Client-Side XSS Vulnerabilities Growing Fast
The COVID-19 pandemic has been a boon to online retailers, as well as cybercriminals, according to a recent report from Tala Security. The report reveals that U.S. retailers’ online year-over-year revenue growth was up 68%, with a 148% growth in all online retail orders. While that might be good news for e-commerce, the bad news is that e-commerce sites are potentially exposing customers to attack, making it that much easier for cybercriminals to steal customer information.
The report also reveals that data theft is on the rise and cybercriminals now have unprecedented access to customer data, thanks to targeted attacks on e-commerce shopping carts using injected JavaScript code to skim online payment information.
“Those so-called Magecart attacks are on the rise, and few e-commerce sites are taking the necessary steps quickly enough to mitigate the problems.” said Aanand Krishnan, founder and CEO, Tala Security. “Our research shows that only 1.1% of the e-commerce sites we analyzed had effective security in place.”
Magecart is a consortium of cybercriminal groups who attack online shopping carts to steal customer payment card data. The type of attack used is referred to as a supply chain attack, where attackers aim to compromise third-party software used by an e-commerce site.
However, Magecart may well be the sign of a much bigger problem, one that can be classified as code-injection attacks. The problem is further exacerbated by the fact that most e-commerce sites use third-party software, presenting a potential attack vector.
Tala’s report further accentuates the problem and revealed that input forms, found on 92% of websites, expose data to an average of 17 domains. That data may include credentials, card transactions and medical records. The company claims that nearly one-third of websites studied expose data to more than 20 domains.
“Today, the browser has become part of the problem. In the past, all of the processing happened on the server side; now cybercriminals can steal data right from the browser,” added Krishnan. “Third parties are able to access data from the browser, since the browser is beyond the control of traditional IT.”
The threat seems to come from the way a browser executes JavaScript. When a user accesses a website, the browser is executing JavaScript, some of which may be coming from third parties which may have been compromised. In other words, an attacker may insert some malicious code into that third-party application, which then runs in the user’s browser. That code could be hidden in a banner advertisement, for instance, or some other element that runs within the browser.
“Today, users store a lot of personal information within their browsers; they may have credit card information memorized, passwords saved, or other personal information, which could potentially be exposed,” warned Krishnan.
While some may look at Magecart as just another example of a cross-site scripting (XSS) attack. The fact of the matter is that XSS attacks are usually targeted at the user and not the web page operator, leaving some website operators to believe that it is the user’s problem and not theirs. But if an issue impacts a user, it is also the website operator’s problem, and may create compliance issues or other problems.
With that in mind, website operators should be keenly aware of what third party apps are used on their sites. They should regularly scan their sites for vulnerabilities and be keenly aware of the digital supply chain in use.
