Today’s websites typically rely on more than thirty third-party tags to provide the level of customer experience that consumers expect. What do these tags do? They are scripts developed by third parties that you include on your website, which let you rely on their expertise for specific functions and services without having to bring that expertise in-house. You get to focus on what you do best and your third parties get to do what they do best. Except there’s one major problem: browsers provide limited abilities to control third-party tags, which in turn exposes you to major security risks.

They’re an easy way in for malicious hackers to gain access to your website, and as we saw in the Magecart breach of British Airways last fall, when compromised, they can be used to steal customer data without being readily detected.

Why Third-Party Tags Make You Vulnerable

Third-party services are often added to websites by including a script, or JavaScript file, in your HTML code, but these scripts are exempt from the primary security control provided by browsers: the Same-Origin Policy. Broadly speaking, the same-origin policy dictates that content from one origin does not have access to content from another. For historical reasons, the same-origin policy does not apply to scripts; a script runs in the context of the web page that embeds it and can access almost any content on that page. In other words, if you put a third-party script into your code, it gains access to all the same content that your own first-party code has access to. This means every third-party tag has full access to all of your content and any sensitive information provided by the user.

Everything is exposed (cookies, PII, passwords): anything your code can access, the third party can access, too. If code from a third party loads on a webpage, your website is at risk.

That’s why the Magecart hacking group was able to insert 22 lines of code, pay for an SSL certificate to make their server seem legit, and get away with stealing 385,000 passengers’ transaction, credit card, and personal details for 15 days before they were detected by a manual code review. 

Ideally, your third parties are using the same security protocols in their infrastructure as you are, but the reality is that many are not. Most of them aren’t malicious; they are innocently vulnerable, and the unfortunate reality is that you need them to provide functionality essential to running a modern website.

Ultimately, however, you are responsible for the security of your customers’ data. 

So, what can you do to mitigate third-party tag exposure and security risks?

  1. Monitor. You can continuously monitor what data third parties get access to, what APIs they call, and how they are using the data. To do so, you need to have full visibility into their systems.
  2. Limit access. The native way the web makes access available is through an all-or-nothing approach. “Do you trust this third party? Yes or no?” If you respond “Yes”, you give full access. If not, they are denied all access. By providing attenuated access, or limited access, you give them access to only the content that they need to do their job. By doing so, you limit the amount of damage that can occur if they are hacked.

Instart provides controls that enable you to monitor and limit what cookies, form fields, and other parts of the browser DOM third parties can access. For example, if you have a third party that is monitoring the distribution of users from different countries, the only info they need access to is the location of the users. They do not need, nor should they have, access to all of your user data. They certainly should not be able to access your cookies and sensitive form fields like passwords and credit cards. With the Instart Tag Analytics and Control, you control what content they access.
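The country-distribution case above, sketched as an added JavaScript example (not code from the original page and not Instart's implementation): the tag is handed an attenuated view that exposes only allow-listed data and records every access attempt for monitoring. The `page` object, `attenuate`, the policy shape and the tag name are assumptions constructed for illustration, and the sketch assumes the tag can reach only this view and not the real `document`.

```javascript
// Added illustration: an attenuated, audited view of page data for one tag.
// `page` is a constructed stand-in for browser state, not a real DOM.
const page = {
  cookie: "session=abc123; country=DE; theme=dark",
  fields: { email: "a@example.com", password: "hunter2", cardNumber: "4111111111111111" },
  geo: { country: "DE" },
};

// Field names that are never released, even if a policy lists them.
const SENSITIVE_FIELD = /pass|card|cvv|ssn/i;

// Hypothetical helper. policy = { cookies: [...], fields: [...], props: [...] }
function attenuate(page, tagName, policy, log) {
  const record = (what, allowed) => { log.push({ tag: tagName, what, allowed }); return allowed; };
  const view = {
    getCookie(name) {
      if (!record(`cookie:${name}`, policy.cookies.includes(name))) return undefined;
      const hit = page.cookie.split("; ").map(p => p.split("=")).find(([k]) => k === name);
      return hit ? hit.slice(1).join("=") : undefined;
    },
    getField(name) {
      const ok = policy.fields.includes(name) && !SENSITIVE_FIELD.test(name);
      return record(`field:${name}`, ok) ? page.fields[name] : undefined;
    },
  };
  // Any other property is readable only if allow-listed, and only as a copy.
  return new Proxy(view, {
    get(target, prop) {
      if (typeof prop === "symbol") return undefined;
      if (prop in target) return target[prop];
      if (!record(`prop:${prop}`, policy.props.includes(prop))) return undefined;
      const value = page[prop];
      return value === undefined ? undefined : JSON.parse(JSON.stringify(value));
    },
  });
}

// The case from the text: a geo-distribution tag needs only the user's country.
function runGeoTag() {
  const log = [];
  const policy = { cookies: [], fields: [], props: ["geo"] };
  const view = attenuate(page, "geo-analytics", policy, log);
  const seen = { country: view.geo.country, session: view.getCookie("session"),
                 password: view.getField("password"), rawCookie: view.cookie };
  return { seen, denied: log.filter(e => !e.allowed).map(e => e.what) };
}

console.log(runGeoTag());
```

The `denied` list is the monitoring half of the approach: it shows what a tag tried to read beyond its policy, even though the read returned nothing.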

A limited-access approach reduces your security risk for third-party tags and helps you safeguard customer data, a responsibility customers entrust you with and count on you to uphold. Keeping your website secure by minimizing third-party tag access to data helps ensure your brand reputation is better protected when the next breach happens.

Learn how Instart can help you minimize third-party tag security risks today by requesting a personalized demo of Instart DX Cloud