A Hidden Website & Security Risk
A few months ago, we published an article on page speed: “The Truth About Website Page Speed” (link below). In that article we decry the rise of automated website speed scoring tools to reflect on the parts of page sped that matter. A part of page speed that matters is clean code. The usability of a site is enough to warrant a serious look into how the cleanliness your code is impacting the user experience. But there’s more … a lot more, and it is mission-critical stuff.
There are three ways in which the cleanliness of your website code matters:
- User Experience (previously covered here)
- Security Risks (this article)
- Google Dominance in Search and Browsers (covered next)
These three reasons that you should worry about code cleanliness are, in a way, related. But they are also very different. The topic for today is the most over-looked aspect — website and web application security.
Dirty, Dirty Code
Far too many businesses like to think of websites as “write, publish, and forget it” … repeat every few years. But once we sit and think about it, we realize that websites are always changing. And we’re not talking about simply posting new content or adding pages. Your website is not “just” a website at all. It is filled with links to other things. It loads images and fonts and dynamic content from outside sources. It calls to databases that are updated regularly. It has apps and widgets and plugins that perform various functions. It has tracking tools and analytics packages that deploy custom JavaScript pulled from outside servers.
As all of these kinds of things change over time — services are added or taken away, images and fonts swapped out, and code bits become fragmented and layered. Think of it like sedimentary layers deposited over time at the mouth of a river. Unused code and calls are deposited and never removed. This can, over time, make sites run slow. Rarely does this sediment of code ever get cleaned up until the site is noticeably slower. The slowness is one thing. But it’s a security risk too.
Bad Code Phone Home
What makes all of the services work on a website are lines of code. Many of these are external calls. An external call is any time the code of your website makes a connection to another server. This external server can be anywhere in the world. It might be located right next door in the same datacenter. But in the age of the cloud, it is far more likely to be hundreds or even thousands of miles away. This is not a problem … not at all. But it can quickly become one.
No matter how secure your website and infrastructure, when your website makes an external call it is interacting with another server on another network … things that your team has no control over. With each external call, your website is conducting an access and authorization exchange process that involves passing credentials back and forth and then receiving or sharing data as a result. This means that every external call carries some form of risk.
External calls become a problem in the following circumstances:
- Security is not considered during vendor selection.
- Services are called that are no longer active.
- Services are redirected.
- Content is called that is no longer used.
- Services are discontinued, but the calls are not removed.
- Duplicating service calls.
Our team has performed literally hundreds of Security Audits and Website Evaluations. Here are examples of risk exposure for each external call instance.
Security Not Considered During Vendor Selection
If you have a small business website, it might be a simple content-driven site with a contact form. But if your business is larger, it can be a complicated endeavor with specialized apps and integration requirements from marketing, finance, operations, human resources, etc. If you are like most companies, departments choose the vendors that they do business with based upon things like features, usability, cost of deployment, and ROI. If an app, new software, or integration meets those requirements, then IT is tasked with coordinating the installation and integrations.
But if the security policies and practices of that vendor are not properly considered and verified, you are allowing your website to connect with a security risk. In short, over time your website risk profile lowers to the least secure application that your servers interact with.
Services Are No Longer Active
Systems and servers are updated regularly. This means that APIs can change. Sometimes the entire syntax changes. In order to maintain the same services, new code must be added. In our work, we have found that quite often the old external calls are not fully or properly removed when the new or updated services are added.
This is true even in cases where the service vendors have tools and automated scripts to aid in the process. In short, all external calls on your website should be reverified and updated regularly to ensure that the old calls have been completely removed and new calls have been installed securely.
Services Are Redirected
In order to prevent service interruptions, vendors will often redirect external calls when they make significant changes or datacenter/server migrations. They are doing this to accommodate their customers and give them time to update their systems. Redirected services can be temporary or permanent. We have seen a single external call redirected as many as four times in the page code. This means that the service has changed virtual and/or physical location four times, but the code in the website was never updated in the code.
In short, your website can be calling out to a service and bouncing to several different internet locations before getting the connection established. There is no guarantee that each of those locations will be maintained indefinitely, magnifying the risk with each iteration.
Content No Longer Used
Some apps and services let your website autoload content from external sources. It is also common for images and fonts to be used for a while and then replaced — especially in eCommerce applications. That content can be delivered from a separate server or even a purchased service.
For example, it is common for the code pointer to be pointed to a new hero image without removing the external call for the previous image. The site is still calling out for an image that is not displayed. It may seem strange to think of an image as being a security risk. There was a slew of these kinds of attacks five to ten years ago. But consider, in January 2021, a security researcher identified a vulnerability in Windows 10 that exposed a security vector as soon as an icon image was opened.
Content that is being called but no longer being displayed is, by definition, undetectable in normal website usage. It has to be looked for. If such an external call was hijacked (redirected) to a non-secure location. We have placed links to the Microsoft vulnerability mentioned here — along with others — in the Links and Resources section at the bottom of this article.
Discontinued Integrations
One of the most common potential risk vectors in external calls is related to the discontinuation of apps or services. This is especially true today since most third-party solutions offer free trials and development licenses with automated installers. This risk is perhaps greatest in website platform solutions with large app-stores. It is easy to experiment with various front-end and back-end applications, services, and integrations quickly and cheaply.
If a free trial is discontinued, the third-party solution stops working and the invoices stop. But we have found it more and more troubling how many times the application is not fully and professionally removed/uninstalled. During our professional security audits, our team has discovered tons of integrations for data analytics and visitor-tracking. Sometimes the companies that provided those services are no longer even conducting business. This means that the server we were auditing was calling out thousands of times each day to a URL for a now-defunct company whose assets have been liquidated, their IP addresses reassigned, and their domain unmaintained.
Duplicated Service Calls
Our team just completed a website audit where the application was making an external call to a major video streaming service to play a video on the web page. This integrated appl was not working properly at first due to an unknown reason. The decision was made to reinstall the application. Ultimately, the service was installed four times before it worked as intended.
The issue became apparent when we could see that four copies of the JavaScript and downloader ran each time the page was loaded with three of service call sets failing or canceling before completion — while the fourth set of code operated as intended.
At first, such a situation is a matter of page slowness. But as we saw in the previous sections, unseen defunct code is not updated. An application or code that is not maintained runs a far higher risk of developing into a security vulnerability.
Conclusion
Unused, defunct, and unmaintained code is a security vulnerability. This is true of your website, applications, databases, and network. The only defense is disciplined diligence. If you need help auditing and identifying the risks to your business website or systems, give us a call. We are always happy to help.
Links and References
The Truth About Website Page Speed” — Our article from September 2020
https://www.iowacomputergurus.com/insights/article/the-truth-about-website-page-speed
The Verge: “Microsoft to fix Windows 10 bug that can corrupt a hard drive just by looking at an icon,” reported January 15th, 2021:
https://www.theverge.com/2021/1/15/22232589/microsoft-ntfs-windows-10-bug-icon-file-flaw-vulnerability-comment
Mozilla Security Advisory, “Memory corruption while rendering grayscale PNG images,” reported in April 2013:
https://www.mozilla.org/en-US/security/advisories/mfsa2013-39/