What happens when a web service dies?
Equifax had used a service called Fireclick, referencing the domain netflame.cc
Fireclick was shut down in 2015 and the domain expired
2017: Fireclick domain delivers fake Flash installer malware
Idea: Scan web pages and check whether the domains referenced in script src attributes still resolve
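A minimal version of that scan, written as an added example for this page (it is not the original talk's tooling): it parses a page for script src references, keeps the hosts that differ from the page's own host, and asks DNS whether each one still resolves. The sample page, the host names www.example.com and cdn.example.net, the script paths, and the offline dead_host_resolver stand-in are constructed for the example; only netflame.cc comes from the page.

```python
# Added example (not code from the original talk): scan an HTML page for
# <script src=...> references, collect the third-party hostnames and check
# whether each one still resolves in DNS. A host that no longer resolves is a
# candidate for an abandoned service whose domain may later be re-registered.
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def third_party_hosts(html, page_url):
    """Hostnames of script src references that point away from the page's own host."""
    parser = ScriptSrcParser()
    parser.feed(html)
    own_host = (urlparse(page_url).hostname or "").lower()
    hosts = set()
    for src in parser.srcs:
        # urljoin resolves relative paths and protocol-relative "//host/x.js" forms
        host = urlparse(urljoin(page_url, src)).hostname
        if host and host.lower() != own_host:
            hosts.add(host.lower())
    return hosts


def host_resolves(host, resolver=socket.getaddrinfo):
    """True if the resolver returns at least one address (socket.gaierror is an OSError)."""
    try:
        return bool(resolver(host, None))
    except OSError:
        return False


def classify_hosts(hosts, resolver=socket.getaddrinfo):
    """Map each host to whether it still resolves; False marks a dead third-party reference."""
    return {host: host_resolves(host, resolver) for host in sorted(hosts)}


def dead_host_resolver(dead_hosts):
    """Offline stand-in for socket.getaddrinfo (constructed): fails for names in dead_hosts."""
    def resolver(host, port):
        if host in dead_hosts:
            raise OSError(f"constructed NXDOMAIN for {host}")
        return [("constructed", None, None, "", ("192.0.2.1", 0))]
    return resolver


# Constructed sample page: netflame.cc is the Fireclick domain named in the talk;
# www.example.com, cdn.example.net and the script paths are made up for the example.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script type="text/javascript" src="https://netflame.cc/tracker.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    # Live run: real DNS lookups for the sample page's third-party hosts
    for host, alive in classify_hosts(third_party_hosts(SAMPLE_HTML, PAGE_URL)).items():
        print(f"{host}: {'resolves' if alive else 'DOES NOT RESOLVE'}")
```

A resolution check only finds references that are already dead. As the Fireclick and Yahoo cases on this page show, a domain that still resolves needs a second look at who owns it now, since an expired domain can resolve again once someone else registers it.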
Yahoo Web Analytics was discontinued in 2012
Flickr still included their code in June 2017
Impact: Mostly harmless, domain still belongs to Yahoo
Non-existent Azure subdomain
Code included by dozens of web pages, mostly local US newspapers
Vast majority on two IP addresses by same company, contacted their abuse department
No answer, but code was removed within days
Biggest user of that script: Saline Courier
Tried to contact them via mail, no answer, code remained
Do not only look for domains that are already abandoned, but also for domains that may be abandoned in the future
How long will they keep their domain? And who will get it afterwards?
In the Equifax case they included code that apparently nobody had been using for years and nobody was
aware of. This is utterly irresponsible.
Ask yourself who's allowed to execute code on your webpage. Make sure you know and trust them.
If you include code from a service that no longer exists, it's quite obvious you don't know
what code is running on your webpage.
Third-party JavaScript Takeaways
- Know your third-party code
- Avoid third-party code if possible
- Remove unused or obsolete third-party code