![]() ![]() But, I wanted to lay out some facts about what is possible by including code like this on a website. Is this happening? That's not up for me to decide. ![]() But, it could also be the case that in 0.1% of the time this code serves up functionality for espionage. It could very well be the case that in 99.9% of the time the TikTok marketing pixel JavaScript embed acts just as expected: it tracks visitors online habits for marketing/advertising purposes. ![]() Is this code malicious? The US and other world governments seem to think so. Getting back to TikTok, CSP and SRI won't help, because companies are intentionally injecting this code into their websites. CSP and SRI together prevent a modified resource from loading in the browser, and prevent the code from communicating with unknown parties. The defense against MageCart-style attacks is to use a Content Security Policy (CSP) and Sub-Resource Integrity (SRI) hashes to secure this code. Data that can be stolen is anything entered into the site: usernames, passwords, credit cards, etc. Threat actors like #MageCart have for many years now breached third-party JavaScript like this to steal data from the visitors of the website loading the malicious JavaScript. Visiting TikTok's "Getting Started" page shows the marketing pixel code that is embedded in a website, which is indeed a blob of JavaScript with third-party included assets. It's important to understand that "marketing pixels" are often in reality a blob of JavaScript code that executes on the target website. I've seen some threads commenting that the #TikTok marketing pixel can't be used to steal data. ![]()
0 Comments
Leave a Reply. |