Blog
In January 2022, the Segway web store suffered a web supply chain attack, also often referred to as a Magecart attack. In these attacks, malicious JavaScript is injected into code that loads client-side, typically through third-party scripts. Many common tools are third-party scripts: analytics, ...
Third-party scripts are often deployed site-wide, typically injected into the head tag; in web frameworks like Next.js this is done via the `_document.js` file. This widespread placement, while convenient for developers and often recommended by onboarding guides, means these scripts run on every page of the site. This is simpler to implement, but it also ...
An attack vector in cyber security is the way an attacker takes advantage of a security weakness. Some are more obscure than others. One that has been our focus is third-party JavaScript. Since these scripts are installed by the website owner yet executed in visitors' browsers, they are in a unique ...
Trojanized copies of jQuery have been found on GitHub, npm and jsDelivr in a new web supply chain attack. Each package contained a copy of jQuery with one small change: the `end` function, part of the jQuery prototype, was modified to include additional malicious code. In ...
This is a multifaceted issue. Simply buying an expired domain is not illegal. However, if a domain name is trademarked, then purchasing it (known as cybersquatting) could potentially breach trademark law. But this of course will not deter attackers, who usually remain anonymous and unnoticed.
Recently over 490,000 websites were targeted in a web supply chain attack. We were amongst the first to report on this. NOTE: If a website is referencing the domains polyfill[.]io, bootcss[.]com, bootcdn[.]net or staticfile[.]org today, it is still open to this attack. What was the Polyfill service project? Polyfill ...
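A quick way to act on that note is to scan your own markup for references to those four domains. The following is an added example written for this page, not c/side's tooling: it pulls `src`/`href` values from `<script>` and `<link>` tags in a constructed HTML sample and flags any that resolve to the listed domains or their subdomains. The sample page and the `example.invalid` origin are made up; the domain list is the one from the note above.

```javascript
// Added example (not from the post): flag markup that still loads from the domains
// named in the note above. Matching is by registrable-domain suffix, so cdn.polyfill.io
// is caught while look-alikes such as notpolyfill.io are not.
const COMPROMISED_HOSTS = ['polyfill.io', 'bootcss.com', 'bootcdn.net', 'staticfile.org'];

function hostMatches(hostname, suffix) {
  const h = hostname.toLowerCase();
  return h === suffix || h.endsWith('.' + suffix);
}

// Pull src/href values from <script> and <link> tags. A regex is adequate for a quick
// audit of static markup; scripts injected at runtime need a DOM walk in a real browser.
function extractResourceUrls(html) {
  const urls = [];
  const tagRe = /<(script|link)\b[^>]*>/gi;
  const attrRe = /\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attr = attrRe.exec(tag[0]);
    if (attr) urls.push(attr[2] ?? attr[3] ?? attr[4]);
  }
  return urls;
}

// Resolve each reference against the page origin (so protocol-relative "//cdn..." URLs
// are handled) and report the ones that land on a compromised domain.
function findRiskyReferences(html, pageOrigin = 'https://example.invalid') {
  const flagged = [];
  for (const raw of extractResourceUrls(html)) {
    let url;
    try { url = new URL(raw, pageOrigin); } catch { continue; }
    if (!/^https?:$/.test(url.protocol)) continue; // data:, blob: etc. are not remote loads
    const matched = COMPROMISED_HOSTS.find((h) => hostMatches(url.hostname, h));
    if (matched) flagged.push({ url: url.href, matched });
  }
  return flagged;
}

// Constructed sample page; hostnames other than the four above are placeholders.
const SAMPLE_HTML = `
<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<link rel="preload" as="script" href="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js">
<script src="https://cdn.staticfile.org/vue/2.6.14/vue.min.js"></script>
<script src='https://notpolyfill.io/looks-similar.js'></script>
<script src="https://polyfill.io.example.invalid/x.js"></script>
<script src="/static/app.js"></script>
<script src="data:text/javascript,void(0)"></script>
</head><body></body></html>`;

const RISKY = findRiskyReferences(SAMPLE_HTML);
console.log(RISKY); // three hits: cdn.polyfill.io, cdn.bootcss.com, cdn.staticfile.org
```

Run it over the served HTML of each page template rather than the source tree: tag managers and CMS plugins add script tags that never appear in your repository.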
c/side is a cyber security product that lives in the browser supply chain space. We and other vendors operating here like to talk about that supply chain. But what do we mean by it exactly? The browser supply chain is the different components and processes that come together to ...
The cdn.polyfill.io domain is currently being used in a web supply chain attack. It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code into the scripts served to end users.
Script security is our bread and butter. For many vendors, serving the script is just one part of their product. We put every care and attention to detail into how we proxy, store and process scripts, and we work to cover the blind spots that others might have missed.
In February 2018, over 4,000 websites, including high-profile government bodies like the UK's Information Commissioner’s Office (ICO), fell victim to the BrowseAloud attack. This was not just another cybersecurity breach; it was a potent reminder of the hidden dangers of third-party scripts in our increasingly interconnected digital ecosystems. ...
Content Security Policies (CSPs), specified and promoted by the W3C, are a browser-side feature designed to enhance web security. If implemented correctly, with specific rules per page, they can provide substantial security benefits. In practice, however, they tend to be cumbersome to set up, frequently break during local development, ...
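To make concrete what "specific rules per page" means, and where the fiddliness comes from, here is an added example (not from the post and not c/side's code): a small evaluator for the `script-src` part of a CSP that decides whether a given script would run under a constructed checkout-page policy. It covers `'self'`, `'none'`, `'unsafe-inline'`, `'nonce-…'`, scheme sources and host sources with wildcard subdomains, ports and a path prefix; hash sources and `'strict-dynamic'` are not handled, and path matching is a simplified prefix check rather than CSP3's segment comparison. The policy, page URL and hostnames are made up for the example.

```javascript
// Added example (not from the post): evaluate script-src from a CSP header against
// concrete scripts. Simplifications relative to the CSP3 spec are noted inline.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Split a header value into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // CSP3: first occurrence wins
  }
  return directives;
}

// A scheme in the policy also permits its secure upgrade (http: allows https:).
function schemeMatches(wantProto, gotProto) {
  return wantProto === gotProto || (wantProto === 'http:' && gotProto === 'https:');
}

// Match one scheme-source or host-source expression against a resolved URL.
function hostSourceMatches(expr, url, page) {
  if (expr === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeOnly) return schemeMatches(schemeOnly[1].toLowerCase() + ':', url.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const wantProto = scheme ? scheme.toLowerCase() + ':' : page.protocol; // no scheme: the page's own
  if (!schemeMatches(wantProto, url.protocol)) return false;
  const got = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (wildcard ? !got.endsWith('.' + want) : got !== want) return false; // *.a.com does not match a.com
  if (port === undefined) { if (url.port !== '') return false; } // no port: only the scheme default
  else if (port !== '*' && port !== (url.port || DEFAULT_PORT[url.protocol])) return false;
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// script is { src } for an external script or { inline: true } for an inline one,
// optionally with a nonce attribute; pageUrl is the document the script appears in.
function isScriptAllowed(header, script, pageUrl) {
  const page = new URL(pageUrl);
  const csp = parseCsp(header);
  const sources = csp.get('script-src') ?? csp.get('default-src');
  if (!sources) return true; // no governing directive: unrestricted
  if (sources.includes("'none'")) return false;
  const nonces = sources.filter((s) => /^'nonce-.+'$/i.test(s)).map((s) => s.slice(7, -1));
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  if (script.nonce && nonces.includes(script.nonce)) return true;
  // CSP3 ignores 'unsafe-inline' once a nonce or hash source is present.
  if (script.inline) return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  let url;
  try { url = new URL(script.src, page); } catch { return false; }
  if (sources.includes("'self'") && url.origin === page.origin) return true;
  return sources.some((s) => !s.startsWith("'") && hostSourceMatches(s, url, page));
}

// Constructed checkout-page policy (hypothetical hosts) and a few scripts to evaluate.
const PAGE = 'https://shop.example.invalid/checkout';
const POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' " +
  "https://cdn.example.invalid/libs/ *.analytics.example.invalid; object-src 'none'";

const VERDICTS = {
  ownBundle:       isScriptAllowed(POLICY, { src: '/static/app.js' }, PAGE),                           // true
  pinnedLib:       isScriptAllowed(POLICY, { src: 'https://cdn.example.invalid/libs/jquery.js' }, PAGE), // true
  libWrongPath:    isScriptAllowed(POLICY, { src: 'https://cdn.example.invalid/other/x.js' }, PAGE),   // false
  polyfillCdn:     isScriptAllowed(POLICY, { src: 'https://cdn.polyfill.io/v3/polyfill.min.js' }, PAGE), // false
  analyticsSub:    isScriptAllowed(POLICY, { src: 'https://t.analytics.example.invalid/t.js' }, PAGE), // true
  inlineNoNonce:   isScriptAllowed(POLICY, { inline: true }, PAGE),                                    // false
  inlineWithNonce: isScriptAllowed(POLICY, { inline: true, nonce: 'r4nd0m' }, PAGE),                   // true
};
console.log(VERDICTS);
```

Every allowed host, path and nonce in that policy is a decision someone has to make and keep in sync with the page, which is exactly why a per-page policy breaks the moment a tag manager adds a script or a local build serves from a different origin.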
Yesterday, on May 29, 2024, news broke of an alleged data breach involving Ticketmaster, a prominent ticket sales and distribution company. The breach, reportedly carried out by ShinyHunters, is claimed to have exposed the personal information of over 500 million customers. The exposed data includes sensitive information such as emails, ...
Supply chain attacks are a top-of-mind problem today. The number of these attacks in the US increased by 115% between 2022 and 2023, according to Statista. Tools like Socket and Coana detect harmful code in registries like npm. But the supply chain risk doesn’t end there. However, ...
On April 29th, healthcare giant Kaiser Permanente disclosed a data leak impacting 13.4 million current and former insurance members. The incident was rooted in improperly managed third-party scripts. The incident: Kaiser Permanente used tracking codes to monitor how its members navigated its website and mobile applications. Some ...
We’re excited to announce the launch of c/side: Monitoring, Securing and Optimizing 3rd Party Scripts. In today's digital landscape, third-party scripts are a key part of the supply chain. Yet they are often forgotten about, and therefore present a threat. Browser supply chain risks are an age-old and ...
This article takes an honest look at the features of Cloudflare Page Shield vs c/side.
Here’s what threat feeds are, and why they are only a small cog in the cyber security machine in 2024. We also share a more complete approach to protecting yourself from cyber attacks.
Unlike other competitors, which provide a form of browser-side security almost as an afterthought, Jscrambler’s focus is similar to ours at c/side.
Akamai Page Integrity Manager vs c/side. Which is better?
Let’s take an honest look at the features of Imperva’s Client-side Protection product vs c/side.
Checking third-party script sources is great, but not enough. That’s what the world learned in 2021, when a massive vulnerability in Cloudflare’s cdnjs was discovered. Here’s the rundown of what happened, and how. cdnjs is one of the most commonly used JavaScript Content Delivery Networks (CDNs) today. ...
At this time, only payment portals are required to have a system to keep third-party JavaScript in check. But there’s still a data breach risk if you don’t secure all pages.
PCI DSS 4.0 is built on six foundational principles aimed at fostering a secure environment for people making (and those facilitating) online transactions. Let's dive into all of them and see how you can be fully compliant.