7cbb6cd2 malware

I Fixed My Malware Injection Issue With Content-Security-Protection

Recently I updated the setup on my personal blog. I enabled Content-Security-Protection, and setup the report-uri (so that I would get notification of some of the blocked content).

My expectation is this would be empty. After all, my blog doesn’t host advertising or user-generated content. But to my surprise, I saw some blocked notifications for rasenalong>dot>com (purposely not made a link here). Huh? What is that? Let’s dig in.

After some research I find that some users are getting ads and other scummy content injected on my site. I purposely don’t place ads on it, I don’t want someone else’s message showing up. How could this be? What might those ads say?

It turns out these users have a piece of malware called ‘LNKR‘. It was injecting JavaScript into my served page and then placing ads and tracking my users.

I am appalled. My new changes mean that the users browser will block content that gets injected. So no more ads for me, showing who knows what.

If you have not enabled Content-Security-Policy, or if you just want to check your site, head on over to observatory.mozilla.org. Its 1-minute, its free, its great.

I’ve done a short video to talk about this, feel free to watch and subscribe.