
Study Warns That Shadow Code on External JavaScript Libraries Poses a Serious Supply Chain Risk

Israeli cybersecurity firm Source Defense analyzed the supply chain risk posed by shadow code on third- and fourth-party scripts on major businesses’ websites.

Third-party scripts and open source JavaScript libraries assist development teams in adding advanced functionality to web applications without writing or maintaining code.

They allow developers to improve user interaction, implement social media sharing, tracking and analytics, deliver dynamic content, display news feeds, and retrieve data from third-party sources.

Although external scripts speed up the application development process, attackers could compromise or abuse them for digital skimming, formjacking, credential harvesting, and redirecting users to malicious websites.

Magecart attacks originating from client-side scripts have grabbed major cybersecurity news headlines in the past few years, with incidents rising sharply since 2014.

The average number of third- and fourth-party scripts on websites

After sampling 4,300 websites and applications ranked by traffic, Source Defense discovered that each website had an average of 12 third-party scripts and three fourth-party scripts.

Per page, the average was five external scripts (four third-party and one fourth-party), rising to an average of 12 external scripts on sensitive pages.

The report also found that some high-traffic websites had “several dozens” of third-party and fourth-party client-side scripts.

Industries worst affected by shadow code from external scripts

The financial sector was the worst affected with an average of 16 third-party and six fourth-party scripts per website, followed by healthcare (13, 5) and travel (13, 4).

Ecommerce websites had the least number of third-party (10) and fourth-party scripts (4) per website.

Per page, financial websites averaged ten external scripts (seven third-party and three fourth-party), while healthcare websites averaged eight (six third-party and two fourth-party).

Travel and ecommerce had five and four third-party scripts, respectively, and two fourth-party scripts each.

“It is interesting to note that even in finance, one of the world’s most threat-aware industries, with unrivaled investment in security technology and staffing, major third-party risks still lurk on mission-critical web properties,” the researchers lamented.

However, researchers explained that the financial industry heavily relied on many third-party scripts with fourth-party code to fetch clients’ financial data, news feeds, and securities and commodity prices.

Website teams do not monitor shadow code from external scripts

The report suggested that website security teams were not analyzing shadow code from third- and fourth-party scripts.

“Even when security teams have the tools to monitor the behavior of scripts, they need to investigate hundreds of incidents per day,” researchers wrote. “Most of these checks will show no issues, but some are likely to involve malicious shadow code with the potential to cause fraud or data breaches.”

Shadow code from fourth-party scripts poses a greater supply chain risk

The firm explained that while fourth-party scripts were fewer, they posed greater risks to website owners.

The elevated supply chain risk was because threat actors could compromise scripts higher up the supply chain to circumvent third parties’ security controls.

Additionally, many website owners were unaware that third-party scripts used code from fourth parties.

Similarly, it was difficult to determine whether third parties or fourth parties were responsible for fixing security problems detected on websites.

Additionally, many external scripts changed frequently, thus complicating the process of reviewing every version injected into the browser. Also, some external scripts were highly dynamic, injecting different code based on user activity.

According to the researchers, client-side open-source libraries not only posed a data breach risk but also privacy and data protection compliance challenges.

Shadow code on sensitive web pages

The researchers noted that shadow code on static web pages posed lower risks because of the lack of sensitive information.

However, the researchers found an average of twelve third- and fourth-party scripts on sensitive information pages such as login, registration, and payment pages.

The researchers found that some of the scripts appeared on every page of the websites, including sensitive pages. Similarly, developers utilized external scripts to accomplish various client-side functions on pages where users filled in sensitive information.

According to the researchers, developers used external JavaScript code on sensitive pages to deliver dynamic content and improve performance.

Additionally, website owners needed to accomplish various tasks such as analytics, tagging, management, and tracking on those pages.

However, some scripts could access and change form fields, allowing attackers to collect and exfiltrate sensitive information to their servers or commit fraud.

The researchers found that third- and fourth-party scripts on sensitive pages had code to retrieve form contents (49%), button click listeners (49%), and link click listeners (43%).

Similarly, 23% had code to modify forms, 22% registered form submit listeners, and 14% registered input change listeners.

According to the researchers, every dynamic modern website they scanned during the study had such scripts.

Mitigating supply chain risks from third- and fourth-party shadow code

The researchers suggested that organizations could mitigate the supply chain risk posed by external scripts by analyzing the necessity of such scripts.

They advised businesses to decide whether they needed external scripts on a case-by-case basis. Similarly, they should carefully decide whether they could reduce the number of external scripts.

Additionally, removing external scripts from pages handling sensitive information could mitigate the risk of a supply chain attack.

Investing in security staff and automated tools to analyze shadow code in external scripts could also reduce the possibility of a supply chain risk.
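As an added illustration of the inventory-and-review step the researchers recommend, the Node.js script below is example code written for this article, not Source Defense's tooling or any tool named in the report. It walks a small set of pages, classifies each external script as first-, third- or fourth-party by hostname (a fourth-party script being one that a third-party script loads at runtime), flags sensitive pages, and uses simple regular-expression heuristics to spot the capabilities the study measured: reading form contents, modifying forms, and click, submit and input-change listeners. The site hostname, page HTML and script bodies are all constructed samples, and the heuristics are an assumption made for illustration rather than a robust JavaScript analyser.

```javascript
// Constructed example: inventory external scripts per page and flag the ones
// that can touch form data on sensitive pages. Not the report's own code.

const SITE_HOST = "shop.example"; // constructed: the site being audited

// Constructed sample pages: a static page and a sensitive checkout page.
const PAGES = {
  "https://shop.example/about": `
    <html><body><h1>About us</h1>
    <script src="/static/app.js"></script>
    <script src="https://tag.analytics-vendor.example/tag.js" async></script>
    </body></html>`,
  "https://shop.example/checkout": `
    <html><body>
    <form id="pay"><input name="card"><input name="cvv" type="password"></form>
    <script src="/static/app.js"></script>
    <script src="https://tag.analytics-vendor.example/tag.js" async></script>
    <script src="https://cdn.chat-widget.example/chat.js"></script>
    </body></html>`,
};

// Constructed script bodies keyed by absolute URL (in practice, fetched copies
// of each version, since the report notes external scripts change often).
const SCRIPT_BODIES = {
  "https://shop.example/static/app.js":
    `document.getElementById('pay').addEventListener('submit', e => {
       const data = new FormData(e.target); /* first-party checkout code */ });`,
  "https://tag.analytics-vendor.example/tag.js":
    `document.addEventListener('click', e => track(e.target.href));
     var s = document.createElement('script');
     s.src = "https://pixel.fourth-party.example/px.js"; document.head.appendChild(s);`,
  "https://pixel.fourth-party.example/px.js":
    `document.querySelectorAll('input').forEach(i =>
       i.addEventListener('change', () => beacon(i.name, i.value)));`,
  "https://cdn.chat-widget.example/chat.js":
    `var f = document.querySelector('form');
     if (f) f.insertAdjacentHTML('beforeend', '<input type=hidden name=chat_session value=' + sid + '>');`,
};

// Heuristic patterns for the capability categories the study counted (assumption).
const CAPABILITY_PATTERNS = {
  "reads form contents": /new FormData\(|\.value(?!\s*=[^=])|\.elements\b/,
  "modifies forms": /\.action\s*=(?!=)|\.value\s*=(?!=)|insertAdjacentHTML\(/,
  "click listener": /addEventListener\(\s*["']click["']/,
  "submit listener": /addEventListener\(\s*["']submit["']/,
  "input change listener": /addEventListener\(\s*["'](input|change)["']/,
};

// First party = the site host or one of its subdomains; anything else is external.
function partyOf(hostname) {
  return hostname === SITE_HOST || hostname.endsWith("." + SITE_HOST) ? "first" : "third";
}

// Describe one script: which party it belongs to and which capabilities its body shows.
function describe(url, party, bodies) {
  const body = bodies[url] || "";
  const capabilities = Object.entries(CAPABILITY_PATTERNS)
    .filter(([, re]) => re.test(body))
    .map(([name]) => name);
  return { url, party, capabilities, known: url in bodies };
}

// Audit one page: list every <script src>, resolve it, and follow third-party
// scripts into the fourth-party scripts they inject via element.src assignments.
function auditPage(pageUrl, html, bodies = SCRIPT_BODIES) {
  const scripts = [];
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  for (const m of html.matchAll(tagRe)) {
    const url = new URL(m[1], pageUrl).href;
    const party = partyOf(new URL(url).hostname);
    scripts.push(describe(url, party, bodies));
    if (party === "third") {
      const loadRe = /\.src\s*=\s*["'](https?:\/\/[^"']+)["']/g;
      for (const f of (bodies[url] || "").matchAll(loadRe)) {
        scripts.push(describe(f[1], "fourth", bodies));
      }
    }
  }
  // Sensitive page heuristic: login/registration/payment paths or a password field.
  const sensitive = /\/(login|register|checkout|payment)\b/.test(new URL(pageUrl).pathname)
    || /type\s*=\s*["']?password/i.test(html);
  return { page: pageUrl, sensitive, scripts };
}

// Per-page counts in the report's terms, plus the review list: external scripts
// on sensitive pages that show any form or listener capability.
function summarize(audits) {
  const perPage = audits.map(a => {
    const external = a.scripts.filter(s => s.party !== "first");
    return {
      page: a.page,
      sensitive: a.sensitive,
      third: a.scripts.filter(s => s.party === "third").length,
      fourth: a.scripts.filter(s => s.party === "fourth").length,
      flagged: a.sensitive ? external.filter(s => s.capabilities.length > 0).map(s => s.url) : [],
    };
  });
  const avgExternal = perPage.reduce((n, p) => n + p.third + p.fourth, 0) / perPage.length;
  return { perPage, avgExternal };
}

function runReport() {
  return summarize(Object.entries(PAGES).map(([url, html]) => auditPage(url, html)));
}

console.log(JSON.stringify(runReport(), null, 2));
```

Each flagged entry on a sensitive page is a candidate for the case-by-case decision the researchers describe: remove the script from that page, restrict it, or keep it with monitoring. The fourth-party pixel is only visible because the third-party script's body was scanned, which is the gap the report highlights when site owners look at tags alone.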