6/09/2015

Explaining the "Mystery Code"

Internet users in India and the media are currently talking about the "script injection" discovery made by Thejesh GN (@thej), who claims to be a programmer.

Our country's Telecorps, such as Airtel, Vodafone and Aircel to name a few, have always been the target of allegations regarding their service and quality.

About the Script Injection

The same thing happened a few days back, when the aforementioned coder claimed to have made a breakthrough discovery of a malicious and mysterious script that was being inserted into every website he visited.

The only proof and reproduction of the script injection was this screenshot of the source code of "thej.in", in which a piece of JavaScript code (JavaScript being the de facto scripting language of the web) had been added to the website's source.

source: Trak.in

The complete HTML markup that the coder wanted to show was this:
<script type='text/javascript' src='http://223.224.131.144/scripts/Anchor.js'></script>

Apart from that there were no explanations or any other research which proved how the injected script got there and most importantly what it did!
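One way to show that a tag like the one above was added in transit, given here as an added example that is not from the original post or from Thejesh's repository: compare the script sources in the HTML as received with a copy obtained directly from the origin, and report the extras with the reasons they look foreign. The `example.test` page, the sample HTML and the function names are constructed for illustration; only the extra tag comes from the post.

```javascript
// Added example: list <script src> tags present in the HTML a client received
// but absent from the copy the origin serves, and say why each looks foreign.
// The sample pages and example.test are constructed; only the extra tag is from the post.

// Collect the src of every external <script>, resolved against the page URL.
function scriptSources(html, pageUrl) {
  const sources = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const m = srcRe.exec(tag[1]);
    if (!m) continue; // inline script, no external source to compare
    const raw = m[1] ?? m[2] ?? m[3];
    try {
      sources.push(new URL(raw, pageUrl).href);
    } catch {
      sources.push(raw); // keep unparseable values visible instead of dropping them
    }
  }
  return sources;
}

function isIpLiteral(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith('[');
}

function findInjectedScripts(originHtml, receivedHtml, pageUrl) {
  const expected = new Set(scriptSources(originHtml, pageUrl));
  const page = new URL(pageUrl);
  return scriptSources(receivedHtml, pageUrl)
    .filter((src) => !expected.has(src))
    .map((src) => {
      let u;
      try { u = new URL(src); } catch { return { src, reasons: ['unparseable src'] }; }
      const reasons = [];
      if (u.host !== page.host) reasons.push('third-party host');
      if (isIpLiteral(u.hostname)) reasons.push('IP-literal host');
      if (u.protocol === 'http:') reasons.push('plain HTTP');
      return { src, reasons };
    });
}

const PAGE_URL = 'http://example.test/';
const ORIGIN_HTML = '<html><head><script src="/js/site.js"></script></head><body>Hello</body></html>';
const RECEIVED_HTML = ORIGIN_HTML.replace('</head>',
  "<script type='text/javascript' src='http://223.224.131.144/scripts/Anchor.js'></script></head>");

console.log(findInjectedScripts(ORIGIN_HTML, RECEIVED_HTML, PAGE_URL));
```

The comparison only means something when the origin copy comes from a trusted path, such as the site owner's own files or a fetch over HTTPS; it says where an extra script was loaded from, not what that script does.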

I checked the host IP address on an IP tracer and it looks like it is being hosted in Bangalore, India, and the ISP is Airtel. That is what I think led the coder to assume that Airtel played with privacy with this mere JavaScript code.

The Coder Got A Notice from FlashNetwork 

The main thing that actually sparked the news was the discoverer getting a notice for explicitly posting the code on his GitHub repository. The Israeli company Flashnetwork consequently filed a DMCA complaint and also sent him a notice for the takedown of the code, and it was taken down.

When I read the news on a blog, I too thought this might be something very serious if a professional/qualified programmer had made the discovery and warned people about it, and I searched for the code that was the center of the topic.

Explaining The Mysterious Code that Might Compromise your Privacy

That's what the coder claimed. But later when I found the code it was this:
/**
 * Automatically executed if DOM is ready
 */
$(function() {
    $('a[href*=#]').anchor({
        transitionDuration : 1200
    });
});

/**
 * anchor.js - jQuery Plugin
 * Jump to a specific section smoothly
 *
 * @dependencies jQuery v1.5.0 http://jquery.com
 * @author   Cornel Boppart 
 * @copyright  Author
 
 * @version  1.0.5 (02/11/2014)
 */

;(function ($) {
 
 window.anchor = {
  
  /**
   * Default settings
   *
   */
  settings: {
   transitionDuration: 2000,
   transitionTimingFunction: 'swing',
   labels: {
    error: 'Couldn\'t find any section'
   }
  },

  /**
   * Initializes the plugin
   *
   * @param {object} options The plugin options (Merged with default settings)
   * @return {object} this The current element itself
   */
  init: function (options) {
   // Apply merged settings to the current object
   $(this).data('settings', $.extend(anchor.settings, options));

   return this.each(function () {
    var $this = $(this);

    $this.unbind('click').click(function (event) {
     event.preventDefault();
     anchor.jumpTo(
      anchor.getTopOffsetPosition($this),
      $this.data('settings')
     );
    });
   });
  },

  /**
   * Gets the top offset position
   *
   * @param {object} $object    The root object to get sections position from
   * @return {int}  topOffsetPosition The top offset position
   */
  getTopOffsetPosition: function ($object) {
   var href = $object.attr('href'),
    $section = $($(href).get(0)),
    documentHeight = $(document).height(),
    browserHeight = $(window).height();

   if (!$section || $section.length < 1) {
    throw new ReferenceError(anchor.settings.labels.error);
   }

   if (($section.offset().top + browserHeight) > documentHeight) {
    return documentHeight - browserHeight;
   } else {
    return $section.offset().top;
   }
  },
  
  /**
   * Jumps to the specific position
   *
   * @param {int}  topOffsetPosition The top offset position
   * @param {object} settings   The object specific settings
   * @return {void}
   */
  jumpTo: function (topOffsetPosition, settings) {
   var $viewport = $('html, body');

   $viewport.animate(
    {scrollTop: topOffsetPosition},
    settings.transitionDuration,
    settings.transitionTimingFunction
   );

    // Stop the animation immediately, if a user manually scrolls during the animation.
   $viewport.bind('scroll mousedown DOMMouseScroll mousewheel keyup', function(event){
    if (event.which > 0 || event.type === 'mousedown' || event.type === 'mousewheel') {
     $viewport.stop().unbind('scroll mousedown DOMMouseScroll mousewheel keyup');
    }
   });
  }

 };

 $.fn.anchor = function (method) {
   // Method calling logic
  if (anchor[method]) {
   return anchor[method].apply(this, Array.prototype.slice.call(arguments, 1));
  } else if (typeof method === 'object' || !method) {
   return anchor.init.apply(this, arguments);
  } else {
   return $.error('Method ' + method + ' does not exist on jQuery.anchor');
  }
 };

})(jQuery);

As a professional web developer, I analyzed the code and found that it is nothing but a script that provides a smooth scrolling effect on websites. It was nothing like what the person had succeeded in making people believe it was.

I can't begin to imagine what led Thejesh to assume that the code was something injected suspiciously by Airtel to exploit their privacy. But whatever it was, it was not right and not true either.

Taking Sides?

Sorry, no. This is not about taking the side of the Telecorps to protect them. This is what I found through my research. This is a case of ignorance on the part of the coder who spread this and of the people who believed it without researching much.

On a side note, I have been on Airtel's network and honestly neither that IP address nor any similar script, nor any script at all, was ever injected into the sites. It should be noted, though, that ISPs do insert small snippets of code, for example on the mobile Facebook site, where they insert their home page's link, but that's all. Anything unethical is wrong and should be acted against.
Posted by Deepak Kamat, Blogger Guwahati


2 comments:

  1. >That's what the coder claimed. But later when I found the code it was this...

    It's unclear what the source of this JS code was for you. So with that, your research is not good enough.
    If you got this code from 223.224.131.144, then you could have gotten code already replaced by the authors.

    So you have to get the code from GitHub to say very loud words about someone's quality. Otherwise your quality will be in question. I hope you understand.

    It's suspicious to me that the JS is not available now, but the reason could be that it is available only on the Aircel network, so I can't take it as pro or contra.

    "$ wget 223.224.131.144/scripts/Anchor.js
    --2015-06-11 11:03:07-- http://223.224.131.144/scripts/Anchor.js
    Connecting to 223.224.131.144:80... failed: Connection timed out.
    Retrying.

    --2015-06-11 11:03:30-- (try: 2) http://223.224.131.144/scripts/Anchor.js
    Connecting to 223.224.131.144:80... failed: Connection timed out.
    Retrying.


    --2015-06-11 11:03:53-- (try: 3) http://223.224.131.144/scripts/Anchor.js
    Connecting to 223.224.131.144:80... ^C
    $ ping 223.224.131.144
    PING 223.224.131.144 (223.224.131.144) 56(84) bytes of data.
    From 223.224.40.68 icmp_seq=1 Time to live exceeded
    From 223.224.40.68 icmp_seq=2 Time to live exceeded
    ^C
    --- 223.224.131.144 ping statistics ---
    2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1000ms


  2. In the next post you wrote "Finally a backup was found". You should provide a link to the archive and explain how you got it in enough detail. Otherwise people may think you are "with the bad guys" or just promoting yourself on this wave. As you know, tech guys always like to operate with real details/facts/etc., not just someone's words (it doesn't matter whether it is @Thejesh GN, @Deepak Kamat or someone else). By the way, the fact of the DMCA and some other details doesn't speak well of Airtel & FlashNetworks.
