A recent study by Source Defense analyzed the risks of using third- and fourth-party code on websites. It found that all modern, active websites examined had code that could be targeted by attackers to gain access to sensitive information.
Source Defense explained that sites usually have their own third-party supply chains, with those third parties providing a variety of services and functions related to site performance, tracking and analytics, and improving conversion rates to generate more revenue.
Having third- and fourth-party code on websites also introduces security and compliance challenges. On the compliance side, tracking code may violate data privacy legislation such as the EU’s General Data Protection Regulation (GDPR); from a security viewpoint, the code used on websites may contain vulnerabilities that threat actors can exploit to gain access to sensitive data, including protected health information (PHI).
To assess the risks of third- and fourth-party code, Source Defense analyzed the top 4,300 websites by traffic to determine the scale of the digital supply chain, the number of partners involved on a typical website, whether the code those partners supply leaves sites exposed to cyberattacks, whether sensitive information is being exposed, and the types of attacks that could be performed on web pages by abusing the digital supply chain.
The findings are discussed in the report, Third-Party Digital Supply Chain Risk: Exposing the Shadow Code on Your Web Properties. Source Defense noted that there is little point in a threat actor compromising a script on a static website; however, if scripts are added to web pages that gather sensitive data, such as login pages, account registration pages, and payment collection pages, attackers can insert malicious code to steal that information. The researchers found that web pages that gathered data typically had 12 third-party and 3 fourth-party scripts per website.
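To make the third-party versus fourth-party distinction concrete, here is an added example (written for this page, not code from the Source Defense report) that walks a page's script loader chain: a script from another registrable domain inserted by the page itself counts as third-party, and one inserted by a third-party script counts as fourth-party. The page records, the registrable-domain heuristic (last two host labels, no public-suffix list) and the sensitive-path regex are assumptions made for the demo; in practice the records would come from a crawler or browser instrumentation.

```javascript
// Added example: classify each script observed on a page as first-, third- or
// fourth-party by following its loader chain, then summarise sensitive pages.
// All input records below are constructed for the demo.

// Registrable domain, simplified to the last two host labels (assumption:
// no public-suffix list, so "co.uk"-style suffixes are not handled).
function registrableDomain(url) {
  const labels = new URL(url).hostname.split('.');
  return labels.slice(-2).join('.');
}

// scripts: [{ url, loadedBy }] where loadedBy is the URL of the script that
// inserted this one, or null when the script sits in the page's own markup.
// Returns a Map url -> 'first' | 'third' | 'fourth'.
function classifyScripts(pageUrl, scripts) {
  const siteDomain = registrableDomain(pageUrl);
  const byUrl = new Map(scripts.map((s) => [s.url, s]));
  const party = new Map();

  function classify(url, seen = new Set()) {
    if (party.has(url)) return party.get(url);
    if (seen.has(url)) return 'third'; // cycle guard: treat as third-party
    seen.add(url);
    const rec = byUrl.get(url);
    let result;
    if (registrableDomain(url) === siteDomain) {
      result = 'first';
    } else if (!rec || !rec.loadedBy || classify(rec.loadedBy, seen) === 'first') {
      result = 'third';   // external code pulled in by the site itself
    } else {
      result = 'fourth';  // external code pulled in by a third party
    }
    party.set(url, result);
    return result;
  }

  for (const s of scripts) classify(s.url);
  return party;
}

// Hypothetical heuristic for pages that collect sensitive data.
const SENSITIVE_PATH = /(login|signin|register|signup|checkout|payment|account)/i;

// pages: [{ url, scripts }] -> per-page party counts plus a sensitivity flag.
function summarizePages(pages) {
  return pages.map((page) => {
    const party = classifyScripts(page.url, page.scripts);
    const counts = { first: 0, third: 0, fourth: 0 };
    for (const p of party.values()) counts[p] += 1;
    return {
      url: page.url,
      sensitive: SENSITIVE_PATH.test(new URL(page.url).pathname),
      ...counts,
    };
  });
}

// Constructed sample: a login page whose analytics tag pulls in two further
// scripts from other origins (fourth-party), and a static "about" page.
const SAMPLE_PAGES = [
  {
    url: 'https://shop.example/login',
    scripts: [
      { url: 'https://static.shop.example/app.js', loadedBy: null },
      { url: 'https://tag.analytics-vendor.example/tag.js', loadedBy: null },
      { url: 'https://cdn.ab-test.example/exp.js', loadedBy: 'https://static.shop.example/app.js' },
      { url: 'https://pixel.adnet.example/p.js', loadedBy: 'https://tag.analytics-vendor.example/tag.js' },
      { url: 'https://cmp.consent.example/cmp.js', loadedBy: 'https://tag.analytics-vendor.example/tag.js' },
    ],
  },
  {
    url: 'https://shop.example/about',
    scripts: [{ url: 'https://static.shop.example/app.js', loadedBy: null }],
  },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(summarizePages(SAMPLE_PAGES));
}
```

Run with `node` to print the per-page table; the login page shows 2 third-party and 2 fourth-party scripts even though its markup references only one external tag, which is the "shadow code" the report refers to.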
They identified six features of web pages that attackers could exploit and that were commonly seen on websites:
- button click listeners (49%)
- code to collect form input (49%)
- link click listeners (43%)
- code to alter forms (23%)
- form submit listeners (22%)
- input modify listeners (14%)
Every modern, dynamic website evaluated for the study was found to include one or more of those features.
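As an added illustration of those six features (written for this page, not code from the report), the following heuristic scans script source text for the DOM patterns that typically implement each one, so a defender can triage a script inventory by capability. The regexes and the four sample scripts are constructed for the demo; minified or obfuscated code can evade plain pattern matching, so treat the output as a starting point for review rather than a verdict.

```javascript
// Added example: flag which of the six page-interaction capabilities a script
// source exhibits. Patterns are heuristics constructed for the demo.

const FEATURE_PATTERNS = {
  // click handler attached near a button or submit-control selector
  buttonClickListener: [
    /(button|\[type=["']?submit["']?\])[\s\S]{0,120}?addEventListener\(\s*['"]click['"]/,
  ],
  // reads form contents: FormData, form.elements, or input selectors
  formInputCollection: [
    /new\s+FormData\(/,
    /\.elements\b/,
    /querySelector(All)?\(\s*['"][^'"]*input/,
  ],
  // click handler attached near an anchor selector
  linkClickListener: [
    /querySelector(All)?\(\s*['"]a[^'"]*['"]\)[\s\S]{0,120}?addEventListener\(\s*['"]click['"]/,
  ],
  // creates form controls or appends into a form-like element
  formModification: [
    /createElement\(\s*['"](input|select|textarea)['"]/,
    /form\w*\.(appendChild|append|prepend|insertAdjacentHTML)\(/i,
  ],
  formSubmitListener: [/addEventListener\(\s*['"]submit['"]/, /\.onsubmit\s*=/],
  inputModifyListener: [
    /addEventListener\(\s*['"](input|change|keyup|keydown|keypress)['"]/,
    /\.on(input|change|keyup|keydown)\s*=/,
  ],
};

// Returns the list of feature names whose patterns match the source.
function scanScript(source) {
  const found = [];
  for (const [feature, patterns] of Object.entries(FEATURE_PATTERNS)) {
    if (patterns.some((re) => re.test(source))) found.push(feature);
  }
  return found;
}

// inventory: { scriptName: sourceText } -> { scriptName: [features] }
function scanInventory(inventory) {
  const report = {};
  for (const [name, source] of Object.entries(inventory)) {
    report[name] = scanScript(source);
  }
  return report;
}

// Constructed sample scripts standing in for a fetched inventory.
const SAMPLE_SCRIPTS = {
  'analytics.js': `
    document.querySelectorAll('a').forEach(function (a) {
      a.addEventListener('click', function () { track('link', a.href); });
    });
    document.querySelector('button[type=submit]').addEventListener('click', function () { track('cta'); });
  `,
  'personalize.js': `
    var form = document.querySelector('#checkout');
    var extra = document.createElement('input');
    extra.name = 'promo';
    form.appendChild(extra);
    form.addEventListener('submit', function (e) {
      var data = new FormData(form);
      send(Object.fromEntries(data));
    });
  `,
  'autocomplete.js': `
    var field = document.querySelector('input[name=email]');
    field.addEventListener('input', function () { suggest(field.value); });
  `,
  'static-banner.js': `
    document.getElementById('banner').textContent = 'Welcome';
  `,
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanInventory(SAMPLE_SCRIPTS), null, 2));
}
```

The scripts that both modify a form and hook its submission (personalize.js in the sample) are the ones to review first on login, registration and payment pages, since they combine the capabilities the report singles out.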
An evaluation was also done on 40 to 50 websites in industry sectors with higher-than-average risk. The researchers found that higher-risk sectors such as healthcare had more than the average number of scripts: healthcare sites typically had 13 third-party and 5 fourth-party scripts on sensitive web pages.
There may be a valid reason for using these scripts on such pages, but including that code brings risk. For instance, a script could allow form fields to be altered or added in order to give website users a more customized experience. However, a threat actor could abuse the same functionality to add extra fields requesting credentials and personal data, which would then be sent to the attacker’s site.
The researchers said these findings show that managing the risk inherent in third- and fourth-party scripts is both essential and very difficult. They recommend auditing websites for third-party code, educating management about the dangers, deploying a website client-side security program, categorizing and consolidating scripts, and looking for ways to remove exposure and compliance risks.