To gain a better understanding of the impact and risks of third-party code, the CQ Prime Threat Research team analyzed 60+ alerts from our news monitoring bots looking for Magecart in January 2020, and the results are surprising.
Magecart is Prevalent
Too Many Secrets
Many popular websites use third-party code to support ad networks, ad trackers, styles, and methods of moving data. Image 1 below highlights the impact on a website that has Facebook as a third-party dependency. The Facebook dependency is the blue circle in the middle of the image; it connects to many external script resources and is called by many other organizations. Its popularity illustrates how interconnected dependencies can be and why Magecart is so prolific and hard to rein in: an attack on the Facebook dependency in this example could quickly expand to many targets.
Image 1: Adding a third-party integration like Facebook dramatically increases the complexity of managing the interrelated dependencies and associated risk.
Image 2: An example of third-party integration code – an easy target for Magecart attackers.
This Base64-encoded string simply opens a connection to post data back to the server: 'open','POST','setRequestHeader','Content-Type','application/x-www-form-urlencoded'
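A defender reviewing third-party scripts can check for this pattern by decoding Base64 string literals and testing them for the request-building tokens quoted above. The following Node.js code is an added example, not code from the original article; the function names, the review rule in needsReview and the two sample scripts are assumptions constructed for illustration.

```javascript
// Added example, not from the original article. Runs under Node.js.
// Indicator tokens are the ones in the decoded string the article quotes.
const INDICATORS = ['open', 'POST', 'setRequestHeader', 'Content-Type',
  'application/x-www-form-urlencoded'];

// Return the decoded text if `s` is canonical Base64 of printable ASCII, else null.
function decodePrintable(s) {
  if (s.length % 4 !== 0) return null;
  const bytes = Buffer.from(s, 'base64');
  if (bytes.toString('base64') !== s) return null; // reject lenient decodes
  const text = bytes.toString('latin1');
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Find quoted Base64-looking literals and report which indicators they hide.
function scanScript(source) {
  const findings = [];
  const literal = /(["'])([A-Za-z0-9+/]{6,}={0,2})\1/g;
  for (const m of source.matchAll(literal)) {
    const decoded = decodePrintable(m[2]);
    if (decoded === null) continue;
    const hits = INDICATORS.filter((t) => decoded.includes(t));
    if (hits.length > 0) findings.push({ offset: m.index, decoded, hits });
  }
  return findings;
}

// Hypothetical review rule: flag a script when its encoded literals, taken
// together, contain both the POST verb and the header-setting call.
function needsReview(source) {
  const hits = new Set(scanScript(source).flatMap((f) => f.hits));
  return hits.has('POST') && hits.has('setRequestHeader');
}

// Constructed samples: the first embeds the article's decoded string, re-encoded here.
const QUOTED = "'open','POST','setRequestHeader','Content-Type','application/x-www-form-urlencoded'";
const SUSPECT = `var _s=["${Buffer.from(QUOTED).toString('base64')}"];`;
const BENIGN = `var label="${Buffer.from('page view counter').toString('base64')}";`;

console.log(scanScript(SUSPECT), needsReview(SUSPECT), needsReview(BENIGN));
```

A hit means only that the script hides request-building strings and deserves a manual look; legitimate analytics code can do the same, and obfuscators that use other encodings will not match.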
Too Slow to Execute
An often-overlooked impact of the increased number of third-party code snippets executing on a website is their impact on the page load speed. Some of this code is used to build the page dynamically, for analytics purposes, to provide user experience feedback, or to protect the site from automated attacks.
Analyzing commonly used websites with Google’s PageSpeed Insights demonstrates where the greatest page load impact was. In cases where the page had third-party code performing obfuscation or just doing off-page calculation, page load times increased dramatically. Performance tuning for these sites would need to include removing some of these components, as they are just getting in the way, causing user friction from load times and adding yet another set of third-party code.
Image 3: The impact on user experience when third-party code executes at page load.
Adding third-party code can be a great way to create interactivity with your end users and create a positive user experience. However, you should place it in-line on your site only with an extreme amount of care and caution. Not knowing what that code does, how it executes, or how it affects the browser can introduce risk.
As we begin to see more and more attacks happening on this layer, we need to realize that having a good inventory of our third-party resources and having policies to track when they change is important. Otherwise, attacks on this vector, such as credit card skimming, might go unnoticed. If your application has so many dependencies that you cannot effectively tell when one changes, you should look into having a better inventory of your dependencies and how they impact user security as well as user experience.