New analysis from Source Defense finds there to be a high prevalence of third-party (and even fourth-party) scripts on most websites — which is concerning because of the relative ease with which they could be used to sneak in malicious code.
Typically, when a webpage calls a third-party script, it is loaded directly into a browser from an external server belonging to the third party. This means the script bypasses controls such as perimeter and Web application firewalls and network monitoring tools, according to the security vendor. The process gives threat actors a way to introduce malicious code into the environment via third-party scripts. The problem is exacerbated by the fact that developers of third-party scripts often include code from other developers that in many cases have sourced code from another developer, Source Defense said.
Yet most organizations use third-party scripts for integrating shopping carts, dynamic forms, processing orders and payments, presenting social media buttons, visitor tracking, and a variety of other functions. The scripts are readily available — often for free — from numerous sources, including open source organizations, social media companies, cloud providers, advertising networks, and content delivery networks, the Source Defense report says.
In an analysis of 4,300 of the world's largest websites, the firm found that each site had 15 externally generated scripts on average — with an average of 12 of them on sensitive pages, such as those for collecting user information or for processing orders and payments. Nearly half (49%) of the websites in Source Defense's study had external code with functionality for retrieving form input and monitoring users' button clicks. More than 20% had external code that could modify forms. Most sites had multiple scripts on every single webpage.
Source Defense found that websites belonging to organizations in some sectors had a substantially higher than average number of third-party scripts than others. Financial services websites, for instance, had an average of 19 scripts on sensitive pages, or 60% more than the average across all sectors. Healthcare organizations had 15 of them on average.
A Tempting Attack Vector for Adversaries
"Adversaries remain hyper-focused on data theft from websites that conduct transactions or capture sensitive data," says Hadar Blutrich, CTO and co-founder of Source Defense.
In recent years, there have been numerous incidents where attackers have manipulated or used third-party scripts to steal user and payment card data, to redirect users to malicious sites, log keystrokes, and carry out a variety of other malicious activity. One well-known example is Magecart, a hacker collective that over the years has pilfered data on hundreds of millions of payment cards by sneaking card-skimming software into third-party scripts on retail websites.
Such attacks can have big consequences for businesses. For example, in one incident in 2018, Magecart hackers sneaked a few lines of code into a British Airways website page that ended up exposing personal data belonging to some 380,000 customers. The airline was later hit was a massive fine of more than $200 million over the incident.
"The attack vector remains broad and open for even the world's largest sites, and the risk of significant material loss is quite real," Blutrich says.
To compromise third-party scripts, threat actors sometimes infiltrate public code repositories, he notes. In other instances, they identify organizations that have large networks of clients and compromise scripts from those organizations to perpetrate one-to-many attacks, he says. As one example, Blutrich points to an attack earlier this year in which over 100 sites related to real estate were compromised after an attack planted malware in a cloud-video component on a site belonging to Sotheby's real-estate arm.
How to Combat External Script Risk
The maturity of enterprise processes for mitigating risk from third- and fourth-party scripts tends to vary, Blutrich notes. In some instances, there's no oversight: Digital and marketing teams act on their own to implement new website functionality and engage with third parties, without involving the enterprise security team.
However, "in more mature cases, we've heard of 'script councils' being in place where digital must work with security/compliance to vet and approve any supply chain partners," he says.
Regardless of the internal processes for approval, more must be done for managing and securing the script, Blutrich says. "Once on the site, even if approved, benign changes from the partners themselves may jeopardize compliance and, obviously, malicious changes from threat actors can lead to major data theft and fraud concerns."