Today’s columnist, Hadar Blutrich of Source Defense, writes that third-party Java-Script often gets overlooked in discussions about major supply chain attacks such as SolarWinds. ("SolarWinds letters" by sfoskett is licensed under CC BY-NC-SA 2.0))

Supply chain security has become an important topic in our industry based on the impact of high-profile breaches like Kaseya and SolarWinds. When SolarWinds was hacked in 2020, it drove home the issue of third-party risk given its impact on major governmental departments and countless companies in the private sector such as Microsoft and Cisco. Kaseya added fuel to that fire, with the FBI describing the Kaseya attack as a supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.

Even before these incidents, the InfoSec community was placing scrutiny and focus on the risks introduced by third-party software. Is it safe to work with the partners in the supply chain? How can organizations protect their business processes, trade secrets, and the client data they manage from potential supply chain security threats?

There’s an element of third-party supply chain risk that’s often overlooked, and it’s one that has a more immediate and clearly quantifiable impact on a potential victim organization’s bottom line. We’re talking about the dynamics of website security and the risk that third-party JavaScript plays in everything from credit card theft to widespread fraud and potentially massive regulatory fines.

Client-side attacks: third-party digital supply chain risk

The vast majority of websites operating in the world have vulnerable supply chains. Organizations likely have a dozen or more third-party partners helping power their website experience. These partners are loading JavaScript on the client-side that’s often used as a vector of attack.

When these partners load JavaScript on the client-side, they introduce security issues that are outside of all of the server-side protections security teams have put in place. Because the primary focus in website security (up until this point) has been on the server-side, the client-side has become an area of exposure in supply chains – widely unaddressed and too often overlooked.

Already this year there have been numerous headlines detailing major client-side attacks – thousands of websites were recently impacted, and millions of consumers were exposed. Segway stands as one example: its e-commerce store was infiltrated by a Magecart attacker that stole credit card data and customer information. So, how does this keep happening to major corporations that would surely have top-tier security measures in place?

The answer: most organizations don’t understand the scope and materiality of the risk they face.

Understanding client-side attacks

JavaScript enables most of the functions organizations rely on, and that their users take for granted, on the company’s website, like interactive behavior, filling out web forms, and executing credit card transactions.

At the same time, JavaScript has become attractive to attackers because of its role in passing data between users – particularly personal and financial data. This opens up tremendous risk for a breach and the ensuing response costs of clean up. It also opens up the risk to major secondary costs in the form of fines and judgments. As data privacy laws become more common, organizations could be held liable if consumer data gets stolen because of vulnerable JavaScript on their website.

In these cases, the logic gets loaded and runs on the client-side (in the browser), beyond the protection of server-side security. Third-party scripts have the identical level of control as the website owner’s own internal script. Every script on the page, no matter its origin, has access and authorship capability, meaning they can change the webpage, access all information on it, and can even record keystrokes and save them.

All it takes is for a threat actor to hack a third-party and change the source code. That code is dynamically downloaded from a remote server, which means that it bypasses the traditional server-side security infrastructure, including the website owner’s firewalls and WAFs.

The damage third-party JavaScript attacks can cause to supply chains

The threat of JavaScript-based attacks exists for any organization collecting sensitive data or conducting transactions through their web properties. These attacks include:

  • Clickjacking;
  • Digital skimming;
  • Formjacking;
  • Defacement;
  • Magecart;
  • Credential harvesting.

These client-side attacks have damaged some of the biggest brands in the world. In 2020, British Airways was required by the ICO to pay $26 million for a data breach that affected more than 400,000 customers. The data stolen included: login information; payment card details; travel booking details; and name and address information.

Software supply chain security has become a top concern for organizations of all sizes and industries. And this needs to extend beyond what companies might currently focus on to include prioritizing the digital supply chain on their website. Organizations can’t afford to ignore client-side cybersecurity concerns if they want to avoid compliance issues and major security breaches that could negatively impact their reputation.

Hadar Blutrich, CTO, Source Defense