Security: A secure eCommerce site does not have 3rd party JavaScript

Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive
 

For any retailer with an eCommerce website, security should be king. However most leave their website exposed to security holes. This occurs as they are putting 3rd party JavaScript on their site that is not controlled or audited by them. And with what happened to British Airways this month, this is the most likely cause of credit card data being taken.

All websites need JavaScript to control how the browser works. They fulfil several key roles, including improving user experience, adjusting the website for different devices, communicating with the server in the background to provide a smooth experience and finally, for collecting data.

There are lots of companies who sell services to website owners, and these companies require their JavaScript to be included into the web pages, so that their service will work. A typical example of this is Google, for their analytics software. There is also a lot of Open Source software that requires that their JavaScript is included on websites, for example jQuery a toolset that helps JavaScript developers. They offer the ability for a website to either download this JavaScript, so that it can be hosted alongside the website, or they provide the latest version on a Content Delivery Network (CDN).

Tagging is another area that requires JavaScript and is used by analytics software, heatmap/tracking software, affiliate programmes and more. Typically marketing teams are in control of this, bypassing IT and Security teams, with the use of a Tag Management software that controls the JavaScript that will be deployed on the website.

Image

So, what are the risks?

Now, this is where the risks are, lots of 3rd party JavaScript is required to make websites run. These JavaScripts are developed by 3rd party developers. Typically, the website owner does not know what these JavaScripts do, as they have never looked at this code.

When these JavaScripts are hosted on 3rd party servers, these scripts are outside the controlled security realm of the website. Companies, which hosts a website, put their trust in 3rd party servers for their security and if they are hacked the person who is responsible for the security needs to fix the security hole ASAP. If a typical website has twenty 3rd party JavaScripts that are hosted, they are putting their trust in twenty different companies with their security of their website. Teams in control of tag management software have no training in security and the security risk of including unknown 3rd party JavaScript on a website.

When a hacker gains access to change JavaScript at one of these 3rd party services, they can start capturing information about anyone using that site. This is what I think has happened at British Airways, because it was reported that the credit card information with CVV numbers, something that no website ever stores, were captured. This means that the hackers were capturing every key stroke and mouse movement on the British Airways checkout page. The only way they can do this is with JavaScript, and only a tiny amount of code is required to do this.

Secure our website in 5 easy steps.

Here are quick and easy steps you can take to ensure you have a secure website:

1) Remove the use of Tag management software

While tag management software allows for quick changes to websites without the need for development, it does add a security risk. Anyone who has access to this software can put malicious JavaScript code on your website.

2) Review all JavaScript code that is to be included on the website.

This is very time consuming and will require someone with expert knowledge of JavaScript. But without code reviewing every piece of code, you will not be able to guarantee that your website is secure.

3) Never allow 3rd party hosted JavaScript on your website.

If you are not in control of the hosting, you cannot guarantee that the code is the same code that you have reviewed. It is far more secure to download the 3rd party code, review it and then to host it.

4) Automatically check the JavaScript hosted on your website is the JavaScript that has been code reviewed.

There is always the possibility that your hosting or CDN may have been hacked. It can be found simply by an automated check and by comparing the JavaScript to review and highlight differences.

5) Monitor what information the JavaScript is sending to 3rd parties.

There is always a possibility that a security hole has been missed, so monitor the data to check that no personal data or credit card information is sent to untrusted servers.

Closing the article, I would like to point out that this is not the fault of JavaScript, which is just a development language used within browsers. It is the fault of hackers using the tools, that make the life of website owners easier, to their advantage. eCommerce owners especially, need to pay attention because if they don’t follow the steps to securing their website, they can lose the trust of their customers if a hacker takes control of JavaScript used on their website.

Jason Bramsden, COO & CTO at SQLI


© 2019 SQLI LTD. All Rights Reserved.