Rogue Javascript Integrations Risk Attacks


According to research by Tala Security, methods such as Magecart attacks and formjacking are exploiting vulnerable JavaScript integrations running on 99 per cent of the world’s top websites. At the same time, security effectiveness against JavaScript vulnerabilities is on the decline.

According to the research, the average website includes content from 32 third-party JavaScript vendors, and 58 per cent of the content rendered in customers’ browsers is supplied by those third-party JavaScript integrations.

“The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources,” said Aanand Krishnan, founder and CEO of Tala Security. “It’s imperative that organizations keep security top of mind and pay much closer attention to what has become a pervasive attack vector.”

While 30 per cent of the websites analysed had security policies in place, only 1.1 per cent were found to have policies that were actually effective.

Jonathan Knudsen, the senior security strategist at Synopsys, said that research by the company showed the average commercial application has well over 400 third-party open-source components.

He explained: “While the research conducted by Tala Security might identify 32 independent vendors, when looking at any software supply chain, it’s important to look not only at the known vendors but also at the usage of open-source software in the final product or service. After all, it’s impossible to patch something you don’t know is there.”

He also claimed it is “hardly surprising that the research found that the average website has content from 32 third-party vendors” as modern software is more assembled than it is written, with useful chunks of functionality often coming from open-source, third-party software components and interactions happening via APIs with multiple other systems.

“There is nothing inherently wrong with using third-party software components, the JavaScript language, or the web ecosystem,” he argued. “Just as with anything else, risk must be managed and minimized during the construction and deployment of websites.”

Keith Geraghty, solutions architect at Edgescan, believes that JavaScript isn’t the issue, as it has “revolutionized the user experience on the web.”

“When we refer to vendors, we are usually referring to talented programmers who have developed tools and solutions that, along with HTML and CSS, make up the backbone of the web,” he said. “Like with all plugins and solutions, organizations need to ensure that what they use is safe, up-to-date and falling under the same controls as their traditional patch management strategy.”

Craig Young, the senior security researcher at Tripwire, said: “The situation with loading so many JavaScript libraries from so many different domains greatly amplifies the risk subdomain hijacking attacks pose to the internet at large. The problem is that each third-party domain supplying unauthenticated JavaScript presents an opportunity for a server compromise to serve malicious content to unsuspecting users unless the site operator has taken specific security precautions.”