Third-party JavaScript – more critical than ever

The Syrian Electronic Army made the news several times lately by hacking popular news websites and making them display their propaganda messages. As with many similar hacks lately, the remarkable part was that the website wasn’t compromised directly. Instead a third-party service provider was hacked that the website used: Codero was used to compromise RSA Conference website, and Taboola to compromise Reuters website.

Why was it possible for Codero and Taboola widgets to completely take over the websites using them? That’s because these widgets were added to the webpage as third-party scripts which means that they got the same level of access to the webpage as its own scripts. They could alter text, spy on the user, steal login credentials, trick the user into installing malware and more. Of course, normally they wouldn’t do anything like this (ok, maybe spying) but the websites using these widgets made a bet on these scripts always behaving themselves — and lost.

The article on the Reuters compromise talks about 40 third parties that each Reuters web page trust this way. I found this statement hard to believe so I disabled Adblock Plus and opened a random Reuters article. I then copied the list of scripts from the list of blockable items in Adblock Plus, 134 entries not counting the scripts loaded by third-party frames! No wonder that page takes a while to load. A quick glance at the list immediately identifies most entries as not belonging to Reuters. What I’ve got there:

adnxs.com AdNexus Media ads
cdn.taboola.com, connect.facebook.net, edge.quantserve.com, images.intellitxt.com, js.moatads.com, platform.linkedin.com, s2.reutersmedia.net Akamai Content Delivery Network
nexus.ensighten.com, ping.crowdscience.com, config.parsely.com Amazon AWS Cloud Computing
cdn.teads.tv, static.parsely.com Amazon CloudFront Content Delivery Network
revsci.net Audience Science tracking
bizographics.com Bizo ads
cdn.linksmart.com, widget.perfectmarket.com CDNetworks Content Delivery Network
cdnjs.cloudflare.com cdnjs code hosting
cloudflare.com CloudFlare Content Delivery Network
content.ad Content.ad ads
criteo.com Criteo ads
ensighten.com ensighten tracking
facebook.net Facebook widget
cdn.krxd.net Fastly Content Delivery Network
krxd.net Krux tracking
doubleclick.net, googlesyndication.com Google Adsense ads
google-analytics.com, gstatic.com Google Analytics tracking
google.com Google Loader code hosting
apis.google.com Google Plus widget
googletagmanager.com Google Tag Manager widget
gscontxt.net Grapeshot ads
jquery.com jQuery code hosting
static.crowdscience.com LimeLightNetworks Content Delivery Network
linkedin.com LinkedIn widget
linksmart.com, link-smart.com LinkSmart ads
crwdcntrl.net Lotame tracking
moatads.com Moat Analytics tracking
bluekai.com Oracle BlueKai tracking
pagefair.com PageFair ads
parsely.com Parse.ly tracking
perfectmarket.com PerfectMarket widget
quantserve.com QuantCast tracking
rubiconproject.com Rubicon Project ads
scorecardresearch.com ScorecardResearch tracking
taboola.com Taboola widget
teads.tv Teads ads
twitter.com Twitter widget
platform.twitter.com, tags.crwdcntrl.net, www.bkrtx.com Verizon EdgeCast Content Delivery Network
intellitxt.com Vibrant Media ads
crowdscience.com YuMe ads

Hard to believe but that’s exactly 40 entries (35 if you don’t count various Google and Amazon services separately):

  • 12 ad networks
  • 10 tracking and analytics services
  • 7 widgets (mostly social networks)
  • 7 content delivery networks
  • 3 code hosting services (externally hosted JavaScript libraries)
  • 1 cloud computing platform

And there I was seven years ago thinking that dilbert.com was bad

Note that I might have misclassified one thing or another, particularly the distinction between ad networks and tracking services is often fluent. I also might have overlooked some other content delivery network involved. Why did I even put the content delivery networks on that list but not hosting providers for example? The important difference here is the scope: most high traffic services on the web use one out of a handful content delivery networks. This puts content delivery networks into a position where they can (and do) track users across most websites, a position that is comparable to Google’s. Also, a compromised content delivery network would become a disaster for countless websites, even if these don’t use the content delivery network directly.

Altogether that’s 40 parties that can track each visitor to the Reuters website, 40 parties that this website has to trust and 40 parties that a hacker can choose from to compromise it. Finding one weak link shouldn’t be hard then. So that’s where we are now, six years after my first article on this topic – most websites can be compromised with comparably little effort due to numerous dependencies on external parties. And too often it isn’t merely a nasty message, instead the websites start infecting their visitors with malware.

How do you protect yourself? My favorite solution is naturally Adblock Plus. With the default settings it already blocks half of the scripts on the Reuters website. You can go further by enabling the privacy protection feature on the first-run page (will add EasyPrivacy filter list, can also be done here) – this will leave you with “merely” 46 scripts (around 10 third parties), without any functionality loss whatsoever.

The most radical solution is blocking third-party scripts altogether via *$script,third-party filter as I suggested six years ago. Unfortunately, this is only something for experienced Adblock Plus users who are willing to tweak their filters regularly to make websites work again. The main problem here are content delivery networks that use a different domain name to deliver essential website content. So you would have to regularly add exception rules like @@||reutersmedia.net^$script,domain=reuters.com for these cases.

Comments

  • Al

    I found a great tool for blocking/allowing cross site requests in RequestPolicy. It allows you to either use whitelist or blacklist mode (with whitelist mode breaking many websites) and it does this in an easy to use interface. No need for cryptic rules like in your article!

    https://addons.mozilla.org/de/firefox/addon/requestpolicy/

    There is also beta version 1.0 on RequestPolicy website with improved interface.

  • Nindroid

    It’s really quite unnerving to know the level of access those scripts have to our data. Isn’t anybody like Mozilla worried about this or making moves to prevent this kinds of behaviour?

  • geeknik

    I thought Mozilla was going to start blocking 3rd party cookies by default last year, but it looks like someone or something changed their minds: http://blog.sfgate.com/techchron/2013/11/06/firefox-cookie-blocking-effort-delayed-again-as-mozilla-commitment-wavers/

    I use Firefox Nighty w/ AdBlock Plus and I have 3rd party cookies disabled unless I’ve visited the site before. Knocks out quite a few of those tracking cookies.

    Wladimir Palant

    Disallowing cookies doesn’t completely disable tracking, and it certainly doesn’t mitigate any of these security risks unfortunately.

  • Šime Vidas

    Isn’t there a Web Platform tech that helps with security when loading third party script onto webpages?

    Wladimir Palant

    As far as I know, you can only sandbox frames but not scripts. Any mechanism restricting what third-party scripts can do would be big news to me. Content Security Policies don’t really help here either.