Michael Bittner

The Digital Iceberg: How Third-Party Code Can Break Your Business

2018 was not a year that inspired confidence in our digital ecosystem. In spite of a worldwide effort to promote Internet safety exemplified by GDPR, we saw a 400% increase in global data breaches which no doubt testifies to the growing black market for personal information, the increased availability of tools for attackers and an ever-expanding list of potential attack vectors.

But more importantly, the number of hacks and breaches tells us something about the way businesses are running their digital properties. Websites are vulnerable – too vulnerable. According to a recent study, 1% of sites across the web are infected with malware at any given time, and only 15% of these compromised domains are blocked by browsers like Chrome.

In our experience, the actual number of compromised sites a user will visit per day is much higher than 1%: attackers are opportunistic, specifically targeting high-traffic properties. While giants like Google are mostly beyond their reach, the higher a domain’s Alexis rating, the more likely it is to be riddled with invisible threats.

One might imagine that this problem is exacerbated by complacency: if companies would keep tabs on vulnerabilities and regularly update their online dependencies, attacks would succeed less frequently – right?

While that has a grain of truth to it, the full story is a lot more complex and depressing thanks to a single culprit: third-party code.

The Iceberg of Web Development

The web development stack is tall. We already know that users only see the tip of a very large iceberg which includes back-end architecture, themes, web plugins and scripts that make the web experience possible.

The ubiquity of WordPress in particular has made it a popular target for professional hackers and ‘skiddies’ alike – earlier this year, 600,000 sites were compromised when a rogue employee defaced the WP MultiLingual (WPML) plugin. Last year, similar incidents occurred on a monthly basis.

When it comes to WordPress and other CMS platforms such as Joomla and Drupal, a business can only exercise so much control over its dependencies, which are mostly owned by third-party developers. Nevertheless, choosing trusted vendors and keeping up with the news is a natural place to start for 38% of websites which depend on these platforms.

Unfortunately, doing so can produce a false sense of security, for in reality, third-party code extends much deeper than CMS, themes or plugins, and businesses fixated on this aspect of a website are barely looking deeper than their users.

Third-Party Code Runs Everything

Today, almost no business builds a website from scratch, and doing so borders on masochism. After years of evolution, users expect a great deal from the web experience, and features can be implemented in a few hours which would take months to develop in-house.

Third-party code is therefore generously deployed across the Internet. So much so, that we have found 80-95% of the code running on any domain belongs to someone other than the owner. Examples include,

  • Data management platforms (DMP)
  • Content recommendation systems
  • Community features
  • Social widgets
  • Programmatic advertising

And much more.

These third-parties have their own agenda, fingerprinting the user, dropping cookies and making calls to other domains without the host organization’s knowledge or consent. In a typical case, one popular news site displayed an article feed to its users along with six advertisements. Scanning the property revealed much more behind the scenes, including 163 third-parties and 238 active domains.

As a consequence of this “shadow IT,” a business exercises very little control over its digital assets and leaves its visitors open to a host of potentially malicious actors.

Troubling Consequences

Third-party code didn’t take over the Internet in one night. This problem has been developing for decades, leading to broad ramifications we are only beginning to understand. Programmatic advertising in particular has been used to steal sensitive information, spread fake news and propagate malware.

All of this is bad for a business and its users. But one aspect of third-party code is especially dangerous for an organization’s bottom-line: backdoors which attackers can exploit for access to internal records and administrative functions.

Not all third-party code is created with malicious intent. But most vendors operate on thin profit margins, meaning security is not a high priority; several heavily trafficked media publishers learned this the hard way when ICEPick‐3PC infected their domains through the TweenMax JavaScript library.

Taking Back Control

Today, user trust in the digital ecosystem is being tested with every major hack and data breach. Businesses that depend heavily on third-party code risk compromising customer relationships, and with emerging data privacy legislation like GDPR and CCPA, fines add to the potential ramifications of a successful attack.

It’s no longer enough for organizations to vet their own code or patch surface-level vulnerabilities in front-end applications. Going forward, they must be able to identify who’s operating on their domain to avoid risky third parties.

With digital vendor risk management (DVRM) solutions and regular scans, offenders can be suppressed leaving businesses – and their users – safe and in control.