Third-Party Extensions: The Hidden Security Risk
Third parties are a well-known risk for any company’s cybersecurity posture (just ask Target or dozens of other large enterprise that suffered a data breach due to an outside vendor or consultant security mistake). But we tend to think of third parties as a totally separate corporate entity. That leaves us open to another third-party breach, this one through third-party extensions. For example, the Ticketmaster breach, along with hundreds of other e-commerce sites, was due to a vulnerability found in third-party website components that resulted in digital card skimming.
The Silent Risk
Third-party website extension tools make up a very specific universe of vendors and tools integrated directly into a corporate website, meant to enhance user experience, drive critical analytics and aid in monetization of the site. Because these tools are integrated directly into the website, and because the website is the frontline for communication with the customer and visitor, these tools sit in a place where sensitive customer and payment data flows routinely, cybersecurity expert Ross Hogan with Source Defense, explained.
“This means every single one of these third-party website tool vendors and the hackers that exploit them can access any piece of that customer and payment data through the website as the user interacts with it in real time,” Hogan said. “Beyond skimming information, this access allows these external entities to even prompt the site user for further info not required during legitimate usage of the website.”
Here’s where third-party extensions get scary for businesses and consumers alike: Website owners are entirely unable to prevent these third parties from accessing sensitive consumer information, nor would they be able to detect that there was an attempt to access customer data at all. These are trusted websites that all of us visit regularly and trust with our financial and personally identifiable information.
Vulnerabilities to Be Aware Of
Website owners work with dozens of partners to deliver all types of website enhancements, ranging from personalization to analytics to chat options. These website tools are integrated via JavaScript and opening up the site for many different potential attack types, including keylogging, manipulating website forms, injecting pop-ups and redirecting users to external unauthorized sites.
“Once a hacker compromises a comparatively less secure and far less sophisticated third-party vendor, they can inject malicious JavaScript from remote servers that execute on the customer browser,” Hogan explained. “Through this unmanaged connection with external servers and the unlimited, developer-level access it unavoidably provides the third party, the attack is only limited by the attacker’s imagination.”
Unfortunately, many of the security tools and approaches we use, including penetration testing, code review and application security testing, don’t provide the level of visibility necessary into the actions of these third parties. That means there is no way to prevent hackers from exploiting vulnerabilities.
GDPR Compliance Implications
Any data breach is going to have negative implications for a company, but GDPR kicks it up a notch. With third-party website tools, Hogan pointed out, it means websites are unable to control what data can be accessed by the third parties or by hackers. This means being in GDPR compliance is almost impossible.
So what can you do if your website relies on third-party extensions?
“For the most protection, security professionals should use prevention technology that controls the access and permissions of every third-party website tool running on the website,” advised Hogan. “This insulates websites, website owners and customers from the malicious behavior of third-party vendors compromised by hackers.”
Prevention technologies address the core vulnerability in the extension so it no longer persists, Hogan added, meaning it also eliminates the need for many downstream steps in the attack life cycle.
“Without a preventative measure, organizations could monitor any third-party website tools for changes and also the security policies of the partners that supply the website tools,” he said. This strategy, however, can be labor intensive and does not detect all attacks in real time, meaning damage may have been done by the time a hack is detected.
