Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:00 PM

Attacks on JavaScript Services Leak Info From Websites

Three marketing tools, including the Best Of The Web security logomark, were compromised in supply chain attacks, allegedly leaving website customers leaking their users' sensitive information.

In the latest breaches to highlight the dangers of insecure software supply chains, attackers compromised three marketing services by injecting obfuscated JavaScript to install code that scraped information from thousands of websites, including user login information and credit-card details.

On May 12, Willem de Groot, a security analyst with Sanguine Security, announced that digital-marketing tool Picreel, open-source Web form plugin Alpaca, and Best Of The Web's security logomark program had all been compromised and implanted with obfuscated JavaScript code to collect information on the visitors to any site that used the three online tools. The attack likely allowed the criminals behind the code to record keystrokes from thousands of websites, de Groot says.

"The economics of this is that, if you hack one project or supplier, you get a huge multiplier for your effort, so it is all about return on investment for the attacker," he says. "So if he has to spend a couple weeks digging through code on a single project, but then be able to compromise thousands of stores, then that is a good investment from his perspective."

The attack underscores that companies need to better track the risk they assume when using third-party code — especially popular open source components. Anywhere between 40% and 90% of Web application code is typically from open source components, and when companies rely on third-party services, they have to take into account that code as well, says Mike Bittner, associate director of digital security and operations at The Media Trust, a software security firm.

"Most companies have not done an audit of how much third-party code their websites and applications use, the full inventory of what is being used, and then buckling down and staying up to date," he says. "When an app is rolled out, most companies will do their due diligence and do security testing. But after that, many will not keep up to date on the security and don't realize their risk."

Supply chain attacks have become a much bigger problems for companies. Often, online criminals and nation-state actors will compromise the network of a less-secure supplier as a side door into a more-secure target company. However, attackers are also targeting open source software projects and commercial software as a way to insert vulnerabilities or malicious code that can later be activated. 

In 2018, for example, security researchers notified system-management utilities maker Piriform — recently acquired by Avast — that the latest version of its Windows utility CCleaner had been infected with malware during development. And late last year, software supply-chain management firm Sonotype revealed that hackers had attempted to inject malicious code into open source software 11 times in the past 30 months.

On Sunday, de Groot announced that hackers had compromised marketing firm Picreel's website plugin, collecting information from users of the more than 1,200 sites using the tool. Picreel removed the code, according to de Groot, but did not return a request for comment from Dark Reading.

The same day, de Groot reported that content management system provider Cloud CMS had also been impacted by a similar hack, but only a small numbers of Cloud CMS customers that used the Alpaca forms plugin and the default content distribution network (CDN) were actually impacted, according to the company. 

"This file is not part of Cloud CMS, cloudcms.com, or any of our products, customer websites, data, or applications," said Michael Uzquiano, chief technology officer at Cloud CMS, in a statement emailed to Dark Reading. "The security of Cloud CMS, its customers, and its products has not been compromised."

After being notified by de Groot, the company quickly disabled the free Alpaca CDN, determined the hacker had injected code at the end of the minified Alpaca file, and then reinstantiated the CDN using Amazon S3 and a clean set of files.

"Typically, folks download this from GitHub and build it on their own," Uzquiano said. "They then integrate it into their products. The free CDN version runs on Amazon Cloud Front, using an origin-backed distribution. It is offered as a convenience to help people try out Alpaca quickly."

In perhaps the most ironic breach, attackers compromised the JavaScript behind the Best Of The Web security logo program that checks sites before displaying the logomark. The company is investigating the issues, said Brian Prince, CEO of Best of the Web.

"Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised," he told Dark Reading in an emailed statement. "We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.”

The common denominator between the different compromises appears to be that the JavaScript was stored in Amazon Simple Storage Service (S3) buckets. So either the developers left the storage servers open to public access or they may have published the digital keys to the S3 buckets to the cloud, de Groot says.

"These companies have not disclosed the original entry vector," he says. "However, what you often see is developers mistakenly store the secret access codes into their Github repositories and then they leak. And if you have these access codes, you have control of the content."

Related Content




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-15
In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences.
PUBLISHED: 2020-07-15
Inappropriate Encoding for output context in McAfee Web Gateway (MWG) prior to 9.2.1 allows remote attacker to cause MWG to return an ambiguous redirect response via getting a user to click on a malicious URL.
PUBLISHED: 2020-07-15
Malicious operation of the crafted web browser cookie may cause a stack-based buffer overflow in the system web server on the EDR-G902 and EDR-G903 Series Routers (versions prior to 5.4).
PUBLISHED: 2020-07-15
"HCL Verse for Android was found to employ dynamic code loading. This mechanism allows a developer to specify which components of the application should not be loaded by default when the application is started. Typically, core components and additional dependencies are loaded natively at runtim...
PUBLISHED: 2020-07-15
Nessus 8.10.0 and earlier were found to contain a Stored XSS vulnerability due to improper validation of input during scan configuration. An authenticated, remote attacker could potentially exploit this vulnerability to execute arbitrary code in a user's session. Tenable has implemented additional i...