Blog
Industry News, Insights and Resources
The latest industry news, interviews, technologies, and resources.
Featured blog posts
More than 490k websites targeted in web supply chain attack
The cdn.polyfill.io domain is currently being used in a web supply chain attack. It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users.
PCI DSS 4.0 complete guide and steps
PCI DSS 4.0 is built on six foundational principles aimed at fostering a secure environment for people making (and those facilitating) online transactions. Let's dive into all of them and see how you can be fully compliant.
The Segway cyber attack explained
In January 2022, the Segway web store suffered a web supply chain attack - also often referred to as a Magecart attack. In these types of attacks, malicious JavaScript code is added that loads from the client-side, known as third-party scripts. Many common tools are third-party scripts. Things like analytics, ...
Don't deploy scripts site-wide
Third-party scripts are often deployed site-wide, typically injected in the head tags in web frameworks like Next.js via the ’_document.js’ file. This widespread implementation, while convenient for developers and often recommended by onboarding guides, means these scripts run across the entire site. This is simpler to implement, but it also ...
What is an attack vector and what are hidden ones
An attack vector in cyber security is the way an attacker takes advantage of security weaknesses. Some are more obscure than others. One that’s been our focus, is third party JavaScript. Since these scripts are installed by the website owner yet executed in the visitors' browsers, they're in a unique ...
Web supply chain attack through trojanized jQuery on npm, GitHub and CDNs
Attacks have been found in trojanized jQuery on GitHub, npm and jsDelivr in a new web supply chain attack. Each package had a copy of jQuery with one small change: the ‘end’ function . This is part of the jQuery prototype, and was modified to include additional malicious code. In ...
How expired domains lead to cyber attacks
This is a multifaceted issue. Simply buying an expired domain isn't illegal. However, if a domain name is trademarked, then purchasing it (known as cybersquatting) could potentially breach copyright laws. But this of course will not defer attackers who usually remain anonymous and unnoticed.
The Polyfill attack explained
Recently over 490,000 websites were targeted in a web supply chain attack. We were amongst the first to report on this . NOTE: If a website is referencing the domains polyfill[.]io bootcss[.]com bootcdn[.]net or staticfile[.]org today, they are still open to this attack. What was the Polyfill service project? Polyfill ...
What is the browser supply chain?
C/side is a cyber security product that lives in the browser supply chain space. We and other vendors operating here, like to talk about that supply chain . But what do we mean by it exactly? The browser supply chain is the different components and processes that come together to ...
More than 490k websites targeted in web supply chain attack
The cdn.polyfill.io domain is currently being used in a web supply chain attack. It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users.
Why you can trust c/side
Script security is our bread and butter. For lots of vendors, serving the script is just a part of their product. We put every care and attention to detail in how we proxy, store and process scripts. We work to cover the blind spots that others might have missed.
The BrowseAloud Supply-Chain Attack: A Case Study in Cryptojacking
In February 2018, over 4,000 websites, including high-profile government bodies like the UK's Information Commissioner’s Office (ICO), fell victim to the BrowseAloud attack . This was not just another cybersecurity breach; it was a potent reminder of the hidden dangers of third-party scripts in our increasingly interconnected digital ecosystems. notionvc: ...
Why CSPs Are Not Enough
Content Security Policies (CSPs), scoped and promoted by the W3C , offer a browser-side feature designed to enhance web security. If implemented correctly, with specific rules per page, they can provide substantial security benefits. However, in practice, they tend to be cumbersome to set up, frequently break during local development, ...
Ticketmaster Data Breach Déjà Vu: What You Need to Know
Yesterday on May 29, 2024, news broke of an alleged data breach involving Ticketmaster , a prominent ticket sales and distribution company. The breach, reportedly executed by ShinyHunters , is claimed to have exposed the personal information of over 500 million customers. This breach includes sensitive data such as emails, ...
Supply Chain Risk Doesn’t End At NPM
Supply Chain attacks are a top of mind problem today. The number of these attacks in the US increased by 115% between 2022 and 2023, according to Statista . Tools like Socket and Coana detect harmful code in registries like NPM. But the supply chain risk doesn’t end there. However, ...
Kaiser Permanente Data Leak: A Case of Miscommunication and Inadequate Disclosure
On April 29th, healthcare giant Kaiser Permanente disclosed a data leak impacting 13.4 million current and former insurance members . The incident was rooted in improperly managed 3rd party scripts. The Incident Kaiser Permanente used tracking codes to monitor how its members navigated through its website and mobile applications. Some ...
Introducing c/side free tier BETA
We’re excited to announce the launch of c/side. Monitoring, Securing and Optimizing 3rd Party Scripts . In today's digital landscape, third-party scripts are a key part of the supply chain. Yet it is often forgotten about and therefore presents a threat. Browser Supply Chain Risks are an age old and ...
Cloudflare Page Shield vs c/side
This article takes an honest look at the features of Cloudflare Page Shield vs c/side.
Threat Feeds In The AI Era
Here’s what threat feeds are, and why it’s only a small cog in the cyber security machine in 2024. We also share the more complete solution to protect yourself from cyber attacks.
Jscrambler Webpage Integrity vs c/side
Other than other competitors providing a form of browser-side security almost as an afterthought, Jscrambler’s focus is similar to ours at c/side.
Akamai Page Integrity Manager vs c/side
Akamai Page Integrity Manager vs c/side. Which is better?
Imperva Client-side Protection vs c/side
Let’s take an honest look at the features of Imperva’s Client-side Protection product vs c/side.
The 2021 cdnjs Vulnerability in Detail
Checking 3rd party scripts sources is great, but not enough. That’s what the world learned in 2021, when a massive vulnerability in Cloudlfare’s cdnjs got noticed. Here’s the rundown of what, and how, it happened. Cdnjs is one of the most commonly used JavaScript Content Delivery Networks (CDNs) of today. ...
The risk of only protecting your payment portals from 3rd party javascript attacks
At this time, only payment portals are required to have a system to keep 3rd party JavaScript in check. But, there’s still a data breach risk if you don’t secure all pages.
PCI DSS 4.0 complete guide and steps
PCI DSS 4.0 is built on six foundational principles aimed at fostering a secure environment for people making (and those facilitating) online transactions. Let's dive into all of them and see how you can be fully compliant.