Fixing the Leak: How to prevent JavaScript Eavesdropping - Security Boulevard

We’re not in the information age anymore. We’re in the information management age. – Chris Hardwick

How true that statement is. No longer are we in awe of the vast amount of information available at our fingertips or in our pockets. The Internet, smartphones, and a generation raised with both are revolutionizing how information is gathered and distributed.

Privacy laws such as GDPR, CCPA, and SHIELD attempt to regulate how personal information is managed: requiring that users be notified about the intent, breaches, storage, and quantity of the information gathered is helping individuals and businesses manage their online “profile.”

Managing information can be stressful, difficult, or even impossible depending on what services you’re using on your website. This is because as third-party services for social media, analytics, conversion tracking, advertisements, or customer support tools are added to your website, the visibility into what information is being skimmed becomes ever cloudier. The Source Defense Security Platform records all actions taken by JavaScript services running on your website. This gives you complete control over information skimming and ultimately helps maintain information privacy compliance.

The platform records “violations” of the policies set in place to protect against and prevent eSkimming, formjacking, and Magecart-style attacks. As a result of this prevention method, we can see violations which originate not only from a malicious actor or group, but from seemingly innocent JavaScript. To illustrate this point, let’s take a look at a social media service being used on one of the country’s largest fast-casual takeout restaurant websites:

Read attempts are blocked at this target:

INPUT:first-of-type

This means our security platform is preventing all skimming of visitor information from any input elements (fields, forms, checkboxes, etc.) on this page. Without our security platform running on this website, the information entered at any point on the page would be skimmed by this social media service. This potentially puts the website owner at risk of compliance violations, or worse, Magecart attacks.

So, just how prevalent are these eavesdropping activities by JavaScript running on any given website? Let’s take a look at some numbers for context.

Popular Fast-Casual Food Chain – 28-day period (11/23–12/21)
24 violations per pageview (5.38M pageviews)

High-end Outdoor Performance Gear Company – 28-day period (11/23–12/21)
4.4 violations per pageview (141K pageviews)

Top Small Kitchen Appliance Company – 28-day period (11/23–12/21)
8.8 violations per pageview (680K pageviews)

Men’s Lifestyle Clothing and Accessories – 28-day period (11/23–12/21)
14.2 violations per pageview (1.6M pageviews)

These violations are a mixture of read and write events, which indicate that, beyond its intended function, third-party JavaScript is taking advantage of the access it is given on the page(s) where it runs. Without the Source Defense Client-Side Website Security Platform in place, managing information on these websites would be extremely difficult. Our real-time detection and prevention technology not only prevents malicious attacks, but also prevents sensitive visitor information from being gathered and used outside of your organization, which would put your business at risk of privacy violations, lawsuits, or both.
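To make the mechanism behind the INPUT:first-of-type policy and the per-pageview figures concrete, here is an added example; it is not code from Source Defense or from the original post. It models a per-origin read/write policy for input elements, a guard that intercepts every access to an element's value and records a violation when the policy denies it, and an aggregation of those violations into "violations per pageview". The site origin (https://shop.example), the guard script URL, the third-party origins, the stack traces, and the plain-object stand-in for a DOM input are all constructed for the example, and attributing an access to a script by reading the caller's URL out of a stack trace is a common heuristic assumed here, not a description of how the platform does it.

```javascript
// Added example (not Source Defense code): a small model of a read/write policy
// for page inputs, a guard that enforces it, and the per-pageview violation rate.
// Script attribution via stack-trace URLs is an assumed heuristic, not the
// platform's method.

// Assumed site origin (placeholder) and a constructed policy. Any origin not
// listed is a third party and is blocked from both reading and writing.
const FIRST_PARTY = "https://shop.example";
const policy = {
  [FIRST_PARTY]: new Set(["read", "write"]),
  "https://analytics.example": new Set(["write"]), // may set values, never read
};

function isAllowed(policy, origin, action) {
  const allowed = policy[origin];
  return allowed !== undefined && allowed.has(action);
}

// Origin of the first script URL in a stack string. Accepts V8 frames
// ("at fn (https://h/a.js:1:2)") and SpiderMonkey frames ("fn@https://h/a.js:1:2").
// Frames from guardUrl (this guard's own script) are skipped. Returns null when
// no http(s) script URL appears, as happens under Node or for file:// paths.
function callerOrigin(stack, guardUrl) {
  for (const line of String(stack || "").split("\n")) {
    const m = line.match(/https?:\/\/[^\s()]+/);
    if (!m) continue;
    let url;
    try { url = new URL(m[0]); } catch { continue; }
    if (guardUrl && url.href.startsWith(guardUrl)) continue;
    return url.origin;
  }
  return null;
}

// Wrap one input so every read or write of .value is checked against the policy.
// In a browser, `value` is an accessor on HTMLInputElement.prototype, which is
// still called for allowed access; for the plain-object stand-in used in demo()
// there is no such accessor, so the value is kept in a closure instead.
function guardInput(el, policy, { guardUrl, getStack = () => new Error().stack, onViolation = () => {} } = {}) {
  const proto = Object.getPrototypeOf(el);
  const desc = proto && Object.getOwnPropertyDescriptor(proto, "value");
  let stored = el.value;
  const realGet = desc && desc.get ? () => desc.get.call(el) : () => stored;
  const realSet = desc && desc.set ? (v) => desc.set.call(el, v) : (v) => { stored = v; };
  const target = el.selector || "INPUT";

  function check(action) {
    // An access with no script URL (inline code) is attributed to the page itself;
    // a stricter deployment would treat it as unknown and block it.
    const origin = callerOrigin(getStack(), guardUrl) || FIRST_PARTY;
    if (isAllowed(policy, origin, action)) return true;
    onViolation({ action, origin, target });
    return false;
  }

  Object.defineProperty(el, "value", {
    configurable: true,
    enumerable: true,
    get() { return check("read") ? realGet() : ""; }, // blocked readers see ""
    set(v) { if (check("write")) realSet(v); },       // blocked writes are dropped
  });
  return el;
}

// Aggregate violation events into the figures quoted above: violations per
// pageview overall, plus read/write counts per offending origin.
function summarize(events, pageviews) {
  const byOrigin = {};
  for (const e of events) {
    const row = byOrigin[e.origin] || (byOrigin[e.origin] = { read: 0, write: 0 });
    row[e.action] += 1;
  }
  return { violationsPerPageview: events.length / pageviews, byOrigin };
}

// Constructed stand-in for a page input and constructed stack traces for the
// scripts touching it, so this runs under Node without a DOM.
function demo() {
  const violations = [];
  let stack = ""; // the script "running" for the next access
  const field = guardInput({ selector: "INPUT:first-of-type", value: "" }, policy, {
    guardUrl: "https://shop.example/guard.js",
    getStack: () => stack,
    onViolation: (v) => violations.push(v),
  });

  // The page's own checkout script fills the field: allowed.
  stack = "Error\n    at guard (https://shop.example/guard.js:5:3)\n    at onInput (https://shop.example/checkout.js:40:9)";
  field.value = "jane@example.test";

  // A social widget tries to read and then overwrite the field: both blocked.
  stack = "readField@https://cdn.social.example/widget.js:12:5";
  const thirdPartySaw = field.value;
  field.value = "overwritten";

  // The first party reads the untouched value back.
  stack = "Error\n    at submit (https://shop.example/checkout.js:88:2)";
  const firstPartySaw = field.value;

  return { thirdPartySaw, firstPartySaw, summary: summarize(violations, 1) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two accesses by the social widget on one pageview give a rate of 2 violations per pageview; the figures quoted above are the same ratio taken over millions of pageviews and many scripts. Note that the guard here defines the accessor on the element instance; a production guard would also have to cover other read paths (form serialization, input events, and similar), which this example leaves out.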

In this day and age of increasing regulations protecting information on the internet, isn’t it time to implement a solution that does just that?

For more information on JavaScript violation statistics and the Source Defense solution, please register for our upcoming webinar.

*** This is a Security Bloggers Network syndicated blog from Blog – Source Defence authored by Randy Paszek. Read the original post at: https://sourcedefense.com/resources/blog/fixing-the-leak-how-to-prevent-javascript-eavesdropping/