Sensitive data, like personally identifiable information (PII) and credit card information, has never been more at risk, while security is becoming less effective, new research shows.
The vast majority of global brands fail to implement controls to prevent data leaks and theft, according to a report from Tala Security. The firm conducted an aggregate study of the Alexa 1000 to define statistically relevant insights that indicate mass vulnerability to client-side website attacks, like cross-site scripting (XSS), Magecart, formjacking, user data leakage, content integrity attacks, ad injections and session redirects.
With the global pandemic placing the web center stage, banking, retail and other industries have seen immense spikes in web traffic – a trend experts say will become permanent. Cyber attackers themselves have ramped up efforts to exploit the crisis. But despite countless precedents and record-breaking fines under data-protection legislation (i.e. GDPR), breaches continue to occur as businesses fail to deploy or correctly implement data protection.
Client side a primary attack vector for website attacks
The Tala
report reveals a troubling lack of security controls to prevent data theft and loss through client-side attacks like Magecart, formjacking, cross-site scripting and credit card skimming. All these attack vectors have one thing in common: vulnerable JavaScript integrations. And they run on 99% of the world’s top websites. Benchmarked against last year’s study, this year’s report indicates that security against JavaScript vulnerabilities is becoming less effective.
“Without controls, every piece of code running on websites – from every vendor included in the site owner’s website supply chain – can modify, steal or leak information via client-side attacks enabled by JavaScript,” the researchers said. “In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge.”
In another key finding, forms found on 92% of high-profile websites expose data to an average of 17 domains.
“This is PII, credentials, card transactions, and medical records,” the researchers said. “While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, Tala’s analysis shows that this data is exposed to nearly 10X more domains than intended. Nearly one third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.”
97% of websites are using dangerous JavaScript functions that could serve as injection points to initiate a DOM XSS attack, the study also found. While businesses have standards-based security controls to prevent such attacks, they are rarely applied, according to the data.
