There’s no doubt that third-party plugins are a net positive for websites. Plugins extend what a website can do by adding easy, ready-built support for a wide range of features, whether it’s social media integration, embedded maps, commenting, SEO-boosting tools, or online store capabilities.
Plugins can be thought of as modular building blocks for websites, with literally thousands of options available to carry out virtually every task you can think of without you needing to code these from scratch. In an age in which more people than ever rely on straightforward website building tools like WordPress, plugins allow you to incorporate expert, pro-level features without having to be a website building pro. Even if you do have coding experience, plugins are frequently a better option than writing in-house code.
But third-party plugins also carry risk. Think of it like giving out keys to your home. Doing so might allow certain tasks—cleaning, gardening, changing light bulbs, feeding your cat—to be done without you having to expressly do them yourself. But it also adds a point of possible vulnerability, should those keys get into the wrong hands.
Unless, in the case of third-party plugins, you have a Web Application Firewall (WAF) at your disposal.
When Magecart attacks
Today, the average website carries content from dozens of third-party JavaScript plugins. As noted, these open up a great deal of new functionality, but they also create opportunities for vulnerabilities to be exploited in different types of cyberattacks.
Increasingly, one of the biggest threats websites face in terms of the exploitation of plugins comes from Magecart. Magecart is a syndicate or consortium of dozens of hacker groups who carry out cyberattacks on online shopping cart systems, most frequently on the Magento system. These supply chain attacks can be used to steal customer payment information. Supply chain attacks are named as such because they target the third-party vendors who supply code that websites use. Because these third-party vendors may be integrated as part of many thousands of websites, a successful hack opens up a vulnerability that can be exploited elsewhere for maximum gain — and maximum pain on the part of victims.
One popular Magecart attack is referred to as form jacking. Form jacking is the equivalent of a person looking over your shoulder while you fill out a payment form online. It involves malicious JavaScript code that collects information such as payment card numbers, phone numbers, and home and business addresses when the user hits “submit” on a payment form, and then sends this personal data to a server belonging to the attacker. Such information may be used by the attacker for payment fraud or some other form of identity theft, or sold on the dark web.
Cross-site scripting attacks represent another risk. In a cross-site scripting attack—often abbreviated to XSS—the attacker circumvents the Same Origin Policy (SOP), a web application security feature that stops one webpage from accessing data from another unless they both belong to the same website. By getting around this defense, cyberattackers can insert their own code into a target site to carry out various malicious actions, such as hijacking a user’s session to gain access to their account. This, in turn, could let them steal sensitive information or carry out vandalism.
One of the advantages (to hackers, at least) of a supply chain attack is that the direct victim may not be aware of what is happening. A direct attack for financial gain, such as a ransomware attack, makes no secret of the fact that the target has been hacked.
But in the case of a JavaScript skimmer on a checkout page, where the victim is simply using a third-party plugin, they may not know that the script they rely on has been altered at all. This means that malicious code could stay there for a long period of time.
Alongside Magento, major companies such as Ticketmaster, Amazon Web Services (AWS), and British Airways have been hit by Magecart attacks. The damaging results have often been extremely costly.
Targets are not helpless
But potential targets are not helpless. A Web Application Firewall (WAF) can help by spotting attacks in progress and blocking them. One of the most valuable features of a good WAF is what is known as virtual patching. A big problem with third-party plugin vulnerabilities is that, once discovered, they require the creator of the plugin to release a patch, and then require every user of the plugin to upgrade to the latest version before they are protected against the vulnerability.
However, with virtual patching there is an added layer of security which shields the potential target from attacks that seek to exploit certain vulnerabilities. Virtual patches are, in essence, a series of rules that mitigate risk of exploitation in plugins. While they do not change the fundamental code, they can respond significantly faster to vulnerabilities as they arise, compared to waiting for an official patch to be shipped. The process is also vastly scalable, and does not contain any of the risks that can come with manual software patches—such as conflicts with other code.
The security risks associated with third-party plugins aren’t going away. By making it much easier to build highly functional, versatile websites, these plugins do more good than harm. But the bad, when exploited by bad actors, can be devastating.
Fortunately, with the right tools those vulnerabilities can be plugged, so you need not worry about them.