For several years Reflectiz has been exploring the landscape of third-party apps all over the world-wide-web. We do this as a part of our mission to help organizations protect their online businesses, websites and other digital assets from third-party risks.

From our research, we have collected and analyzed petabytes of data from thousands of websites, covering almost every external component running on them and the risk factors around those components. In this article we share the most interesting findings about third-party apps on websites, and shed more light on the escalating cyber-security threats they create.

[Figure: the average number of third- and fourth-party apps per website]

The Blind-Spot of Supply Chain on Websites

To grasp the evolving arena of third-party application security on websites, we’ll begin with some background. The first step is to understand why companies and organizations use third- and fourth-party apps, i.e. external vendor code, on their digital assets almost by default. The reason is simple: organizations need a faster and cheaper way to scale their business and technology, and third-party apps allow them to do so.

Surprisingly, and despite their growing role, third parties on websites still remain a blind spot from a cyber-security perspective. The numbers tell a completely different story: they show dramatic growth in third-party use in every online business segment, yet from a risk mitigation or even a threat detection point of view, this presence of third-party apps does not get the attention it needs. The obvious proof is the growing number of supply-chain attacks on websites and the escalation of hacking groups like Magecart that exploit third parties. This is just the tip of the iceberg, especially when you consider that the organization remains accountable for whatever its vendors’ code does on its pages. To emphasize how severe the unattended risk is, we will refer to the figures, which give an idea of how big the security and privacy challenges really are.

Online Business as a Target

The amount of effort that online business organizations invest to scale is huge. Competition is becoming fiercer and digital and IT costs keep rising. Most experts see these as the main factors that motivate organizations to use third-party apps on their websites and digital assets. We mention it because it is important to realize the dependency and understand how fragile it is. Breaches like British Airways, the recent attack on Macy’s, and groups like Magecart are good examples of how third-party apps can have a devastating impact on organizations. These are only a few pieces of a bigger puzzle. Looking at it through the eyes of your brand, your responsibility and your liability demonstrates how big the potential damage is. If you think about costs, consider the $230 million GDPR fine proposed against British Airways.

For hackers, third parties on websites are very appealing. Magecart is not the only threat, of course; recently we have seen new kinds of attacks like Pipka and others. Attackers love third-party code because it can be modified remotely, on the vendor’s side, and keep running under the radar. This is the key to sophisticated and somewhat undetectable supply-chain attacks, online credit-card skimming and data theft.

A Quick Glance at the Risk Landscape

#1 Fourth parties – Why is it risky? Security teams have very limited control over scripts from unfamiliar sources or from vendors’ vendors. These scripts can modify websites without the organization’s consent or approval. This is also why attackers find them an easy target.

#2 External domain issues – Why is it risky? Unverified certificates, invalid domains and certificates, domain mismatches, and expired domains and verifications can be the key to sophisticated supply-chain attacks, domain hijacking and data theft.

#3 Visitor tracking by third- and fourth-party apps – Why is it risky? GDPR, CCPA, privacy violations, regulations. Should we say more?

The figures also emphasize why third-party apps on websites are quickly turning into a major security and privacy challenge for almost every organization today. Online businesses should be more aware of it, and security teams can no longer afford to treat it as a medium priority. It is time to realize that hackers are also aware that a WAF and other perimeter controls cannot handle these risks: third-party scripts are fetched by the visitor’s browser straight from the vendor’s domain and never pass through the organization’s perimeter. If you are a security team member or a CISO, you should ask yourself whether you are familiar with the entire third-party inventory on your website.
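A first step toward that inventory is to list every script a page loads and separate first-party code from code served by other domains, noting which third-party loads carry no Subresource Integrity (SRI) hash and can therefore be changed on the vendor’s side without anything on the page noticing. The following script is an added example, not Reflectiz tooling or anything from the original article; the checkout page it parses and every domain in it are constructed for the demo, and the SRI value is a placeholder.

```python
"""Static inventory of the <script> tags on a page: which come from outside
the first-party domain, and which of those are unpinned (no SRI hash).
Added example, not Reflectiz tooling. The page URL, the sample HTML and
every domain in it are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://shop.example.com/checkout"  # hypothetical page

# Constructed checkout page: two first-party scripts, three third-party
# scripts (one pinned with an SRI hash, two not) and one inline script.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://static.shop.example.com/bundle.js"></script>
<script src="https://cdn.vendor-cdn.test/vendor.js"
        integrity="sha384-placeholder" crossorigin="anonymous"></script>
<script src="https://js.analytics-vendor.test/tag.js" async></script>
<script src="//ads.tracker.test/pixel.js"></script>
<script>window.__cfg = {"currency": "USD"};</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            # attrs is a list of (name, value); valueless attrs map to None
            self.scripts.append(dict(attrs))


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Enough for the demo; a real tool
    should use the Public Suffix List so co.uk-style suffixes work."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def inventory(html, page_url):
    """Return one record per <script>: its party classification and whether
    a third-party load is unpinned (no integrity attribute)."""
    first_party = registrable_domain(urlparse(page_url).hostname)
    collector = ScriptCollector()
    collector.feed(html)
    records = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:
            records.append({"src": None, "host": None, "party": "inline",
                            "sri": False, "flag": False})
            continue
        # urljoin resolves relative and scheme-relative ("//host/x.js") URLs
        host = urlparse(urljoin(page_url, src)).hostname
        party = "first" if registrable_domain(host) == first_party else "third"
        sri = attrs.get("integrity") is not None
        records.append({"src": src, "host": host, "party": party,
                        "sri": sri, "flag": party == "third" and not sri})
    return records


def unpinned_third_party(records):
    """The src values a security team must be able to account for."""
    return [r["src"] for r in records if r["flag"]]


if __name__ == "__main__":
    recs = inventory(SAMPLE_HTML, PAGE_URL)
    for r in recs:
        print(f"{r['party']:6} sri={str(r['sri']):5} {r['src']}")
    print("unpinned third-party scripts:", unpinned_third_party(recs))
```

Two caveats a practitioner should keep in mind. SRI only works for files that never change; tags that a vendor updates continuously (tag managers, analytics snippets) will break under SRI, so for those the usual control is a Content-Security-Policy script-src allowlist with violation reporting enabled. And a static parse sees only what the HTML references directly: the fourth-party scripts that a vendor’s tag pulls in at runtime, which is exactly the blind spot described above, only show up in a real browser session or in CSP violation reports.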

Going Digital

A quick analysis of what has been happening during the last few years shows how organizations have become more digitally dependent. The shift of the center of gravity from offline to online increased the demand for faster, scalable and more cost-effective solutions. More vendors and startups created new technologies and solutions. For online businesses that was a blessing. The transformation from self-developed code to vendor technologies was inevitable. Lower costs and easier integration with other solutions and new technologies changed the online landscape. It became more efficient and profitable, but at the same time turned digital assets into fragile puzzles. We have already discussed a few of the risks. Now it’s time to tease you with some numbers.

What Do Your Vendors Really Do On Your Website?

To understand third-party security and privacy risks on websites, we need to look at the different types of functionality third parties provide to websites. Our analysis shows six categories: JavaScript frameworks, engagement apps, social network integrations, analytics utilities, compliance and security tools, and advertising platforms.

In the second part on this topic, to be published soon, we will discuss the essentials every CISO must know: what security and privacy risks third-party code presents on websites. We’ll keep the rest in stealth mode for now, but here’s a small hint: keyloggers, GPS and trackers.

* Note: All data collection and analysis were performed externally, without any setup or installation on the analyzed websites.

To meet us at one of the upcoming conferences we’re attending and get a free risk analysis for your website, email: tom@reflectiz.com.

We look forward to seeing you!