Akamai Diversity

The Akamai Blog

Security Bulletin: Third-Party Plugins Ripe for Attack

In a new bulletin released this morning, Akamai researchers outlined a threat in which malicious actors use vulnerabilities in third-party plug-ins to target the large websites that utilize them. Such exploits require little technical skill and are highly effective.

Instead of targeting a high-traffic website directly, attackers simply target the third-party advertising company, content network or provider used by the site.

High-profile sites are common targets and their security posture is tougher than the average site. But they also use third-party content providers whose security is less than ideal. Those who manage a major website put a lot of effort into fortifying the front entrance. But the third-party content they use are like open windows in the back of the building.

Akamai CSIRT Manager Mike Kun described the problem in this podcast recently.

"Bad actors are looking at what other services the website is using," he said. "A simple one is DNS. If the attacker can compromise the registrar a site is hosted with, they can easily change the IP address mapping and point that at some other site."

The method of attack against the third party may be through domain hijacking, phishing, application-layer attacks or any of the various methods to compromise a provider. Once that provider is compromised, there isn't anything more the attacker needs to do in order for their target to be attacked. The third-party provider unwittingly does it for them.

Attackers will look at what content is being dynamically ingested into a site, and look to compromise one of those providers. If the target site blindly trusts the content being sent from a provider, the attacker knows the site can be compromised by malicious content sent by the provider.

The attack code will frequently be a form of malware viewers unwittingly load onto the site. If the targeted site gets millions of views per day, a significant botnet can be created in a short amount of time.

The best defense in this situation is proper planning.

Plan what to do with the site when this attack hits. What happens to the site when a plugin will not load? Does the rest of the page load correctly around it? Or does the whole site wait for the plugin code to be delivered, effectively creating a DoS condition for the site?

Consider if the plugin is compromised. What is the plan to eliminate the plugin but keep the site running?

One possibility is to have a static version of the site ready to go, so no dynamic code can be pulled in from the third party source and continue to compromise the site or customers or both.

Be ready and have a plan for a compromised third-party provider. Whether that means the site does not load or the plugin is compromised, be ready to have an alternative that will keep the site running fast and smooth.

Obviously, the best scenario is one in which these things don't happen in the first place.

To that end, we recommend site owners research the plugins they want to use before deploying them. Ask the third-party provider what they use for security measures. If their response is less than ideal, find another provider that will address the concerns more clearly.

An internal report detailing this activity has been submitted to all Akamai managed security customers.