Danny Bradbury

Why Malicious Third-Party Code is a Problem and What to Do About It

In a previous article, we explored the security risks that third-party code can bring to your website. In short, otherwise useful third-party libraries may contain malicious code that targets your visitors and customers. By auditing that code to make sure the source is safe, you can mitigate the risk of danger: however, this does not eliminate the risk that malicious domains will gain access to your website through trustworthy third parties.

Web developers are not the only ones who use external code to make their jobs easier: third-party developers may also depend on external code, leading to 4th, 5th and 6th party code on your website. Today, the average website contains over 100 third-party domains at any given time, making them hard to scan or protect against. Even worse, these domains are constantly changing: if you solve one problem, another will quickly appear.

Imagine that you decide to renovate your home, so you call a trusted contractor (Kurt) for help: you ask him to install new sinks in your kitchen, change tiles, and much more. You trust Kurt. But while you expect him to bring some assistants, you are surprised when he shows up with a crowd of subcontractors – even Kurt doesn’t know who they are. Soon, they are trashing your home and doing a poor job. To top it all off, as soon as you send one packing, another one comes along. Now your home has been invaded by strangers who you don’t know and can’t control.

This is the situation organizations are in when they allow third-party code to go unchecked across their websites.

The Role of Third Parties in Your Digital Assets

The number of third parties across consumer facing websites has grown exponentially as businesses increasingly depend on the web to attract prospects, communicate with customers, and facilitate transactions. The role of third-party code has expanded from digital advertising to online chat, ordering and payment platforms, appointment setting, user session tracking, and much more.

All in all, third parties have become a practical necessity for building a streamlined customer experience. However, they are often the first and most effective targets for attackers behind data breaches, violations of data privacy legislation and other costly security incidents. Even the best third-party code brings along 4th, 5th and 6th parties who have unlimited access to your visitors with zero supervision.

The Problem of Ownership

Adding to the confusion, third parties are introduced to a website by many departments throughout the host organization. This creates an ownership and accountability question that Security Officers and teams routinely struggle to answer. Even in enterprises where security and privacy teams work closely with marketing and revenue, the complexity of third-party integration means that internal and external policies are often neglected, leading to major security gaps for the company and its customers.

Without exercising constant vigilance to monitor and control the activity of domains connected to your website, your customers will be exploited and driven away. It is not a matter of “if”: only “when,” and “how often.”

How Third Parties Can Target Your Customers

Malicious actors can compromise your website using many techniques, including cross-site scripting (XSS), collection and exploitation of personally identifiable information (PII), JavaScript injection, buffer overflows and much more. Their end game is usually to target your customers in one of the following ways:

  1. Malicious redirects – send your customer to an unsafe site with scam offers to steal their identity and credit card information or target them with even more unsafe code.
  2. Credit Card Theft – magecart and similar eSkimming attacks via third-party code intercept credit card numbers and other financial information through compromised shopping carts and sales pages. JavaScript wrapping is not a complete solution.
  3. Customer Identity Theft – third-party code rendering on customer account and loyalty pages leaves customer data exposed to companies who collect and then leverage that data to impersonate the customer and utilize their rewards.
  4. Phishing attacks – masquerade as a legitimate website to extract usernames, passwords and other sensitive information from your visitors.
  5. Customer tracking – long-term cookies with an expiration date of 100+ years, browser fingerprinting and other advanced customer tracking techniques allow malicious actors to track your visitors across the web.
  6. Reduced UX – malicious code can interfere with legitimate code and slow the loading time of your website. This leads to shopping cart abandonment and a higher bounce rate.

This is only a small list of the ways that malicious third parties can target and exploit your customers: once they are present on your website, they are only limited by their creativity and skill.

Protecting Your Visitors

Large Internet companies have been working to combat malicious third-party code for many years. In the meantime, there are things businesses can do right now to mitigate the problem. First, they should enforce strict standards on all their digital partners and report bad and unknown actors further upstream to make sure they are removed from the digital ecosystem.

Second, businesses with a web presence can invest more in their own development processes, prioritizing security best practices. They should pressure organizations like the Open Web Application Security Project (OWASP) to expose the most common attacks delivered via malicious third parties and content, along with coding techniques to mitigate them.

Third – and most importantly – any organization with a web presence should continually monitor its online properties for new domains, scan for malicious or unwanted third parties and create processes with internal departments who will take responsibility for that code to maintain rigorous digital vendor management practices.

We live in a world where websites are no longer static, and up to 90% of the code across the web is provided by third parties that are constantly recycled. This leads to a dynamic and ever shifting digital ecosystem that requires constant vigilance, and understanding the danger this represents is the first step towards protection.