Website Supply Chain Attacks Continue

 In Articles

We’ve seen an acceleration of attacks from threat actors targeting websites and vulnerable 3rd party JavaScript code. In the past 3 months, Ticketmaster, British Airways, Feedify, Newegg, Shopper Approved and most recently, cryptocurrency vendor Gate.io have all revealed that they have been attacked via compromised 3rd party JavaScript code. This threat vector, launched through third party JavaScript suppliers, is concerning for two reasons: first, it allows hackers to bypass the security precautions of companies with sophisticated security capability, and second, it has the potential to affect web sites and consumers on a massive scale since compromising a single third party JavaScript vendor enables attacks on every website served this JavaScript code.

JavaScript is nearly universally used in dynamic web pages to provide extended functionalities that enhance user experience or provide website analytics. JavaScript interacts with the page’s Document Object Model (DOM) and provides 3rd party JavaScript vendors with the same level of website administration privileges as those granted to the website owner.  Compromised 3rd party JavaScript code is used by threat actors to modify, read or extract any information entered or rendered on the webpage.  This includes personal and financial data. In addition to introducing elevated website security risk, 3rd party JavaScript introduces significant compliance and data privacy concerns since 3rd party JavaScript is hosted outside of the security controls website owners monitor and control.

It’s not enough for website operators to build strong walls and gates around the code they specifically create.  Today’s websites are comprised of 80% 3rd party code. As we’ve seen illustrated in the acceleration of website attacks targeting 3rd party JavaScript code, threat actors circumvent organization’s website security defenses by hacking trusted 3rd party JavaScript suppliers.  The reality is this: if your 3rd party JavaScript partners are compromised, your website is compromised.

Recent Posts

Start typing and press Enter to search