How to protect customer data from Magecart, Formjacking and XSS

It’s one thing to deliberately share user geolocation data without consent, but what if you’re inadvertently giving it away? Tala CEO Aanand Krishnan says there’s a lot more to 3rd party attacks than ‘just’ skimming.

The Federal Communications Commission is proposing over $200m in fines for wireless carriers who knowingly shared, sold or otherwise mishandled their customers’ location data. Following significant press investigations and reports, public awareness of the risks associated with this kind of breach is growing and we’re now seeing calls from privacy advocates to strengthen legislation, add teeth to existing privacy regulations and even hold CEOs personally responsible for making promises they can’t keep on customer privacy.

One big New York Times investigation referred to “Twelve Million Phones, One Dataset, Zero Privacy” but many businesses may be unaware that their websites are similarly hackable. Tala has written extensively about the third-party JavaScript supply-chain problem on the web. In particular, the uncontrolled growth in third-parties can lead to loss of sensitive customer data – credentials, credit card information etc. We have seen hundreds of websites fall victim to these hacks.

The datasets are typically stolen by means of a ‘skimming’ attack where a malicious JavaScript captures a copy of user entry into a web form. But that’s not the whole story: there are many ways hackers can exploit JS to access sensitive data – and many types of data they can steal, including geolocation.


Not Just Skimming

Besides skimming, there are other means by which JavaScript can access sensitive user data. HTML5 provides APIs that allow scripts to access the geolocation of a mobile or PC user. For example, JavaScript function can leverage the getcurrentPosition( ) method to obtain the user’s geolocation coordinates.



If a website wants to access your geolocation, the browser will prompt the user with a pop-up question.

There are two issues with the pop-up. First, this pop-up only shows up the first time the website is trying to access geolocation. If the user clicks ‘Allow Once’, that preference is recorded and the website can now access geolocation data any time in the future.



Secondly, if the user clicks ‘Allow’, it provides the entire website with permission to access the user’s geolocation. So in this case, if the user clicks on the ‘Allow’ button, scripts loaded from the primary domain (in this example it would be scripts loaded from as well as scripts loaded on the site from any other third-party domain, can access the user’s location information. In essence, malicious or adware scripts can now use a website’s permission levels to access sensitive user geolocation data.


What Can Website Owners Do?

The good news is that modern web browsers (PC and mobile) provide fine-grained security controls to monitor and block unauthorized access by third-party scripts.

In particular, a new and upcoming feature within browsers called feature-policy allows website owners to specify which domains can access sensitive user information and resources. For example, feature-policy allows a website to block a third-party script from accessing the user’s microphone or camera.

Feature-policy also provides websites with the ability to control access to user geolocation data. Using the feature-policy geolocation directive, a website can control which domains can access location information, including cross-domain iFrames.

For example, with the following policy, the website will only allow its own domain to access the location information. Any other domains trying to access the geolocation information will return an error.

Feature-Policy: geolocation ‘self’

If the website wants to allow a second domain, let’s call it, to access the location information, it can do so using the following policy:

Feature-Policy: geolocation ‘self’



With new privacy laws in place, website owners should prioritize restricting access to sensitive user data so that their websites don’t become conduits for data breaches or privacy violations. Browser-native controls like Content Security Policy (CSP), Subresource Integrity (SRI) and Feature-Policy are freely available for websites to enforce the right security and privacy policies.

To find out more about the risks specific to your organization, Tala can provide a Website Risk Analysis that will highlight client-side vulnerabilities on your web properties. Tala advocates both understanding risk and enabling standards-based, browser-native controls. We help organizations deploy and dynamically tune these capabilities to ensure continuous client-side security with zero impact on performance. FInd out more or request a demo at



*** This is a Security Bloggers Network syndicated blog from Tala Blog authored by Aanand Krishnan, CEO and Founder of Tala Security. Read the original post at: