How do you reduce the risk associated with third-party Javascript, given the predominance of social sharing icons (like buttons, etc.)?

I have a marketing team that wants to use social sharing buttons (Facebook, G +, SU, etc.) on our website. The security group raised a point where I was embarrassed to admit that I had not really considered this before: since third-party JS is an attack vector, we should not download it directly from third-party servers.

Risk

As an example, I will use Facebook. Someone from FB may add some hidden backdoor code to view users or at least get their email and name from our website. DNS cache poisoning can be used to serve malicious Javascript instead of the expected FB library. Etc - there are probably a lot more attacks here.

Possible solutions

  • Host the JS locally (after checking it for security holes) and run curl + diff on cron to monitor for updates, checking each update before hosting it. This is not realistic, because FB and G+ load additional libraries from outside the site after their main library has loaded, and I have not found a way around that.

  • Don't use social sharing buttons?

Is there any best practice here? My first reaction is that, come on, these are Google and Facebook. If something maliciously happens to their shared buttons, the entire Internet will know about it in 0.001 seconds. What are you saying?

+4
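The "host it locally and run curl + diff on cron" option from the question, as an added example that is not part of the original post. The script pins a vendored copy of a third-party script to a reviewed SHA-256, re-fetches the upstream copy, and reports a diff only when the content drifts, so a reviewer looks at changes rather than at every run. The URL, file path and hash in the usage comment are placeholders; as the question itself notes, this only covers the script you fetch, not any further scripts it loads at runtime.

```shell
#!/bin/sh
# Added example, not code from the original post. Pins a vendored copy of a
# third-party script to a reviewed hash and reports drift from cron.
# Placeholder usage (hypothetical values):
#   check_upstream https://example.invalid/sdk.js vendor/sdk.js <pinned_sha256>

# SHA-256 of a file, portable across sha256sum (GNU) and shasum (BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_pinned <file> <pinned_sha256>
# Returns 0 when the file still matches the reviewed hash, 1 when it differs.
verify_pinned() {
    actual=$(file_sha256 "$1")
    [ "$actual" = "$2" ]
}

# check_upstream <url> <vendored_copy> <pinned_sha256>
# Fetches the upstream script to a temp file and compares it with the pinned
# hash. On drift, prints the new hash and a unified diff against the vendored
# copy to stderr so the change can be reviewed before the local copy is updated.
# Exit status: 0 unchanged, 1 changed (review needed), 2 fetch failed.
check_upstream() {
    url=$1; local_copy=$2; pinned=$3
    tmp=$(mktemp) || return 2
    # --fail turns HTTP errors into a non-zero exit; --max-time keeps cron from hanging.
    if ! curl --silent --fail --max-time 30 -o "$tmp" "$url"; then
        echo "fetch failed: $url" >&2
        rm -f "$tmp"
        return 2
    fi
    if verify_pinned "$tmp" "$pinned"; then
        rm -f "$tmp"
        return 0
    fi
    echo "upstream changed: $url (sha256 $(file_sha256 "$tmp"))" >&2
    diff -u "$local_copy" "$tmp" >&2
    rm -f "$tmp"
    return 1
}
```

Run it from cron with the pinned hash of the copy you reviewed; a non-zero exit (and the diff on stderr) is the signal to review the new upstream version before replacing the vendored file. The hash is updated by hand only after that review, so an unexpected upstream change never reaches the site automatically.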
3 answers

In fact, there is no universally accepted solution for this:

  • Blindly trust Facebook / Google / etc.
  • Do not use their scripts.
+4

If you load all libraries (and your entire site) over SSL, you are only vulnerable to malicious behavior on Facebook / Google's side.

You can trust them or not use the libraries and do it yourself using publicly documented URLs or their server APIs.

+3

Let's be realistic here. Although I know that something can happen, it is much more likely that your site will be hacked through a disgruntled employee injecting malicious code into it, or something similar, than that Google / Facebook / Twitter will be. It can happen, but the chances are pretty thin.

If the DNS of a client who visits your site is compromised and someone serves their own facebook.com A-record so that they can embed JavaScript in your site, that is the least of your worries. If I ran a malicious DNS server that people used, and I had malicious intentions, I would either target your site directly, by simply creating a site that looks like yours and sending all user data to my database, or I would go after banks and financial institutions. Injecting Facebook JavaScript would not be my main concern.

Again, this can happen, but in my opinion there are too many other, lower-hanging fruits to really worry about it. If you are under some kind of government regulation that makes you responsible for such things, it might be wise to play it on the safer side and simply not use them, or implement your own "similar" buttons using the Facebook APIs. I'm sure G+ and Twitter have similar non-JavaScript-based ways to do this.

+1

Source: https://habr.com/ru/post/1393852/
