Taking a Closer Look at Third-Party Content Injection
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Taking a Closer Look at Third-Party Content Injection

Third-Party Content Injection can be dangerous, but it’s easily prevented.

Have you ever noticed a familiar website acting strangely? Maybe you saw an ad floating in the corner that you never noticed before. Or there was a persistent bar across the top of the site with a message from another company. If you have ever seen this you were likely seeing third-party content injection in action.

Third-party content injection is a method of modifying data in a connection—and it often has negative effects. The practice is used by all sorts of groups, including ISPs (Internet Service Providers) and malicious users. Frankly, it’s important to understand how content injection can be used in an online attack and how you can protect your users against this threat.

In an unsecure HTTP connection, the user’s browser and the web server send data back and forth without protecting it. If a third-party has access to the connection, it can easily modify it. A good example would be your local network provider, which is a third-party that can easily view and modify all HTTP content if it chooses to.

Remember, with an unencrypted connection (meaning over HTTP) your data is essentially public to anyone else on your network or providing your connection. When someone other than the user or server adds or changes the data, that’s third-party content injection.

If you are familiar with computer networking, then you know data is sent and received in “packets.” When third-party content injection occurs, the third party is modifying, removing, or adding packets so that the user or web server receives different information than intended.

Content injection is often practiced by “edge ISPs.” These are service providers operating a user’s local network. Think Wi-Fi hot spots at coffee shops, hotels, airports, and on airplanes. If you’ve ever been on a network like that and seen an out-of-place ad, then you have experienced content injection.

Usually, these ISPs are just injecting ads into sites to make money. That may not sound so bad, but it allows them to profit at your users’ expense. Many users, especially ones new to your site, may not even realize that you aren’t the one showing them those pesky ads. Keep in mind, as innocuous as this practice may seem, at the end of the day it’s affecting the integrity of your website.

ISPs have also been found silently injecting “super cookies” which track users across websites, and even across multiple networks, so that they can develop ad profiles and collect metrics without the user’s clear consent.

Third-Party Content Injection
An example of unwanted content injection. Here, an AT&T Hotspot is injecting two ads onto every website the user visits. The user likely associates this annoying behavior to the website itself, and not the hotspot network. (Source: Webpolicy.org)

Malicious attackers also love to use content injection. A determined attacker that can gain access to some leg of an HTTP connection can easily execute a content injection attack. By performing “packet inspection” – a fancy way to say looking at the data being transferred – an attacker can add their own malicious data into the connection. For instance, they could easily create a new packet containing malware and tell the user’s browser it originated from the server. And that’s just one of a number of nasty things an attacker could do.

Here’s a famous example of third-party content injection: in a particularly complex attack known as the Great Cannon, China’s government was found to be using content injection to crash Github’s website. In China, the government controls Internet access, which allows them to be a third-party to all Internet traffic. In the Great Cannon attack, China’s network would use content injection to send a Javascript file to users, disguised as another file belonging to the website they were accessing. When executed the Javascript file would attempt connections to Github. By distributing this file to thousands of users they strained Github’s network. In this case, third-party content injection was used as a weapon, turning everyday users into attackers without them even knowing.

How SSL Prevents Third-Party Content Injection

When a user connects to a website using SSL, a secure HTTPS connection is established. This secure connection encrypts all the data exchanged between the user and that website’s server. When the data arrives at either end of the connections, it’s decrypted and read. But while traveling across the internet, the data is almost impossible to intercept or manipulate.

This stops content injection attacks in two ways. First, most content injection methods require the attacker to “listen” to the connection—meaning they are reading the data as it’s sent. If that data is encrypted, no third-party can read it. This means the attacker has no idea where or when it should be injecting its forged data.

If the attacker decided it wanted to attempt the attack blindly, it would still fail. The SSL connection inspects all data it receives for authenticity, using the same mathematical processes it uses for encryption. This allows the user’s browser to know if any data was forged by a third party and reject it, silently defeating the attack.

A Secure Connection is a Good Connection (or: A Safe User is a Happy User)

Third-Party Content Injection is, obviously, bad, but think about what is really happening: a third-party can, and is, interfering with your user’s connection. Once a third-party has that type of access they can do anything they want, including placing ugly ads on your site, stealing login cookies so they can impersonate your users, or even secretly sending them malware. That’s a risk you can’t afford to be taking.

HTTPS connections using SSL maintain data “integrity.” That means your website looks the same and sends the same data to all your users. It also means no one else can read that data or modify that data.

You’ve probably spent hours perfecting your website. Maybe you even got into a passionate discussion about whether the buttons should have square corners or rounded corners. The last thing you want is your entire user experience being ruined by an ugly ad or dangerous malware.

By using SSL you give your users a bundle of security benefits. Not only is their connection encrypted, preventing any unwanted parties snooping or stealing their data, they also have ensured data integrity, which means no content injection. Best of all, this all happens automatically and in the background, meaning your users are free to enjoy the experience you intended them to have on your website.