When it comes to websites of almost any kind, there’s no party like a 3rd party (tools). They help elevate the website’s many capabilities, from UX to analytics, and do so while saving website owners the time and trouble these procedures would otherwise evoke. Without the ability to rely on 3rd parties, chances are that the countless sites we all use would not have the resources to invest in perfecting each process, creating a poor experience for everyone involved. By harnessing the expertise and proven technology developed by other companies, website owners can focus on their site’s main purpose without compromising their performance, appearance or any other standard.
But websites that operate without the required care and attention might end up compromising one critical aspect – their website’s security levels. All of this goodness comes at a price, and in this case, it’s more than just the fee charged by external companies. By bringing in additional tools, website owners expose themselves and their users to cyber attacks in the form of Magecart and Formjacking.
You’d likely say that you have the right internal processes in place for preventing this from ever happening to you, right? Maybe, but more often than not, there are some important things happening behind the scenes…
CRO vs. CMO – the forces behind the scenes
While we’d like to think of a company as a single entity, behind the scenes there are many different forces and opinions, some of which sometimes collide in their perspectives and core missions. A classic example is the inherent conflict of interest between a company’s marketing department and its risk and security ones. For marketers, being able to move fast and implement changes in a heartbeat is important in order to answer the ever-changing market needs and keep up with the latest trends. Risk and security professionals, on the other hand, need to evaluate the risk behind such moves and make sure that any tools implemented in the process do not cause any cybersecurity-related problems.
3rd party tools enable marketers to add promotional content and analytics capabilities that let them share their message more effectively with their target audience. The idea of performing any sort of inspection to ensure that these tools meet the required security standards is immediately translated to delays, which could nullify the entire promotional move or make it irrelevant. Even though security teams are interested in protecting the company’s assets, they often find themselves facing an enormous amount of pressure from other company stakeholders, urging them to cut corners and add more external tools without taking the necessary precautions.
Why are we here?
There is a reason we decided to write this article and launch Source Defense. Our founders know all about 3rd party access to websites and the vulnerabilities that come with them. In their pre-Source Defense lives, they were the ones to provide external tools for websites. After being exposed to sensitive, personal information and realizing the danger of it falling into the wrong hands, they turned the task of making websites safer into their life mission, basing their technology on years of expertise and experience. This shift created a solution to a problem affecting dozens of millions of people worldwide, many not even aware of the dangers.
So, here’s what the 3rd party tools you work with may know about your users
The levels of access that 3rd party tools have to a page might surprise not only users and website owners but the actual 3rd parties themselves. When we’ve spoken to a few key players in the field, we heard stories that could have been funny if they weren’t so upsetting. Here are a few examples:
- Some of the 3rd parties we’ve spoken to have mentioned being exposed to credit card information on the site, despite the fact that the service they provided didn’t require any form of payment and was completely unrelated to the purchasing functionalities.
- Other 3rd party tool owners mentioned being provided with the security questions and passwords chosen by users. When we keep in mind that most people use the same passwords for all of their online accounts, this may very well allow access to an unimaginable amount of data.
- Other information shared with these tools included personal information that had a lot to do with the sensitive content related to the website, such as medical information or dating preferences. These tools were not only able to view the data, but also actively participate in a conversation conducted through the website if they wanted to. This is the type of information that can easily be used for identity theft.
- The data provided to 3rd party tools didn’t only involve the person using the website, but in some cases included information regarding their loved ones. People included details regarding their family on medical, travel sites, and more. This means that even the most carefully private person is subjected to attacks in case one of their relatives decides to share such information online.
- The financial information provided by users also has to do with business accounts owned by them or the companies they work for. This included both payment information and specific details regarding the company’s financial state. Imagine an identity theft case in which malicious groups use this sort of data to present themselves as company executives.
It’s important to keep in mind that in many cases, these 3rd party tools were implemented to allow very basic actions, such as pop-ups and analytics. They have no need for this personal information and yet, they find themselves surrounded by it without even trying. Just think of what happens when malicious forces find their way into a website.
The dangerous turn
It doesn’t require a vivid imagination to figure out what happens when the 3rd party tools implemented on a website have the wrong intentions. Combining a criminal mind with the levels of information to which these tools are exposed to, creates the catastrophes we read about in the news. Website after website, companies of any size and vertical fall victim to Magecart and Formjacking attacks. Hackers take advantage of their free access to manipulate users and collect sensitive information, which is then used to steal their assets or identity. Hackers gain full, developer-level access to the website’s JavaScript code via 3rd party tools, and are able to modify the code and collect the session’s data by “hitchhiking” over the 3rd parties into the website. We’ve explained the process in detail in a previous blog post, discussing some of the key pointers you should pay attention to in order to ensure that your website remains fully protected from Magecart and Formjacking attacks.
The party is only starting
When discussing Magecart and Formjacking attacks, we normally focus on 3rd party vendors, but the truth is that these tools are just the beginning of a very disturbing and risky chain of events. You see, each tool relies on external providers (4th parties) that also gain access to website users’ information, and these 4th parties work with external vendors, and so on. This creates an endless, unmanaged and powerful snowball of information. When websites implement external tools, it becomes impossible for them to know who truly gains access to their most treasured asset: their users’ data. Even trustworthy 3rd party vendors might collaborate with those less worthy of their trust.
Magecart and formjacking attacks create a catch 22 for website owners and users. Eliminating 3rd party tools is out of the question, as it would result in slow, outdated and poorly functioning websites. On the other hand, continuing to ignore the critical problems detailed in this article is dangerous. Website owners who refuse to compromise their audience’s security and user experience should pay closer attention to this issue. Only by raising our heads from the sand and collaborating with advanced, dedicated cybersecurity solutions will we be able to provide the world with websites that are both advanced and secure.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
