The Syrian Electronic Army made the news several times lately by hacking popular news websites and making them display their propaganda messages. As with many similar hacks lately, the remarkable part was that the website wasn’t compromised directly. Instead, a third-party service provider that the website used was hacked: Codero was used to compromise the RSA Conference website, and Taboola to compromise the Reuters website.

Why was it possible for Codero and Taboola widgets to completely take over the websites using them? That’s because these widgets were added to the webpage as third-party scripts which means that they got the same level of access to the webpage as its own scripts. They could alter text, spy on the user, steal login credentials, trick the user into installing malware and more. Of course, normally they wouldn’t do anything like this (ok, maybe spying) but the websites using these widgets made a bet on these scripts always behaving themselves — and lost.

The article on the Reuters compromise talks about 40 third parties that each Reuters web page trusts this way. I found this statement hard to believe so I disabled Adblock Plus and opened a random Reuters article. I then copied the list of scripts from the list of blockable items in Adblock Plus: 134 entries, not counting the scripts loaded by third-party frames! No wonder that page takes a while to load. A quick glance at the list immediately identifies most entries as not belonging to Reuters. What I’ve got there:

| Domains | Company | Type |
|---|---|---|
| adnxs.com | AdNexus Media | ads |
| cdn.taboola.com, connect.facebook.net, edge.quantserve.com, images.intellitxt.com, js.moatads.com, platform.linkedin.com, s2.reutersmedia.net | Akamai | Content Delivery Network |
| nexus.ensighten.com, ping.crowdscience.com, config.parsely.com | Amazon AWS | Cloud Computing |
| cdn.teads.tv, static.parsely.com | Amazon CloudFront | Content Delivery Network |
| revsci.net | Audience Science | tracking |
| bizographics.com | Bizo | ads |
| cdn.linksmart.com, widget.perfectmarket.com | CDNetworks | Content Delivery Network |
| cdnjs.cloudflare.com | cdnjs | code hosting |
| cloudflare.com | CloudFlare | Content Delivery Network |
| content.ad | Content.ad | ads |
| criteo.com | Criteo | ads |
| ensighten.com | ensighten | tracking |
| facebook.net | Facebook | widget |
| cdn.krxd.net | Fastly | Content Delivery Network |
| krxd.net | Krux | tracking |
| doubleclick.net, googlesyndication.com | Google Adsense | ads |
| google-analytics.com, gstatic.com | Google Analytics | tracking |
| google.com | Google Loader | code hosting |
| apis.google.com | Google Plus | widget |
| googletagmanager.com | Google Tag Manager | widget |
| gscontxt.net | Grapeshot | ads |
| jquery.com | jQuery | code hosting |
| static.crowdscience.com | LimeLightNetworks | Content Delivery Network |
| linkedin.com | LinkedIn | widget |
| linksmart.com, link-smart.com | LinkSmart | ads |
| crwdcntrl.net | Lotame | tracking |
| moatads.com | Moat Analytics | tracking |
| bluekai.com | Oracle BlueKai | tracking |
| pagefair.com | PageFair | ads |
| parsely.com | Parse.ly | tracking |
| perfectmarket.com | PerfectMarket | widget |
| quantserve.com | QuantCast | tracking |
| rubiconproject.com | Rubicon Project | ads |
| scorecardresearch.com | ScorecardResearch | tracking |
| taboola.com | Taboola | widget |
| teads.tv | Teads | ads |
| twitter.com | Twitter | widget |
| platform.twitter.com, tags.crwdcntrl.net, www.bkrtx.com | Verizon EdgeCast | Content Delivery Network |
| intellitxt.com | Vibrant Media | ads |
| crowdscience.com | YuMe | ads |

Hard to believe but that’s exactly 40 entries (35 if you don’t count various Google and Amazon services separately):

12 ad networks

10 tracking and analytics services

7 widgets (mostly social networks)

7 content delivery networks

3 code hosting services (externally hosted JavaScript libraries)

1 cloud computing platform
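The count above was done by hand from the Adblock Plus blockable-items list. The following is an added example, not code from the original post, that automates the first step: it groups a page’s script URLs by registrable domain and counts the third parties. The suffix handling and the sample URL list are constructed for the example; in a browser the list would come from `Array.from(document.scripts, s => s.src)`.

```javascript
// Naive registrable-domain extraction: the last two labels, or three for
// second-level country suffixes such as co.uk. This shortcut is an assumption
// made for the example; a real audit should consult the Public Suffix List.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const secondLevel = new Set(["co", "com", "net", "org", "ac", "gov"]);
  const n = labels.length;
  if (n >= 3 && secondLevel.has(labels[n - 2]) && labels[n - 1].length === 2) {
    return labels.slice(-3).join(".");
  }
  return labels.slice(-2).join(".");
}

// Split script URLs into first-party and third-party, grouping the latter
// by registrable domain so each third party is counted once.
function auditThirdPartyScripts(pageHost, scriptUrls) {
  const site = registrableDomain(pageHost);
  const firstParty = [];
  const thirdParty = new Map(); // registrable domain -> script URLs
  for (const url of scriptUrls) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch {
      continue; // inline scripts have an empty src; skip those and malformed URLs
    }
    const domain = registrableDomain(host);
    if (domain === site) {
      firstParty.push(url);
    } else {
      if (!thirdParty.has(domain)) thirdParty.set(domain, []);
      thirdParty.get(domain).push(url);
    }
  }
  return { firstParty, thirdParty, thirdPartyCount: thirdParty.size };
}

// Constructed sample: hosts taken from the table above, paths made up.
const SAMPLE_SCRIPTS = [
  "https://static.reuters.com/app.js",
  "https://s2.reutersmedia.net/js/main.js",
  "https://cdn.taboola.com/libtrc/loader.js",
  "https://connect.facebook.net/en_US/all.js",
  "https://www.google-analytics.com/ga.js",
  "https://www.googletagmanager.com/gtm.js",
  "https://securepubads.g.doubleclick.net/gpt.js",
  "https://cdnjs.cloudflare.com/ajax/libs/jquery/jquery.min.js",
  "", // inline script
];
```

Grouping by domain cannot tell which CDN actually serves a host (the table attributes s2.reutersmedia.net to Akamai), so a full audit still needs DNS/CNAME lookups for each domain.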

And there I was seven years ago thinking that dilbert.com was bad…

Note that I might have misclassified one thing or another; in particular, the distinction between ad networks and tracking services is often fluid. I also might have overlooked some other content delivery network involved. Why did I put content delivery networks on that list but not, for example, hosting providers? The important difference here is the scope: most high-traffic services on the web use one of a handful of content delivery networks. This puts content delivery networks into a position where they can (and do) track users across most websites, a position that is comparable to Google’s. Also, a compromised content delivery network would become a disaster for countless websites, even ones that don’t use the content delivery network directly.

Altogether that’s 40 parties that can track each visitor to the Reuters website, 40 parties that this website has to trust and 40 parties that a hacker can choose from to compromise it. Finding one weak link shouldn’t be hard then. So that’s where we are now, six years after my first article on this topic – most websites can be compromised with comparably little effort due to numerous dependencies on external parties. And too often it isn’t merely a nasty message, instead the websites start infecting their visitors with malware.

How do you protect yourself? My favorite solution is naturally Adblock Plus. With the default settings it already blocks half of the scripts on the Reuters website. You can go further by enabling the privacy protection feature on the first-run page (this adds the EasyPrivacy filter list; it can also be done here) – this will leave you with “merely” 46 scripts (around 10 third parties), without any functionality loss whatsoever.