The Risks of Using Third Party Resources on Websites

Data Privacy

The recent case of a website being fined by a German Court for violating the EU’s General Data Protection Regulation (GDPR), highlights the importance of organisations recognising the data privacy and security impacts of using third party resources on their websites.

In this case, the court ruled that by including remotely served Google fonts on their website, the visitor’s IP address will have been passed to Google without their consent and without a legitimate reason.

While the size of the initial fine was relatively small (€100), the site operator was threatened with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.

This ruling is particularly concerning given the sheer number of websites using the Google Fonts API, and the likely fact that this data could be logged, stored, processed, etc. outside the EEA. As the article notes:

Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.

The vast majority of websites using the Google Fonts API are unlikely to be requesting the permission of visitors for its use, which comes as no surprise given that so much emphasis on the data privacy front has been placed on cookies, while neglecting other third party resources like CDNs, DDoS mitigation services, embedded remote media, CSS, etc. All of these latter uses will at the very least reveal the IP address of the visitor being forced to load this content by simply visiting the website.

Cyber Security

Running third party resources on your website not only exposes it to data privacy risks, but also major cyber security risks, affecting confidentiality, integrity and availability. Third party JavaScript should be of particular concern, as the compromise of a third party JavaScript server can result in the injection of malicious code. As highlighted by the OWASP Foundation:

The invocation of third-party JS code in a web application requires consideration for 3 risks in particular:

• The loss of control over changes to the client application,
• The execution of arbitrary code on client systems,
• The disclosure or leakage of sensitive information to 3rd parties.

While full due diligence should be completed on the relevant third parties, defence-in-depth and zero trust approaches should also be adopted, with defensive controls such as code reviews, Subresource Integrity and use of a Content Security Policy.

Web and Application Component Analysis

Given the elevated risks to data privacy and cyber security, it’s critical that organisations maintain a thorough awareness and understanding of the risks involved in running third party resources on their websites and applications.

Modern day websites in particular often make use of multiple third party resources (some to an excessive degree when not not always necessary). This requires component analysis to understand and identify potential areas of risk from the use of these third-party resources. These actions should fall within an overall Cyber Supply Chain Risk Management framework, ensuring that third party resources remain untrusted by default.