Massive shadow code risk for world’s largest businesses

Source Defense announced the results of a study that for the first time sizes the security, privacy, and compliance risks that are literally designed into the digital supply chains of major business websites.

This risk, originating from highly dynamic and unpredictable scripts and code from third parties and beyond, permeates every aspect of a business’s web presence. On the whole, this report sheds light on a woefully underestimated risk that most famously resulted in the theft of financial and personal information for more than 400,000 British Airways passengers in 2018, and resulted in the largest fines ever from the British Information Commissioner’s Office (ICO).

Organizations collecting sensitive information, enabling business transactions or conducting commerce through their web properties, are under a constant risk of attack. The pace of adversarial activity is only increasing as retail and e-commerce companies enjoy exponential growth, as travel and lodging needs increase post-pandemic, and as healthcare and financial services transactions move more critical and sensitive functions online.

The top line report findings discovered an average of 15 externally generated scripts on each site, with an average of 12 scripts specifically on sensitive pages. Financial services was the most exposed vertical, with nearly 60% more scripts on average resident on sensitive pages, and double the number per page overall, with triple the amount of fourth-party scripts.

Risks lurking within digital supply chains

The data comes from an analysis of 4,300 of the world’s largest websites across the most prevalent verticals during the first quarter of 2022 to identify both security and compliance issues lurking within the website digital supply chain. The company mapped the concerning sprawl of third- and fourth-party scripts across each website, on individual pages – including sensitive pages that come in contact with PII, financial data, etc. – and the usage and variance across the most prevalent verticals.

“While retail and credit card breaches grab the most headlines, this is a pervasive and relatively unchecked risk to both security and privacy across all verticals,” said Dan Dinnar, CEO of Source Defense.

“It’s also a fast-growing and extremely volatile issue with regard to sensitive data. Organizations and their digital supply chain partners are constantly updating sites and code, and the data of greatest value to malicious actors is collected on the pages where the business has the greatest need for analytics, tag management, and other tracking and management capabilities.”

Extensive libraries of third-party scripts are available free, or at low cost, from a range of communities, organizations, and even individuals, and are extremely popular as they allow development teams to quickly add advanced functionality to applications without the burden of creating and maintaining them. These packages also often contain code from additional parties further removed from – and farther out of the purview of – the deploying organization.

Making matters worse, they operate remotely from a server belonging to the third party, to provide everything from social media connections to marketing tracking/analytics. If a script has been compromised, the shadow code comes with it and goes straight to the browser without organizational defenses able to detect it. From there, scripts can exfiltrate data to remote servers, redirect users to malicious websites, or lay the groundwork for formjacking, digital skimming, and credential harvesting attacks.

Additional risks found

• 49% of all sites had external code present with the ability to retrieve form input and “listen” to user button clicks, and more than one in five sites had external code with the ability to modify forms.
• On average, one in four of all scripts represented fourth-party code, as did every one in five scripts on individual pages.
• Per page, analysis found an average of five scripts, with at least one a fourth-party script. The number was much larger on sensitive pages, at an average of 12 external scripts in contact with everything from credentials to account and financial details.
• The two most exposed verticals were financial services and healthcare, with an average of 16 and 13 third-party scripts, and 6 and 5 fourth-party scripts, respectively. And on sensitive pages, analysis found an average of 19 scripts in financial services and 14 scripts in healthcare.