Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:00 PM

Attacks on JavaScript Services Leak Info From Websites

Three marketing tools, including the Best Of The Web security logomark, were compromised in supply chain attacks, allegedly leaving website customers leaking their users' sensitive information.

In the latest breaches to highlight the dangers of insecure software supply chains, attackers compromised three marketing services by injecting obfuscated JavaScript to install code that scraped information from thousands of websites, including user login information and credit-card details.

On May 12, Willem de Groot, a security analyst with Sanguine Security, announced that digital-marketing tool Picreel, open-source Web form plugin Alpaca, and Best Of The Web's security logomark program had all been compromised and implanted with obfuscated JavaScript code to collect information on the visitors to any site that used the three online tools. The attack likely allowed the criminals behind the code to record keystrokes from thousands of websites, de Groot says.

"The economics of this is that, if you hack one project or supplier, you get a huge multiplier for your effort, so it is all about return on investment for the attacker," he says. "So if he has to spend a couple weeks digging through code on a single project, but then be able to compromise thousands of stores, then that is a good investment from his perspective."

The attack underscores that companies need to better track the risk they assume when using third-party code — especially popular open source components. Anywhere between 40% and 90% of Web application code is typically from open source components, and when companies rely on third-party services, they have to take into account that code as well, says Mike Bittner, associate director of digital security and operations at The Media Trust, a software security firm.

"Most companies have not done an audit of how much third-party code their websites and applications use, the full inventory of what is being used, and then buckling down and staying up to date," he says. "When an app is rolled out, most companies will do their due diligence and do security testing. But after that, many will not keep up to date on the security and don't realize their risk."

Supply chain attacks have become a much bigger problems for companies. Often, online criminals and nation-state actors will compromise the network of a less-secure supplier as a side door into a more-secure target company. However, attackers are also targeting open source software projects and commercial software as a way to insert vulnerabilities or malicious code that can later be activated. 

In 2018, for example, security researchers notified system-management utilities maker Piriform — recently acquired by Avast — that the latest version of its Windows utility CCleaner had been infected with malware during development. And late last year, software supply-chain management firm Sonotype revealed that hackers had attempted to inject malicious code into open source software 11 times in the past 30 months.

On Sunday, de Groot announced that hackers had compromised marketing firm Picreel's website plugin, collecting information from users of the more than 1,200 sites using the tool. Picreel removed the code, according to de Groot, but did not return a request for comment from Dark Reading.

The same day, de Groot reported that content management system provider Cloud CMS had also been impacted by a similar hack, but only a small numbers of Cloud CMS customers that used the Alpaca forms plugin and the default content distribution network (CDN) were actually impacted, according to the company. 

"This file is not part of Cloud CMS, cloudcms.com, or any of our products, customer websites, data, or applications," said Michael Uzquiano, chief technology officer at Cloud CMS, in a statement emailed to Dark Reading. "The security of Cloud CMS, its customers, and its products has not been compromised."

After being notified by de Groot, the company quickly disabled the free Alpaca CDN, determined the hacker had injected code at the end of the minified Alpaca file, and then reinstantiated the CDN using Amazon S3 and a clean set of files.

"Typically, folks download this from GitHub and build it on their own," Uzquiano said. "They then integrate it into their products. The free CDN version runs on Amazon Cloud Front, using an origin-backed distribution. It is offered as a convenience to help people try out Alpaca quickly."

In perhaps the most ironic breach, attackers compromised the JavaScript behind the Best Of The Web security logo program that checks sites before displaying the logomark. The company is investigating the issues, said Brian Prince, CEO of Best of the Web.

"Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised," he told Dark Reading in an emailed statement. "We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.”

The common denominator between the different compromises appears to be that the JavaScript was stored in Amazon Simple Storage Service (S3) buckets. So either the developers left the storage servers open to public access or they may have published the digital keys to the S3 buckets to the cloud, de Groot says.

"These companies have not disclosed the original entry vector," he says. "However, what you often see is developers mistakenly store the secret access codes into their Github repositories and then they leak. And if you have these access codes, you have control of the content."

Related Content




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-29
WSO2 Enterprise Integrator 6.6.0 or earlier contains a stored cross-site scripting (XSS) vulnerability in BPMN explorer tasks.
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.