Israeli cybersecurity firm Source Defense has analyzed the supply chain risk posed by ghost code in third-party and fourth-party scripts on major corporations’ websites.
These scripts allow developers to improve user interaction, implement social media sharing, tracking and analytics, deliver dynamic content, display news feeds and retrieve data from third-party sources.
Although external scripts speed up the application development process, attackers could exploit or leverage them for digital skimming, form hijacking, credential harvesting, and redirecting users to malicious websites.
Magecart attacks from client-side scripts have been in the cybersecurity news headlines for the past few years, with incidents on the rise since 2014.
The average number of third-party and fourth-party scripts on websites
After sampling 4,300 websites and applications ranked by traffic, Source Defense found that each website had an average of 12 third-party scripts and three fourth-party scripts.
Per page, the sample hosted an average of five external scripts (four third-party and one fourth-party), rising to an average of 12 external scripts on responsive pages.
The report also found that some high-traffic websites had “several dozen” third-party and fourth-party client-side scripts.
Sectors most affected by ghost code from external scripts
The financial sector was the most affected with an average of 16 third-party scripts and six fourth-party scripts per website, followed by healthcare (13.5) and travel (13.4).
E-commerce websites had the fewest third-party (10) and fourth-party (4) scripts per website.
On each page, financial websites had an average of ten external scripts (seven third-party and three fourth-party), while healthcare pages had eight (six third-party and two fourth-party).
Travel and e-commerce pages had five and four third-party scripts respectively, and two fourth-party scripts each.
“Interestingly, even in finance, one of the most threat-aware industries in the world, with unparalleled investments in security technology and personnel, major third-party risks still lurk on critical web properties,” the researchers lamented.
However, the researchers explained that the financial industry relies heavily on many third-party scripts with third-party code to retrieve customer financial data, news feeds, and security and commodity prices.
Website teams do not monitor ghost code from external scripts
The report suggested that website security teams were not analyzing ghost code from third-party and fourth-party scripts.
“Even when security teams have the tools to monitor script behavior, they must investigate hundreds of incidents per day,” the researchers wrote. “Most of these checks won’t show any issues, but some may involve malicious ghost code that could cause fraud or data breaches.”
Ghost code from third-party scripts poses greater supply chain risk
The company explained that while there were fewer fourth-party scripts, they posed greater risks to website owners.
The supply chain risk was higher because threat actors could compromise scripts further up the chain and thereby bypass the security controls applied to third-party scripts.
Additionally, many website owners were unaware that third-party scripts were using third-party code.
Similarly, it was unclear whether third parties or fourth parties were responsible for fixing security issues found on websites.
In addition, many external scripts changed frequently, complicating the process of reviewing each version injected into the browser. Also, some external scripts were very dynamic, injecting different code based on user activity.
According to the researchers, client-side open-source libraries posed not only a data breach risk, but also privacy and data protection issues.
Ghost code on sensitive web pages
The researchers noted that ghost code on static web pages was less risky because those pages carry no sensitive information.
However, the researchers found an average of twelve third-party and fourth-party scripts on sensitive information pages such as the login, registration and payment pages.
Researchers found that some of the scripts appeared on every page of websites, including sensitive pages. Similarly, developers used external scripts to perform various client-side functions on pages where users filled in sensitive information.
Additionally, website owners had to perform various tasks such as parsing, tagging, managing, and tracking on these pages.
However, some scripts could access and modify form fields, allowing attackers to collect and exfiltrate sensitive information to their servers or commit fraud.
Researchers found that third-party and fourth-party scripts on responsive pages had code to retrieve form content (49%), button click listeners (49%), and link click listeners (43%).
Similarly, 23% had code to modify forms, form submission listeners (22%) and input modification listeners (14%).
According to the researchers, every modern and dynamic website they scanned during the study contained such scripts.
Mitigation of Third Party and Fourth Party Ghost Code Supply Chain Risks
The researchers suggested that organizations could mitigate the supply chain risk posed by external scripts by first examining whether each script is actually needed.
They advised companies to decide on a case-by-case basis whether an external script is required, and to consider carefully whether the total number of external scripts can be reduced.
Additionally, removing external scripts from pages that handle sensitive information could mitigate the risk of a supply chain attack.
Investing in security personnel and automated tools to analyze the ghost code in external scripts could also reduce supply chain risk.
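The two steps the report recommends, inventorying which external scripts a page loads (and which further scripts those load) and flagging the ones that touch form fields or register submit, input and click listeners on sensitive pages, can be started with a small static check. The following is an added example, not Source Defense's tooling or any code from the report: it parses a constructed checkout page, walks its third-party scripts and the fourth-party scripts they load, and reports the behaviour indicators from the findings above. The page URL, vendor domains, script bodies and the `loads` lists are all constructed placeholders; in a real inventory the bodies and child loads would be recorded by fetching each script, and the "last two labels" site heuristic would be replaced by a public-suffix lookup.

```javascript
// Added example: inventory external scripts on a page and flag form-touching behaviour.
// Not Source Defense's code; all domains, URLs and script bodies below are constructed.

// Constructed sample page: one first-party script, two third-party scripts, one inline script.
const SAMPLE_PAGE = {
  url: 'https://shop.example/checkout',
  html: `
    <html><body>
      <form id="payment"><input name="card"></form>
      <script src="/static/app.js"></script>
      <script src="https://cdn.analytics-vendor.example/tag.js"></script>
      <script src="https://widgets.chat-vendor.example/loader.js"></script>
      <script>console.log("inline first-party");</script>
    </body></html>`,
};

// Constructed: the body of each external script once fetched, plus the further scripts it
// loads (the fourth parties). A real inventory would capture these from network activity.
const SCRIPT_BODIES = {
  'https://cdn.analytics-vendor.example/tag.js': {
    body: `document.querySelector('form').addEventListener('submit', e => send(new FormData(e.target)));
           document.querySelectorAll('input').forEach(i => i.addEventListener('input', track));`,
    loads: [],
  },
  'https://widgets.chat-vendor.example/loader.js': {
    body: `var s=document.createElement('script');s.src='https://cdn.chat-backend.example/core.js';document.head.appendChild(s);
           document.querySelector('button').addEventListener('click', open);`,
    loads: ['https://cdn.chat-backend.example/core.js'],
  },
  'https://cdn.chat-backend.example/core.js': {
    body: `document.querySelector('input[name=card]').value = ''; // rewrites a form field`,
    loads: [],
  },
};

// Paths the report treats as sensitive: login, registration and payment flows.
const SENSITIVE_PATHS = [/\/login/, /\/register/, /\/checkout/, /\/payment/];

// Behaviour indicators mirroring the categories in the findings (form reads, form writes,
// submit / input / click listeners). Regex matching on source is a coarse first pass only.
const INDICATORS = {
  readsForms: /FormData\(|\.value\b(?!\s*=)|serialize\(/,
  modifiesForms: /\.value\s*=[^=]|\.setAttribute\(|\.innerHTML\s*=/,
  submitListener: /addEventListener\(\s*['"]submit['"]/,
  inputListener: /addEventListener\(\s*['"](input|change|keyup|keydown)['"]/,
  clickListener: /addEventListener\(\s*['"]click['"]/,
};
const FORM_TOUCHING = ['readsForms', 'modifiesForms', 'submitListener', 'inputListener'];

// Pull every <script src="..."> out of the HTML; inline scripts have no src and are skipped.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Approximate the registrable domain as the last two labels (no public-suffix list here).
function site(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isSensitive(pageUrl) {
  const path = new URL(pageUrl).pathname;
  return SENSITIVE_PATHS.some(re => re.test(path));
}

function behaviours(body) {
  return Object.keys(INDICATORS).filter(name => INDICATORS[name].test(body));
}

// Walk the page's scripts: party 3 for scripts the page references directly, party 4 for
// scripts those load, and so on. First-party scripts are out of scope for this inventory.
function inventory(page, bodies) {
  const pageSite = site(new URL(page.url).hostname);
  const scripts = [];
  const seen = new Set();

  function visit(src, party) {
    const abs = new URL(src, page.url).href;
    if (seen.has(abs)) return;
    seen.add(abs);
    if (site(new URL(abs).hostname) === pageSite) return;
    const entry = bodies[abs] || { body: '', loads: [] };
    scripts.push({ src: abs, party, indicators: behaviours(entry.body) });
    entry.loads.forEach(child => visit(child, party + 1));
  }

  extractScriptSrcs(page.html).forEach(src => visit(src, 3));

  const sensitive = isSensitive(page.url);
  // On a sensitive page, scripts that read, write or listen on forms are the ones to review first.
  const reviewFirst = sensitive
    ? scripts.filter(s => s.indicators.some(i => FORM_TOUCHING.includes(i)))
    : [];
  return { url: page.url, sensitive, scripts, reviewFirst };
}

console.log(JSON.stringify(inventory(SAMPLE_PAGE, SCRIPT_BODIES), null, 2));
```

Run with `node`, the output lists three external scripts on the checkout page: the analytics tag (third-party) that reads form contents and listens for submit and input events, the chat loader (third-party) with only a click listener, and the chat core script (fourth-party, never referenced by the page's own HTML) that rewrites a form field. The `reviewFirst` list is where the case-by-case decision the report recommends would begin, and the fourth-party entry illustrates why the page owner's own HTML is not enough to know what runs on a payment page.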