A new study by Source Defense looked at the risks tied to the use of third- and fourth-party code on web pages. It found that every contemporary, dynamic website examined contained code that attackers could exploit to gain access to sensitive records.
Source Defense noted that web pages typically have their own third-party supply chains, with those third parties providing a range of services and functions related to site performance, monitoring and analytics, and improving conversion rates to generate more revenue.
Adding third- and fourth-party code to websites also introduces security and compliance problems. On the compliance side, tracking code can violate data privacy rules such as the EU's General Data Protection Regulation (GDPR); from a security standpoint, the code used on websites may contain vulnerabilities that threat actors can exploit to gain access to sensitive data, including protected health information (PHI).
To identify the risks associated with third- and fourth-party code, Source Defense scanned the top 4,300 websites by traffic and reviewed the results to determine the extent of the digital supply chain, how many partners are involved on a typical website, whether those partners' code makes sites prone to cyberattacks, whether sensitive information is being compromised, and the types of attacks that can be carried out against web pages by exploiting the digital supply chain.
The findings are detailed in the report, Third-Party Digital Supply Chain Risk: Exposing the Shadow Code on Your Web Properties. Source Defense noted that there would be little point in a threat actor compromising a script on a static page; however, where scripts are used on web pages that collect sensitive data, attackers can add malicious code to steal that data. The researchers found that websites that collect data typically contain 12 third-party and 3 fourth-party scripts per site, including on login pages, account sign-up pages, and payment pages.
They identified six capabilities that are commonly found on websites and that attackers can abuse:
- input change listeners (14%)
- form submit listeners (22%)
- code to change forms (23%)
- link click listeners (43%)
- button click listeners (49%)
- code to retrieve form input (49%)
Every modern, dynamic website examined for the research was found to have at least one of these characteristics.
A study was also performed on 40 – 50 websites in industry sectors where the threat may be higher than average. The researchers observed that higher-risk sectors such as medical care had an above-average number of scripts: medical care sites had about five fourth-party and 13 third-party scripts on sensitive pages.
There may be a legitimate reason for adding these scripts to web pages, but including that code introduces risk. For example, a script could allow form fields to be modified or added to give website visitors a more personalized experience. A threat actor, however, could exploit that same ability to add fields requesting credentials and personal details, which would then be sent to the attacker's web page.
The researchers said these findings show that managing the risk inherent in third- and fourth-party scripts is both a very important and a very difficult undertaking. They recommend auditing websites for third-party code, educating management about the challenges, using a client-side website security tool, classifying and consolidating scripts, and looking for ways to eliminate exposure and compliance problems.
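As an added example (not code from Source Defense or its report), here are the two checks the recommendations above call for: inventorying a page's script supply chain by party, and spotting fields on a sensitive form that the site owner never defined (the injected-field scenario described earlier). It runs as plain Node.js over a constructed snapshot; the snapshot format with `src` and `loadedBy` is an assumption.

```javascript
// Added example, not code from Source Defense or its report. Given a
// constructed snapshot of a page's scripts and of a sensitive form, it
// classifies scripts as first-, third- or fourth-party and flags form
// fields the site owner never defined. Runs offline in Node.js.

// Classify each script relative to the page's hostname. `loadedBy` is the
// URL of the script that inserted it, or null if it was in the page's own
// HTML (this snapshot format is an assumption for the example).
function classifyScripts(pageUrl, scripts) {
  const pageHost = new URL(pageUrl).hostname;
  const byUrl = new Map(scripts.map((s) => [s.src, s]));
  function party(script) {
    if (new URL(script.src).hostname === pageHost) return "first-party";
    const loader = script.loadedBy ? byUrl.get(script.loadedBy) : null;
    // A script pulled in by another non-first-party script is fourth-party.
    if (loader && party(loader) !== "first-party") return "fourth-party";
    return "third-party";
  }
  return scripts.map((s) => ({ src: s.src, party: party(s) }));
}

// Count scripts per party so the supply-chain depth of one page can be
// compared with the per-site averages quoted in the report.
function summarize(pageUrl, scripts) {
  const counts = { "first-party": 0, "third-party": 0, "fourth-party": 0 };
  for (const { party } of classifyScripts(pageUrl, scripts)) counts[party] += 1;
  return counts;
}

// Return observed form fields whose names are not in the owner's baseline.
// Fields injected to prompt for credentials or personal details show up here.
function unexpectedFields(expectedNames, observedFields) {
  const expected = new Set(expectedNames);
  return observedFields.filter((f) => !expected.has(f.name));
}

// Constructed sample data (reserved .example hostnames, not real sites).
const SAMPLE_SCRIPTS = [
  { src: "https://shop.example/static/app.js", loadedBy: null },
  { src: "https://tags.cdn.example/loader.js", loadedBy: null },
  { src: "https://track.vendor.example/t.js", loadedBy: "https://tags.cdn.example/loader.js" },
  { src: "https://shop.example/static/checkout.js", loadedBy: null },
];
const LOGIN_FORM_BASELINE = ["email", "password"];
const OBSERVED_LOGIN_FORM = [{ name: "email" }, { name: "password" }, { name: "ssn" }];

console.log(summarize("https://shop.example/login", SAMPLE_SCRIPTS));
console.log(unexpectedFields(LOGIN_FORM_BASELINE, OBSERVED_LOGIN_FORM));
```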