92% of the world’s top websites expose customer data to Magecart

Tala’s Global Data at Risk: 2020 State of the Web Report indicates that sensitive data like PII and credit card information has never been more at risk – and security effectiveness is declining.

The global pandemic has seen the web take center stage. Banking, retail, lifestyle and healthcare are just some of the sectors that have seen large spikes in traffic, a trend that’s expected to become permanent.

But how well equipped are the world’s top websites to defend against the accompanying surge in client-side attacks? New research by Tala indicates a troubling lack of the security controls needed to mitigate the risk of data leakage.

Key findings from the Global Data at Risk: 2020 State of the Web Report are cause for concern:

  • JavaScript risk has increased in 2020. The average website includes content from 32 third-party JavaScript vendors. JavaScript powers the modern web and provides the framework for what renders on customer browsers, including images, style sheets, fonts, media and content from 1st party source- the site owner.
  • 58% of the content that displays on customer browsers is delivered by third-party JavaScript integrations identified above. This website supply chain leverages client-side connections that operate outside the span of effective control in 98% of sampled websites.
  • While other client-side attacks such as Magecart capture most of the headlines, no attack is more widespread than Cross-Site Scripting (XSS). This study found that 97% of websites are using dangerous JavaScript functions that could serve as injection points to initiate a DOM XSS attack.

Unintentional data exposure is increasing

In real terms, significant volumes of sensitive data are at risk from both theft and data leakage – and effective controls are rarely applied. For example, our analysis indicates that form data exposure is growing, despite multiple high-profile breaches:

  • Form Data, found on 92% of websites, expose data to an average of 17 domains – 10X more than intended.

To the casual observer, the phrase ‘form data’ might not sound too serious but this is PII, credentials, card transactions, medical records…the kind of data you’d reasonably expect to be accessible to a website owner’s servers, and perhaps a payment clearing house – not unintentionally to multiple third-party integrations. Finding a number nearly 10x greater is shocking. This seeming lack of awareness provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.

Without controls, every piece of code running on websites – from every vendor included in the site owner’s website supply chain – can modify, steal or leak information via client-side attacks enabled by JavaScript. In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge. Over 99% of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, with significant implications for data privacy and, by extension, GDPR and CCPA.

Standards-based security controls can prevent client-side attacks, but our research shows that they’re not widely deployed: just 30% of the Alexa top 1000 websites had implemented security policies and, of these, only 1.1% were found to have effective security in place, an 11% decline from 2019.

Where do we go from here?

Tala Security protects hundreds of millions of browser sessions every month from critical and growing threats, such as data leakage, cross-site scripting (XSS), Magecart, website supply-chain attacks, clickjacking and others. It does this by automating the deployment and dynamic adjustment of browser-native, standards-based security controls such as Content Security Policy (CSP), Subresource Integrity (SRI), HTTP Strict Transport Security (HSTS) and other web security standards.

The activation of browser-native security controls provides comprehensive security without requiring any changes to the application code and almost no impact to website performance. Tala serves large website operators in verticals such as financial services, online retail, payment processing, hi-tech, fintech and education.

To understand your risk exposure to Data Leakage including Magecart and other client-side vulnerabilities request a free comprehensive website risk assessment or demo today to gain thorough insight into how these threats impact your website and web applications today.

Download your copy of Global Data at Risk – 2020 State of the Web Report today!




*** This is a Security Bloggers Network syndicated blog from Tala Blog authored by Aanand Krishnan, CEO and Founder of Tala Security. Read the original post at: