The danger of third parties: ads, pipelines, and plugins

It may or may not be comforting to know that, ultimately, bulletproof security is out of your hands.

You can have the most locked down PC on Earth, have two-factor authentication (2FA) set up across the board, take sensible actions to protect your personal information, and read all the EULAs under the sun. You can do all this and more, and yet still end up being compromised. How? Welcome to the wonderful world of third parties.

Unsurprisingly, everything you use on a daily basis isn’t necessarily built by the same team. Companies buy off-the-shelf solutions to make technical product A send data to obscure server B. A health organisation might rely on a bespoke tool built by someone who left the company a decade ago, and nobody understands how to update the moving parts, so it gets left where it is (potential vulnerabilities and all).

A hacker may avoid going after the main software creator, instead deciding to poison the supply chain via fake update files planted where third-party developers congregate.

We’ll take a look at some of the most popular types of “don’t worry, this wasn’t your fault” dangers below.

Website bits and pieces

If you’re online and your browser is running default settings, you’re trusting that the web you’re interacting with has “benign and definitely not malicious, nope” as its default state. In reality, the sites you visit daily are made up of multiple moving parts, and not all of them are under the control of the webmaster.

The ads come from one company on the other side of the world, the half-dozen plugins that manage everything from comments to chatboxes are built by a half dozen other orgs and coders, and there’s a Content Delivery Network ensuring things like ads and other third-party content are served up quickly. In reality, the website is composed of equal parts from the webmaster and from other third parties.

If you’ve got no controls in place on your end, such as an ad blocker or other cybersecurity programs, that means that all of these bits and pieces of independent coding are free to work their magic, assuming magic is what they’re actually working. If one of them isn’t? You’re in trouble.

In 2015, a company whose code could be placed on websites to warn visitors about their use of ad blocking was compromised. An account for their CDN was phished, leading to some 500 publishers (website owners) offering up a fake Flash update. When the problem isn’t the website itself but the tools and services bolted onto it (in many cases designed to “optimise” or improve performance), it can spell disaster for both site visitors and the site’s reputation.
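To see how much of a page comes from somebody else, a site owner can inventory it. The following is an added example, not code from the original article: it lists the outside hosts a page loads scripts and frames from, and whether each script is pinned with a Subresource Integrity hash. The sample HTML and every host name are constructed, and treating any differing hostname as third-party is a simplifying assumption.

```javascript
// Added example: inventory the third-party code a page pulls in.
// SAMPLE_HTML and all host names are constructed for illustration.
const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.adnotice.example/detect.js"></script>
<script src="https://cdn.widgets.example/chat.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body>
<iframe src="//ads.adnetwork.example/slot?id=1"></iframe>
</body></html>`;

// Only tags that load executable or framed content are inspected.
const TAG_RE = /<(script|iframe)\b([^>]*)>/gi;

// Read one attribute value (double-quoted, single-quoted or bare) from a tag.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function inventoryThirdParties(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(TAG_RE)) {
    const tag = rawTag.toLowerCase();
    const src = attr(attrs, "src");
    if (!src) continue; // inline script or empty frame: nothing fetched
    const url = new URL(src, page); // resolves relative and //host forms
    if (url.hostname === page.hostname) continue; // first-party
    findings.push({
      tag,
      host: url.hostname,
      // An integrity hash makes the browser refuse a script whose bytes
      // have changed; frames cannot be pinned this way.
      pinned: tag === "script" && attr(attrs, "integrity") !== null,
    });
  }
  return findings;
}

// Hosts whose content the page runs or frames with no integrity check.
function unpinnedHosts(html, pageUrl) {
  const open = inventoryThirdParties(html, pageUrl).filter((f) => !f.pinned);
  return [...new Set(open.map((f) => f.host))];
}

console.log(inventoryThirdParties(SAMPLE_HTML, "https://www.news.example/"));
```

Every host returned by `unpinnedHosts` is a party whose compromise becomes the site's compromise, so the list doubles as a register of suppliers to vet.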

There’s also the all-too-common problem of ad networks falling foul of bad actors, pushing out scams and malware to people on the receiving end of bad ads. We’ve covered this kind of attack many times down the years, and it’s one of the primary movers of malvertising.

Supply chain attacks

Sometimes called pipeline attacks, these generally involve inserting yourself into the weak spot of an organisation’s business flow, compromising it utterly, then playing pass the parcel with bad files to others down the supply chain.

For example, a group of mobile developers might congregate on forum X, making tools or apps for mobile phone Y. The forum is compromised, basic files the forum supplies are switched out for something malicious, and now you have a situation where the developers are unknowingly sending malware-laden files onto the phone’s storefront. This tactic also helps confuse the blame game in the immediate fallout, because initial suspicions will probably be aimed at the innocent forum-dwelling developers.

There’s no end to the mischief that can be wrought in one of these scenarios, and they can end up being rather high profile. The onus here is on the organisation as a whole being responsible and checking all parts of their supply chain for vulnerabilities, leaky data, or other problems that can quickly impact everyone involved, including their customers.

Data breaches and third-party problems

There can’t be many of us who haven’t had some personal data exposed when a website or service has had its database compromised, because massive data grabs are sadly a fact of life. Even so, spare a thought for those having their info grabbed via our old friend “the third-party mishap.” Misconfigured or compromised plugins and additional tools aren’t just a risk for websites about cats—they also rear their head on widely-used services such as payment processors.

A customer support chat tool is a good idea for a payment system, right? Except not when a compromise takes place and the chat tool code is surreptitiously sending data to bad people. If a larger org asks a smaller one to build something to specification, they may well be relying on them to ensure their code is secure, as they probably won’t have access to its inner workings. The moment the developers lose control, that chaos is going to quickly spiral out of control.

Some good news?

Regardless of who did what, or which service on that side of the world was hijacked to cause issues for people on this side of the world, we still have some control over the impact wrought on our desktops, if nothing else. No matter how clever or sneaky the pipeline attack, you’ll still have to let a rogue ad past your ad blocker, or switch off your security tools and let some ransomware do its thing, or allow unknown files to run on your mobile device, or…well, you get the idea.

If you start digging into how fragile many of the services and networks we use on a day-to-day basis are under the hood, you might never go online again. There’s no point denying yourself the opportunities the web allows because of people up to no good, so concentrate on your own digital defences, and you’ll hopefully be in good standing no matter what disasters are befalling others behind the scenes.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.