• Resolved Swetabh Suman

    (@bri1ckman)


    Dear plugin author,

    I was doing a routine check of all my plugins, and I found encoded JavaScript code (commonly used to hide malicious behavior) in the OneSignal plugin. So, I deactivated the plugin for my security. Please check all JavaScript code and verify that everything is safe; then I will activate OneSignal again.

    Please take a short look –

    cdn.onesignal.com/sdks/OneSignalSDK.js

    try{if(!Object.assign)return!1;var e=new String("abc");if(e[5]="de","5"===Object.getOwnPropertyNames(e)[0])return!1;for(var t={},n=0;n<10;n++)t["_"+String.fromCharCode(n)]=n;if("0123456789"!==Object.getOwnPropertyNames(t).map(function(e){return t[e]}).join(""))return!1;var i={};return"abcdefghijklmnopqrst".split("").forEach(function(e){i[e]=e}),"abcdefghijklmnopqrst"===Object.keys(Object.assign({},i)).join("")}catch(e){return!1}}()?Object.assign:function(e,t){for(var n,s,a=i(e),u=1;u<arguments.length;u++){n=Object(arguments[u]);for(var c in n)o.call(n,c)&&(a[c]=n[c]);if(Object.getOwnPropertySymbols){s=Object.getOwnPropertySymbols(n);for(var l=0;l<s.length;l++)r.call(n,s[l])&&(a[s[l]]=n[s[l]])}}return a}},function(e,t,n){"use strict";Object.defineProperty(t,"__esModule",{value:!0});!function(e){e[e.ServiceWorker="ServiceWorker"]="ServiceWorker",e[e.Host="Host"]="Host",e[e.OneSignalSubscriptionPopup="Popup"]="OneSignalSubscriptionPopup",e[e.OneSignalSubscriptionModal="Modal"]="OneSignalSubscr

    Waiting for your reply.

    Thank you,
    Swetabh Suman
    https://hackernucleus.com

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter Swetabh Suman

    (@bri1ckman)

    Dear plugin author,

    I’m sorry, because my report may be a false positive and I’m not so sure; that’s why I’m requesting you to please check from your end and confirm to me that everything is fine, and if there is a problem, then update OneSignal. This is my favorite plugin.

    Thank you,
    Swetabh Suman

    Hi Swetabh,

    Thanks for your concern. The code you’ve pasted above is not malicious, and our plugin does not contain any malicious code.

    The script you’re seeing above is our JavaScript SDK our WordPress plugin inserts on your site’s pages to subscribe users to notifications and allow users to receive notifications. The various kinds of prompts your users see, from the slide-down permission message to the red notify button that appears on the corner of your site, are all created and handled by our JavaScript SDK. Our WordPress plugin wraps this SDK to provide a UI editor to choose options and modify settings, as well as a way to send notifications when new posts are created.

    Both our WordPress plugin and JavaScript are open source. You can find the source code at https://github.com/OneSignal/OneSignal-WordPress-Plugin and https://github.com/OneSignal/OneSignal-Website-SDK.

    To reduce the time the browser takes to download the JavaScript that runs on your browser, JavaScript code is commonly “minified” by removing unnecessary whitespace and “mangled” by renaming available variables to one-letter characters. The excerpt of our SDK you’ve pasted above is partially the result of minifying and mangling this dependency (https://github.com/sindresorhus/object-assign/blob/2915ed42f4fd79dbe154442c7bafb0ae21a1868b/index.js) and this part of our code (https://github.com/OneSignal/OneSignal-Website-SDK/blob/d9548bb57459d20354377975b71b3f8a0c8345b7/src/modules/frames/SubscriptionPopup.ts).

    Most sites employ this optimization technique of minifying and mangling JavaScript code. The resulting code is hard to read, but is not necessarily malicious.

    If you find malicious code, please report it by contacting us at support@onesignal.com. However, please be reasonably confident about whether you think the code is malicious before reporting it, thanks!
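    The following is an added example, not code from OneSignal, the plugin, or either poster in this thread. It writes out, in readable form, the feature-detection check that the pasted excerpt contains in minified and mangled form (the logic is adapted from the sindresorhus/object-assign dependency the reply links to; the function names shouldUseNative, mangledShouldUseNative and bothAgree are chosen here and are assumptions). Running both versions and comparing their results is the kind of check a site owner can do to confirm that an unreadable build is the same function as its readable source, rather than judging it by appearance alone. The `%26%26` in the forum paste is a URL-encoded `&&`, which is how it is written below.

```javascript
// Added example (not OneSignal's code): readable form of the Object.assign
// feature-detection check that appears minified and mangled in the excerpt.
// Logic adapted from sindresorhus/object-assign; names here are assumed.

// Returns true when the engine's native Object.assign behaves correctly,
// so the polyfill can defer to it instead of its own implementation.
function shouldUseNative() {
  try {
    if (!Object.assign) return false;

    // Old V8 bug: own property names of a String wrapper came back out of order.
    var test1 = new String('abc');
    test1[5] = 'de';
    if (Object.getOwnPropertyNames(test1)[0] === '5') return false;

    // Old V8 bug: non-index keys must keep their insertion order.
    var test2 = {};
    for (var i = 0; i < 10; i++) test2['_' + String.fromCharCode(i)] = i;
    var order2 = Object.getOwnPropertyNames(test2).map(function (n) { return test2[n]; });
    if (order2.join('') !== '0123456789') return false;

    // Old V8 bug: Object.assign must copy keys in their original order.
    var test3 = {};
    'abcdefghijklmnopqrst'.split('').forEach(function (letter) { test3[letter] = letter; });
    if (Object.keys(Object.assign({}, test3)).join('') !== 'abcdefghijklmnopqrst') return false;

    return true;
  } catch (err) {
    // Any exception means the native implementation cannot be trusted.
    return false;
  }
}

// The same check as it appears after whitespace removal and identifier
// mangling: every variable is one letter, `!1` stands for `false`, and the
// comma operator folds statements into single expressions. Behaviour is
// identical to shouldUseNative(); only readability is lost.
var mangledShouldUseNative = function(){try{if(!Object.assign)return!1;var e=new String("abc");if(e[5]="de","5"===Object.getOwnPropertyNames(e)[0])return!1;for(var t={},n=0;n<10;n++)t["_"+String.fromCharCode(n)]=n;if("0123456789"!==Object.getOwnPropertyNames(t).map(function(e){return t[e]}).join(""))return!1;var i={};return"abcdefghijklmnopqrst".split("").forEach(function(e){i[e]=e}),"abcdefghijklmnopqrst"===Object.keys(Object.assign({},i)).join("")}catch(e){return!1}};

// A cheap equivalence check between a readable source and its minified build:
// evaluate both in the same engine and compare what they return.
function bothAgree() {
  return shouldUseNative() === mangledShouldUseNative();
}

// Usage: in any current engine both return true, and bothAgree() is true.
console.log(shouldUseNative(), mangledShouldUseNative(), bothAgree());
```

In a modern engine all three tests pass, so both versions return true and the polyfill simply hands off to the native Object.assign; the point of the exercise is that the mangled text, once evaluated, does exactly what the readable version does.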

  • The topic ‘Found Malicious Codes in OneSignal’ is closed to new replies.