
Navigating the Risks of Third-Party JavaScript Integrations: AI Reading Summary (包阅AI)

包阅AI reading summary

1. Keywords: JavaScript, Third-Party Integrations, Risks, Cybercriminals, Security Measures

2. Summary: This article examines the risks introduced by third-party JavaScript integrations, including the ways attackers obtain data (digital skimming, web supply chain attacks and others), the lessons to be drawn from the payment card industry, and the importance of client-side protection; it argues that businesses must improve their security measures in response.

3. Main points:

– The importance of JavaScript and third-party integrations: 74% of businesses consider choosing the right framework crucial; JavaScript is a critical pillar of the web and lets businesses integrate third-party services quickly, but it introduces new risks.

– How cybercriminals obtain data:

  – Digital skimming, formjacking and Magecart attacks, which inject unauthorized code to steal sensitive information.

  – Web supply chain attacks, in which criminals compromise third-party tags by injecting or manipulating malicious code.

  – Pixel data exfiltration and harvesting of personally identifiable information.

– Lessons from the payment card industry: the PCI standard focuses on cardholder data security, and v4 adds new rules for managing JavaScript on payment pages.

– Client-side protection: the PCI standard and existing technologies such as CSP and SRI fall short; client-side protection and compliance solutions are needed to control third-party JavaScript behavior and enable secure innovation.


Article URL: https://thenewstack.io/navigating-the-risks-of-third-party-javascript-integrations/

Source: thenewstack.io

Author: Rui Ribeiro

Published: 2024/7/30 16:30

Language: English

Word count: 1077 words

Estimated reading time: 5 minutes

Score: 83

Tags: JavaScript security, cybersecurity risk, web development, data protection, PCI DSS


The original article follows


Earlier this year, research from the digital reference library DataReportal found that internet users between the ages of 16 and 64 spend an average of 6 hours and 40 minutes online. A new generation of online destinations serves more engaging and interactive experiences than the static sites of yesteryear, which means they can hold a consumer’s attention for extended periods.

According to research from PixelCrayons, 74% of businesses consider choosing the proper framework crucial for success in the digital age. JavaScript is one of the critical pillars of the internet. After more than two decades, JavaScript remains as relevant and impactful as ever.

Thanks to JavaScript, these businesses can easily and quickly integrate third-party services and transform their online businesses. For an online merchant, this means adding shopping carts, chatbots, payment gateways, product filtering, and analytics tracking, none of which require writing any code.

However, this innovation introduces new risks. First, it requires companies to add third-party scripts to their websites. Next, businesses unwittingly allow those third-party scripts unmonitored and uncontrolled access to forms and data anywhere on the page. And that’s not all. Those scripts can also be easily viewed and manipulated, which creates vulnerabilities that malicious actors can exploit to access sensitive information (PII, payment card data, etc.) and valuable company content.

Here Are Some of the Ways That Cybercriminals Can Access This Data

Digital Skimming, Formjacking, and Magecart Attacks

These attacks pose significant threats to websites employing both first- and third-party JavaScript. In each case, the cybercriminal injects unauthorized JavaScript code to steal sensitive information from website forms, such as credit card details. The unauthorized scripts are sophisticated, mimicking legitimate functionalities and skillfully evading detection.

Magecart attacks target e-commerce platforms by injecting skimming scripts onto payment pages. These scripts exploit the third-party integrations commonly found on e-commerce websites. When third-party services are utilized, the attack surface expands dramatically, heightening the risk. Magecart attacks raise substantial concerns because they can operate stealthily for prolonged periods, which gives attackers a significant amount of time to steal data before they are detected and shut down.

One high-profile example of a Magecart attack happened in 2018 with Ticketmaster. In this instance, attackers gained access to systems through a third-party customer support product and then inserted malicious code on Ticketmaster’s website payment pages. From there, attackers gained access to customer credit cards. Overall, 40,000 customers were impacted.

Web Supply Chain Attacks

Web Supply Chain Attacks are sophisticated cyberthreats in which criminals compromise third-party tags by injecting or manipulating malicious code within the solution provider’s JavaScript code. A recent example is the polyfill.io incident, which impacted anywhere from 110,000 to several million websites.

In a typical scenario, once the compromised elements are loaded onto a website or application, the malicious code executes within the user’s browser, posing various security threats such as data breaches, unauthorized access to sensitive information, or hijacking user sessions.

These attacks exploit the complex web of services and dependencies that modern websites rely on. A breach in a single third-party service can grant an attacker access to multiple websites or applications connected to that service. As these attacks leverage trusted third-party website add-ons, they often evade traditional security measures and prove challenging to detect.

Pixel Data Exfiltration

Advertising and social media tags, also known as pixels, can cause harm if misconfigured or if they capture data in unauthorized areas of a business’s website. These tags are meant to help enterprises better target customers by collecting data on user interests so advertisers or social networks can serve each user relevant ads. However, if left unchecked, they can potentially gather confidential information, posing risks to your business and customers.

PII Harvesting

PII (Personally Identifiable Information) harvesting via JavaScript occurs when malicious actors exploit vulnerabilities in JavaScript code to extract sensitive user information from websites. These attacks often target forms, user inputs, or cookies manipulated with JavaScript injections. By infiltrating the client-side code, hackers can siphon data such as names, addresses, email IDs, credit card details, and other personal information users enter. This illicit collection of PII poses a severe threat to user privacy and can lead to identity theft, financial fraud, and other malicious activities.

Lessons Learned From the Payment Card Industry

When taking action, a great place to begin is with the Payment Card Industry Security Standards Council (PCI SSC). Created more than 20 years ago by American Express, Discover Financial Services, JCB International, Mastercard, and Visa, PCI SSC has dedicated itself to adopting data security standards and resources that will help secure payments worldwide.

PCI DSS v4, which became the only active version of the standard in March 2024, focuses on cardholder data and ensuring that it is handled, stored, and transmitted securely when transactions occur. It also features new rules for managing JavaScript on payment pages to prevent skimming attacks.

Going the Distance With Client-Side Protection

While the PCI standard is a great starting point, it alone is insufficient. The same can be said of the available technology options, such as Content Security Policy (CSP) and Subresource Integrity (SRI). CSP and SRI are valuable, but more is needed, especially when monitoring first- and third-party JavaScript.

  • CSP lacks control over executed code in the browser and requires extensive manual configuration and maintenance.
  • SRI doesn’t monitor or protect against runtime behavior changes or attacks that originate from trusted third parties.

These shortcomings fuel the need for client-side protection and compliance solutions that implement standardized, state-of-the-art code obfuscation for all internally developed JavaScript throughout the product life cycle, from development to runtime.

Client-side protection and compliance solutions also address another critical need of businesses using first- and third-party JavaScript. To avoid security breaches, teams need control over the JavaScript behavior of all third-party tags. This control must span the entire business and include control over data consumption by third-party tags. Teams must also be able to rapidly cover all website pages and identify all third-party tags without impacting the website’s performance. Client-side protection and compliance solutions deliver on both fronts.

The explosion of digital innovation enabled by JavaScript opens many doors for businesses. However, they must also evolve their security measures to transform their websites. By adopting client-side solutions, these businesses can freely innovate while protecting revenue and reputation and achieving regulatory compliance.
