A survey from the web application security provider Tala Security revealed that cybercriminals are exploiting security vulnerabilities in websites to launch client-side attacks like Magecart, cross-site scripting, form-jacking, and credit card skimming. The survey “Global Data at Risk – 2020 State of the Web Report” stated these attacks exploit vulnerable JavaScript integrations that run on 99% of popular websites globally. Only 1.1% of websites were found to have adequate security measures in place, which is an 11% decline from 2019.
After analyzing the security posture of the Alexa top 1000 websites, the survey revealed that website data risk is on the rise, but most website owners fail to deploy the security precautions needed to defend against client-side attacks.
“Without controls, every piece of code running on websites – from every vendor included in the site owner’s website supply chain – can modify, steal or leak information via client-side attacks enabled by JavaScript. In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge,” the survey stated.
Other key findings include:
- The average website includes content from 32 third-party JavaScript vendors, up slightly from 2019
- 58% of the content that displays on customer browsers is delivered by third-party JavaScript integrations identified above. This website supply chain leverages client-side connections that operate outside the span of effective control in 98% of sampled websites. The client-side is a primary attack vector for website attacks today
- Despite increasing numbers of high-profile breaches, forms found on 92% of websites expose data to an average of 17 domains. This is PII, credentials, card transactions, and medical records. While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, Tala’s analysis shows that this data is exposed to nearly 10X more domains than intended. Nearly one-third of websites studied expose data to more than 20 domains
- While other client-side attacks such as Magecart capture most of the headlines, no attack is more widespread than Cross-Site Scripting (XSS). This study found that 97% of websites are using dangerous JavaScript functions that could serve as injection points to initiate a DOM XSS attack
- Over 99% of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. This has significant implications for data privacy, and by extension, GDPR and CCPA
- 30% of the websites analyzed had implemented security policies – an encouraging 10% increase over 2019
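Three of the findings above (third-party script vendors, the domains that form data reaches, and dangerous JavaScript functions usable as DOM XSS sinks) can be approximated with a static audit of a single page. The following is an added example, not code from Tala Security or the report; it assumes the page URL is known, treats any hostname other than the page's as third party, and uses form `action` targets as a stand-in for where submitted data goes (runtime network connections, which the report measures, need a browser or proxy to observe).

```javascript
// Added example (not Tala's methodology): static audit of one HTML document for
// third-party script hosts, form destination hosts, and DOM XSS sinks in inline JS.
const DOM_XSS_SINKS = ['innerHTML', 'outerHTML', 'insertAdjacentHTML',
                       'document.write', 'eval(', 'new Function('];

// Resolve a possibly relative URL against the page and return its hostname.
function hostOf(rawUrl, pageUrl) {
  try { return new URL(rawUrl, pageUrl).hostname; } catch (e) { return null; }
}

function unique(list) { return [...new Set(list.filter(Boolean))]; }

function auditHtml(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const scriptSrcs = [...html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)].map(m => m[1]);
  const formActions = [...html.matchAll(/<form\b[^>]*\baction\s*=\s*["']([^"']+)["']/gi)].map(m => m[1]);
  const scriptHosts = unique(scriptSrcs.map(s => hostOf(s, pageUrl)));
  const formHosts = unique(formActions.map(a => hostOf(a, pageUrl)));

  // Inline scripts are <script> elements without a src attribute; flag any line
  // that touches a known sink (a real scanner would also trace the source feeding it).
  const sinks = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    if (/\bsrc\s*=/i.test(m[1])) continue;
    for (const line of m[2].split('\n')) {
      for (const sink of DOM_XSS_SINKS) {
        if (line.includes(sink)) sinks.push({ sink, snippet: line.trim() });
      }
    }
  }
  return {
    thirdPartyScriptHosts: scriptHosts.filter(h => h !== pageHost),
    formDestinationHosts: formHosts,
    thirdPartyFormHosts: formHosts.filter(h => h !== pageHost),
    domXssSinks: sinks,
  };
}

// Constructed sample page; hostnames and paths are placeholders, not real sites.
const PAGE_URL = 'https://shop.example.com/checkout';
const SAMPLE_HTML = `<html><body>
<script src="https://www.googletagmanager.com/gtag/js?id=EXAMPLE"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example-vendor.net/widget.js"></script>
<form action="https://collect.example-analytics.com/submit" method="post"></form>
<form action="/checkout" method="post"></form>
<script>
  const q = location.hash.slice(1);
  document.getElementById('out').innerHTML = q; // URL-controlled data reaches a sink
</script></body></html>`;

console.log(JSON.stringify(auditHtml(SAMPLE_HTML, PAGE_URL), null, 2));
```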
Aanand Krishnan, Founder and CEO of Tala Security, said, “Websites generate massive volumes of high-value data, making them a primary target for attackers. The fundamental issue with today’s websites is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources. It’s imperative that organizations keep security top-of-mind and pay much closer attention to what has become a pervasive attack vector.”