Risks Associated with Third Party Scripts

Most websites today have integrated third-party scripts from a variety of vendors not always understanding the full implications or risks they’re undertaking by doing so. Often times, these scripts, loaded from vendor servers such as ad servers, analytics, or marketing, come laden with malware and lack the level of security needed to protect visitors to the site. This lower-level security can result in the third party being hacked as we’ll discuss more in depth. While it’s practically impossible to avoid using third party vendors, it’s vital that companies are aware of the risks associated with them.

With such risks involved with third party scripts, one may question the use of them at all. However, it’s becoming less possible to create a fully functioning site and to keep up with industry changes and standards without the use of these services. Often, they’re found in the unassuming form of web widgets. Examples of widgets that you most likely see every day include banners, traffic counters, search boxes, games, videos, RSS feeds, polls, and social buttons. The issue is that often times, these widgets are hosted by third parties in the form of javascript and images supplied by the vendor.

The problem starts with third party security, or rather, the lack of it. Third party code is only activated on a visitor’s web browser, thereby bypassing the main site’s web server and more to the point, their security measures. In other words, the website operator may never know if the remote host is compromised or that the third party script they’ve embedded has been manipulated to distribute malware or that their users accounts have been accessed. This malware or unauthorized access can then be spread to millions of siteaffect millions of visitors with no warning.

What risk is associated with third party javascript, say from a popular analytics package such as Google Analytics, from a publisher’s perspective? While Google Analytics offers thorough insight into a website’s visitors such as when they visit your site, where they click, and how long did they stay, it also stores information about the user’s computer system and sensitive information that could wreak havoc if the wrong party were to gain access to such data. This is, unfortunately, happening due to publishers giving their login to Google Analytics to third party javascript embeds under the guise of being data management providers or programmatic ad techs. This decision can lead to massive data leakage problems and further security risks.

Once a third party javascript tracker has gained access to your users, they can collect highly sensitive data such as keystrokes. More importantly, tracking a user’s keystrokes leads to tracking their login and password information. Or alternatively, javascript can implement a technique known as “clickjacking” where elements are rewritten so that when a user clicks on what they believe to be a safe button, the user is actually redirected to another page or, at times, they’re actually inadvertently approving the download of malware.

Other possible risks associated with third party javascript include:

  • Performing CSRF, or posting on behalf of a user or resetting their passwords.
  • Creating site deformation by adding external, unapproved content to a site
  • Redirecting users to a web page with fake or inappropriate content.
  • Opening up DOM-based XSS vulnerabilities.
  • Ripping off user’s cookies and gaining access to their accounts.
  • Forcing a user’s web browser to attack other computers on the internet.

What can publishers do to improve third party security? First, limit the number of third party embeds on their site to only those that are trusted and well-know n. Next, if possible, eliminate all third party javascript trackers embedded on the site. If it’s not possible to completely eliminate, again limit them as much as possible to only those that are trusted and from reputable companies .

Ultimately, the best solution is to have a procedure in place to vet the third party security and trustworthiness of any widget a publisher is considering installing. Companies can utilize an engine that’s loaded into the visitor browser allowing it to react in real time to each action the script is taking. An engine of this kind can implement the following third party security features:

  • Prevent vendors from placing their cookies on users and tracking them on other sites.
  • Prevent vendors from recording the user’s keystrokes.
  • Prevent vendors from changing areas of the site by overwriting data and controlling content.
  • Prevent vendors from reading sensitive information such as user logins and passwords.
  • Prevent vendors from capturing clicks on the site and overriding the actual destination of a click.

Implementing a solution such as this will allow the engine to control the actions of third party scripts on a site while still reaping the benefits of utilizing web widgets.

Hadar Blutrich
CEO Source Defense