983Z

How’s everyone looking now?

NexradJosh · 2024-10-30T22:22:31.398Z

FYI, Airdev just pushed updates for Canvas UI Elements and Loader / Loading Screen + Lottie plugins to point to 2.0.4 instead of latest. Upgrade those to be doubly safe.

yardilloapi · 2024-10-30T22:24:32.504Z

Looking good now, no more popups. By the way, it started without any warning, and I haven’t updated my site or used that plugin. You can check all the plugins I’m using. I’d love to hear the root cause analysis.

razvan · 2024-10-31T00:00:02.066Z

Would love to learn more about this as well.

johnny · 2024-10-31T00:42:20.746Z

It could be any plugin you’re using that uses the Lottie Files library.

It doesn’t require any type of update from your Bubble apps because the plugin likely references https://unpkg.com/@lottiefiles/lottie-player@latest (which references the latest version of the library) which contains the bad code.

From reading GitHub it looks like one of their developer’s NPM secret tokens must’ve been hijacked and used to make bad deploys directly to NPM because there are no PRs on GitHub for this.

jawish commented 1 hour ago

We are still investigating but it seems like, as you folks have identified, @Aidosmf token was compromised.

The token was used to publish versions 2.0.5, 2.0.6, 2.0.7 in succession releases over 3 hours.

2.0.5 - pushed to npm at 8:12 PM GMT, 30 Oct 2024
2.0.6 - pushed to npm at 8:35 PM GMT, 30 Oct 2024
2.0.7 - pushed to npm at 9:57 PM GMT, 30 Oct 2024

We have removed the compromised account access and published a new 2.0.8 version that is a copy of the 2.0.4, for all those of you who are using the implicit latest tag via CDNs.

If you are using it by explicitly specifying the version and are using any of the affected versions, please change to 2.0.4 or 2.0.8. We have reached out to npm to help unpublish the affected versions as their web portal and CLI is not letting us unpublish the affected versions.

It looks like their VP of Engineering put a fix out for this in version 2.0.8 of the library

Edit: Lottie Files published a postmortem: x.com

boston85719 · 2024-10-31T04:31:58.910Z

I just saw that my code uses the ‘latest’, I should switch to yours

Screen Shot 2024-10-31 at 11.28.23 AM348×149 12.5 KB

@dorilama thanks for the details

dorilama:

the author should have pinned the version in the url instead of loading the latest version every time.

Nobody had mentioned anything like that previously in the thread. When capturing that code from lottie files directly, they provide the code with the ‘latest version’ using the @latest instead of the current player. I’d imagine a lot of plugin developers are finding the code in the same way I had. Good to know that and from now on, when using this code directly in the app via HTML, I’ll look to avoid the @latest and use a specific player as @julianno.09 does.

nattu · 2024-10-31T04:45:34.902Z

Incident Response for Recently Infected Lottie-Player versions 2.05, 2.06, 2.0.7

Comm Date/Time: Oct 31st, 2024 04:00 AM UTC

Incident: On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees.

Immediate Mitigation Actions

Published a new safe version (2.0.8)
Unpublished the compromised package versions from npm
Removed all access and associated tokens/services accounts of the impacted developer

Impact

Versions 2.0.5, 2.0.6, 2.0.7 were published directly to npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges.
The unauthorized versions contained code that prompted for connecting to user’s crypto wallets.
A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release. With the publishing of the safe version, those users would have automatically received the fix.

Recommended Steps

If using 2.0.5, 2.0.6 and 2.0.7 versions please update to the latest version 2.0.8
SHA: sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ==
If you are unable to update the player immediately, it is recommended that you communicate to Lottie-player end-users to NOT accept any attempts to connect their crypto wallets.

Next Steps

LottieFiles continues to work through its incident response plan and has also engaged an external incident response team to help further investigate the compromise.
We have confirmed that our other open source libraries, open source code, Github repositories, and our SaaS were not affected.

If you believe you’re affected, don’t hesitate to reach out to us at priority_support@lottiefiles.com

randomanon · 2024-10-31T05:53:25.038Z

Such a crazy coincidence, I was thinking about installing this a few weeks ago and then I thought to myself “Nah it doesn’t seem worth the security risk just for animations” and then this happens.

boston85719 · 2024-10-31T05:59:11.476Z

What did you see that highlighted potential security risks?

randomanon · 2024-10-31T06:02:51.774Z

Nothing specific, just a bunch of little things. You can obviously have this happen with any 3rd party JS library, but their site was slow/buggy/glitchy and it just felt amateur and unpolished. My other concern was that you can possibly insert malicious code in the .JSON files instead of the animation code. Really didn’t like that the animation files used .JSON.

chrisdsn · 2024-10-31T06:51:15.109Z

Just to confirm: Is it safe to install the plugin now??

amitshemla · 2024-10-31T06:52:35.858Z

Help! i also have this issue but i dont have the lottie plugin, i do have 72 times an HTMLs with the lottie ifram code… What will be the best option? what should i do?

chrisdsn · 2024-10-31T06:53:29.149Z

Do you still see the pop up?? I deleted the plugin yesterday and didn’t see it again.

LA81638 · 2024-10-31T07:40:51.993Z

There’s some code higher up this thread that you can add to your header to stop it

lindsay_knowcode · 2024-11-12T15:57:13.389Z

If you or your clients are a little anxious after this event - see this post on how to do a risk assessment of all the javascript libraries in use in your Bubbbe app.

How to do a Javascript library Risk Assessment (after the Lottie debacle) Tips

After the debacle with Lottie a few weeks ago, Enterprise customers wanted a risk assessment of ALL plugin libraries used in their Bubble apps. What is the potential risk of any other imported JS libraries? I’ve created a Chrome extension - it lists all the Javascript libraries that your App loads. https://chromewebstore.google.com/detail/js-library-lister/oindknlkenlfcanfhmgoifleiaomgnjf Once you’ve installed the Chrome extension “pin” it so you can see its icon in the extension bar. Then …

fede.bubble · 2024-11-12T16:37:30.610Z

This issue was resolved