Attacks on JavaScript Services Leak Info From Websites

Three marketing tools, including the Best Of The Web security logomark, were compromised in supply chain attacks, allegedly leaving website customers leaking their users' sensitive information.

In the latest breaches to highlight the dangers of insecure software supply chains, attackers compromised three marketing services by injecting obfuscated JavaScript to install code that scraped information from thousands of websites, including user login information and credit-card details.

On May 12, Willem de Groot, a security analyst with Sanguine Security, announced that digital-marketing tool Picreel, open-source Web form plugin Alpaca, and Best Of The Web's security logomark program had all been compromised and implanted with obfuscated JavaScript code to collect information on the visitors to any site that used the three online tools. The attack likely allowed the criminals behind the code to record keystrokes from thousands of websites, de Groot says.

"The economics of this is that, if you hack one project or supplier, you get a huge multiplier for your effort, so it is all about return on investment for the attacker," he says. "So if he has to spend a couple weeks digging through code on a single project, but then be able to compromise thousands of stores, then that is a good investment from his perspective."

The attack underscores that companies need to better track the risk they assume when using third-party code — especially popular open source components. Anywhere between 40% and 90% of Web application code is typically from open source components, and when companies rely on third-party services, they have to take into account that code as well, says Mike Bittner, associate director of digital security and operations at The Media Trust, a software security firm.

"Most companies have not done an audit of how much third-party code their websites and applications use, the full inventory of what is being used, and then buckling down and staying up to date," he says. "When an app is rolled out, most companies will do their due diligence and do security testing. But after that, many will not keep up to date on the security and don't realize their risk."

Supply chain attacks have become a much bigger problem for companies. Often, online criminals and nation-state actors will compromise the network of a less-secure supplier as a side door into a more-secure target company. However, attackers are also targeting open source software projects and commercial software as a way to insert vulnerabilities or malicious code that can later be activated.

In 2018, for example, security researchers notified system-management utilities maker Piriform — recently acquired by Avast — that the latest version of its Windows utility CCleaner had been infected with malware during development. And late last year, software supply-chain management firm Sonatype revealed that hackers had attempted to inject malicious code into open source software 11 times in the past 30 months.

On Sunday, de Groot announced that hackers had compromised marketing firm Picreel's website plugin, collecting information from users of the more than 1,200 sites using the tool. Picreel removed the code, according to de Groot, but did not return a request for comment from Dark Reading.

The same day, de Groot reported that content management system provider Cloud CMS had been hit by a similar hack, but according to the company only a small number of Cloud CMS customers, those that used the Alpaca forms plugin together with its default content distribution network (CDN), were actually affected.

"This file is not part of Cloud CMS, cloudcms.com, or any of our products, customer websites, data, or applications," said Michael Uzquiano, chief technology officer at Cloud CMS, in a statement emailed to Dark Reading. "The security of Cloud CMS, its customers, and its products has not been compromised."

After being notified by de Groot, the company quickly disabled the free Alpaca CDN, determined the hacker had injected code at the end of the minified Alpaca file, and then reinstantiated the CDN using Amazon S3 and a clean set of files.
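The injection described here, code appended to the tail of a hosted minified file, is exactly what Subresource Integrity (SRI) pins against: a site owner hashes the copy it reviewed, ships that hash in the script tag, and the browser refuses a resource whose hash no longer matches. The following is an added example, not code from the article or from any of the companies named; the script contents are constructed stand-ins and the URL is a placeholder.

```python
import base64
import hashlib

# Constructed sample: a stand-in for a pinned minified library, and a copy with
# extra code appended to its tail, mimicking the injection pattern described above.
# Hypothetical content, not the real Alpaca, Picreel or Best Of The Web scripts.
CLEAN_JS = b"!function(e){e.widget=function(t){return t}}(window);"
TAMPERED_JS = CLEAN_JS + b"\n(function(){var _0x=['keyup'];document.addEventListener(_0x[0],function(){})})();"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ('sha384-<base64 digest>') for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag a site owner ships, pinning the reviewed copy.
    A browser refuses to run the resource if its hash no longer matches."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


def check_script(fetched: bytes, known_good: bytes) -> dict:
    """Compare a freshly fetched copy of a hosted script with the reviewed copy.
    Reports a hash mismatch and, when the reviewed copy is an exact prefix of the
    fetched one, how many bytes were appended to the file (the tail-injection case)."""
    expected, actual = sri_hash(known_good), sri_hash(fetched)
    report = {"ok": expected == actual, "expected": expected, "actual": actual}
    if not report["ok"]:
        appended = fetched.startswith(known_good)
        report["appended_only"] = appended
        report["added_bytes"] = len(fetched) - len(known_good) if appended else None
    return report


if __name__ == "__main__":
    # Placeholder URL; the tag pins the clean copy, the check flags the tampered one.
    print(script_tag("https://cdn.example.invalid/widget.min.js", CLEAN_JS))
    print(check_script(TAMPERED_JS, CLEAN_JS))
```

SRI only protects scripts loaded by `src`; a monitoring job that runs `check_script` against each hosted dependency on a schedule catches a CDN-side change even before a browser would reject it.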

"Typically, folks download this from GitHub and build it on their own," Uzquiano said. "They then integrate it into their products. The free CDN version runs on Amazon Cloud Front, using an origin-backed distribution. It is offered as a convenience to help people try out Alpaca quickly."

In perhaps the most ironic breach, attackers compromised the JavaScript behind the Best Of The Web security logo program that checks sites before displaying the logomark. The company is investigating the issues, said Brian Prince, CEO of Best of the Web.

"Earlier today, we were notified that the script we use to display trust seals that we host on Amazon's content delivery network (CDN) was compromised," he told Dark Reading in an emailed statement. "We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again."

The common denominator between the different compromises appears to be that the JavaScript was stored in Amazon Simple Storage Service (S3) buckets. So either the developers left the storage servers open to public access or they may have published the digital keys to the S3 buckets to the cloud, de Groot says.

"These companies have not disclosed the original entry vector," he says. "However, what you often see is developers mistakenly store the secret access codes into their Github repositories and then they leak. And if you have these access codes, you have control of the content."
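One of the two entry routes de Groot suggests, an S3 bucket left writable by the public, can be caught by auditing the bucket policy before it ships. The following is an added example, not code from the article or from any company named in it: it flags any Allow statement that grants a wildcard principal an object-write action, and shows the weak policy beside a hardened one that lets only a CloudFront origin access identity read. Both policies and the `EXAMPLEOAI` identity are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample policies; bucket name and OAI id are placeholders.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenToWorld",
        "Effect": "Allow",
        "Principal": "*",                                  # anyone on the internet
        "Action": ["s3:GetObject", "s3:PutObject"],        # ... may overwrite the JS
        "Resource": "arn:aws:s3:::example-assets-bucket/*",
    }],
})
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CdnReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI"},
        "Action": "s3:GetObject",                          # read only, one principal
        "Resource": "arn:aws:s3:::example-assets-bucket/*",
    }],
})

# Actions that let a caller change what the CDN serves.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:ReplicateObject")


def _as_list(value):
    """IAM allows scalar or list for Statement, Action and Principal.AWS."""
    return value if isinstance(value, list) else [value]


def _is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (optionally inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_write_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that let an anonymous caller write objects.
    Action patterns such as "s3:*" or "s3:Put*" are expanded with glob matching."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatch(w, a) for a in actions for w in WRITE_ACTIONS):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

The same check belongs in a pipeline gate; the other route de Groot names, access keys committed to a repository, is addressed by secret scanning on the repository and by key rotation rather than by the bucket policy.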

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio