3rd Party JavaScript Threat Overview

Executive Summary

A universal website flaw that leaves customer & payment data exposed has been increasingly exploited by attackers at mass scale. This flaw prevents website owners from controlling what data can be accessed/stolen by their website supply chain vendors and the hackers that exploit them. Every website is susceptible to this attack vector as no component of traditional security programs can prevent client-side 3rd party JavaScript modification. This threat briefing is intended to raise awareness of this universal flaw and introduce preventative measures that may be taken.

3rd Party Website JavaScript Overview

3rd party JavaScript refers to scripts, made available from 3rd party vendors, that are embedded into websites to enrich customer experience, enhance analytics, and monetize sites via advertising. 3rd party scripts can provide powerful functionality, but they introduce risks to privacy, security, performance, and page behavior.
There is a strong correlation between the number of 3rd party JavaScript enhancements and overall website effectiveness. However, increased utilization of 3rd party tools leads to increased risk from an uncontrolled and rapidly expanding attack surface.

Inherited & Uncontrolled Risk

Due to the designed flexibility of JavaScript, external 3rd party JavaScript authors, like those integrated onto every website, have full, developer-level DOM access to your site via an unmanaged client-side connection. This means that website owners are unable to control website authorship and modification privileges for any of the dozens of 3rd parties integrated into their website. More troubling is that these 3rd parties routinely chain-in multiple 4th and 5th parties that share the same level of unrestricted access to your website. It is these unmanaged client-side website connections that attackers have increasingly been targeting to modify the website experience and exfiltrate customer & payment data.

Supply Chain’s Weakest Link & Scalability of Attack

The uncontrolled access afforded 3rd party JavaScript provides threat actors with an attractive path to penetrate a website’s security and exfiltrate customer & payment data. Instead of directly targeting the defenses of the highly secured website owner, threat actors target the comparatively less secure 3rd party vendor’s security infrastructure. Once they have breached the security defenses of a 3rd party vendor, or a linked 4th party, threat actors leverage the flexibility of JavaScript to modify the code returned from the external 3rd party server to the client-side browser. Frequently these modifications involve the inclusion of card skimming code or other means of data exfiltration. Of additional benefit to attackers, this attack type is massively scalable: the attackers immediately gain access to every website served by the compromised 3rd party JavaScript vendor. This is precisely how Magecart successfully scaled its attack to compromise thousands of victims.

[Figure: Page Load Flow With 3rd Parties]

Inadequacy of Traditional Controls

It is highly advised that security teams diligently evaluate this attack vector, since current controls are not capable of preventing these types of attacks. The most common approach to website security is reactive detection technology (DAST, RASP). By definition, these technologies are designed to allow some impact before a response can be invoked. Detection technologies are not designed to dynamically monitor every website session and are incapable of scaling to effectively prevent client-side attacks. Today’s data privacy compliance requirements also mean that detection events require disclosures and may result in fines. Most troubling, detection technologies allow the threat to persist because the underlying flaw, the unrestricted access held by 3rd parties, remains unaddressed.

Recent JavaScript Attacks

June 2018 – MageCart Threat Actor
Since March 2016, payment card and private customer data has been stolen during payment processing from dozens of major E-Commerce vendors worldwide. The ultimate scope of the MageCart attack impacts thousands of websites, and it operated largely undetected for 3+ years. This is possibly one of the largest payment card thefts ever discovered. Notable victims include Ticketmaster, British Airways and NewEgg. Malicious JavaScript code acting as a form grabber or a simple keylogger was injected via compromised 3rd party JavaScript vendors integrated onto compromised websites. As buyers provided payment details, the data was captured and sent in real time to the MageCart threat actor. Significant GDPR data privacy compliance implications are evident in this large-scale

It’s critical to note that this method is completely new and entirely different from traditional hacking methods used to steal payment details, which typically seek to infect the buyer’s computer, implant malware in Point of Sale terminals, or infiltrate corporate defenses to access stored databases of breached E-Commerce vendors. This new attack vector is increasing in scope and is capable of launching attacks at massive scale. This is particularly evident in the MageCart attack.

April 2018 – 3rd Party Chatbot Service [24]7.ai Compromised
A chat and support service integrated onto notable vendors including Delta, Sears, Best Buy and Kmart was infiltrated and resulted in over 1M credit card numbers being skimmed from these well-known enterprise web commerce sites. Again, attackers leveraged JavaScript to skim payment record details and exfiltrate these data to servers owned by the threat actors.

October 2017 – Malicious Re-Directs from Major US-Based Credit Agencies
A 3rd party integrated onto the Equifax and TransUnion websites included JavaScript code from a compromised 4th party. The JavaScript was modified so that, when the credit agency site loaded, the victim’s browser was redirected to malware. The site owners acknowledged that “Anyone using the (compromised) library may have been affected, and not even know that they have been compromised.” The agency further acknowledged that this JavaScript attack allowed the attacker to access victims’ data, submit false data on behalf of the victim, or deface the (Equifax or Agency) page.

Watering Hole Attack on EU parliament
This attack illustrates that compromising 3rd party vendors can be leveraged to launch hyper-segmented, targeted attacks. An ad network operating on a news website frequented by parliament members was breached and used to redirect users to a webpage which distributed targeted malware to parliament users only.

When deployed at small scale, attacks that leverage the flexibility of JavaScript to launch client-side attacks are particularly hard to detect. In many cases the attack is implemented, sensitive data is exfiltrated, and all evidence of the infiltration is subsequently removed as the modified JavaScript is returned to its original state.

Source Defense V.I.C.E.

Source Defense provides an entirely new and unique solution to prevent website supply chain attacks. Source Defense’s real-time, all-the-time prevention leverages a fully automated and machine-learning assisted set of policies that control the access and permissions of all 3rd party tools operating on a website. The Source Defense solution ensures those 3rd parties only deliver the intended user experience and may not be leveraged for malicious data extraction or website alteration.

By removing the security, risk, and compliance considerations from 3rd party integrations, Source Defense saves countless man-hours spent on tests and integrations. This allows website owners to focus on enhancing user experience and driving web commerce revenues while ensuring the security and privacy of customer and payment data.
