99% of top websites vulnerable to Magecart & formjacking attacks

As many as 99% of the world’s top websites do not have adequate security controls to defend against Magecart, formjacking, cross-site scripting, and credit card skimming attacks that exploit vulnerable JavaScript integrations to capture customer records.

According to Tala Security's Global Data at Risk – 2020 State of the Web Report, the fact that an overwhelming majority of the world's most visited websites are still vulnerable to common client-side attacks indicates that a slew of high-profile attacks on global brands and record-breaking fines for GDPR breaches have had little impact on client-side security and data protection deployments.

In fact, the study found that security effectiveness against JavaScript vulnerabilities actually declined in 2020 when compared with a similar study conducted last year. These findings are not surprising: according to security firm Gemini Advisory, the Keeper Magecart group has successfully exfiltrated data from as many as 570 e-commerce domains across 55 countries since April, using credit-card-skimming malware.

"Without controls, every piece of code running on websites – from every vendor included in the site owner’s website supply chain – can modify, steal, or leak information via client-side attacks enabled by JavaScript. In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge," said Tala Security in a blog post.

98% of top websites have unsupervised third-party JavaScript integrations

An analysis of the Alexa top 1,000 websites by the firm revealed that as much as 58% of the content displayed in customers' browsers is delivered by third-party JavaScript integrations, and in 98% of these websites those supply-chain scripts make client-side connections that operate outside the site owner's effective control.

The most alarming finding of the study was that forms in 92% of the websites leaked PII, credentials, card transactions, and medical records to an average of 17 domains. Contrary to what Internet users believe, data entered in website forms is not restricted to the website itself or to the payment clearing house; it can also be accessed by more than a dozen other domains.

Because these websites lack client-side security controls, Magecart attackers can abuse uncontrolled and unsupervised JavaScript integrations to steal data from them. They can also carry out cross-site scripting (XSS) attacks, as 97% of websites use dangerous JavaScript functions that could serve as injection points for a DOM XSS attack.

“JavaScript powers today’s rich, highly customized web experience and enables digital transformation across all industry sectors. The fact that it remains largely unguarded is both surprising and disappointing,” said Aanand Krishnan, founder and CEO of Tala Security.

“Websites generate massive volumes of high-value data, making them a primary target for attackers. The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources. It’s imperative that organizations keep security top-of-mind and pay much closer attention to what has become a pervasive attack vector.”

CISOs must engage directly with dev teams to identify and secure client-side applications

Commenting on Tala Security's findings, Tim Mackey, principal security strategist at Synopsys CyRC, says that unlike the websites of only a few years ago, modern websites are powered by browser-side scripts accessing data from server-based APIs, including those of third parties.

"If the security team isn’t keeping up with the development practices of their web teams, they could easily miss when their teams moved from server-side page layout to client-side rendering. Such a miss represents an opportunity for attackers who’ve developed tool kits targeting websites using these client-side development paradigms, and who have successfully used their tool kits against major brands.

"Addressing weaknesses in development paradigms like client-side applications requires CISOs to engage directly with development teams to understand when shifts in technology selection occur. Since a shift in platform, like adopting client-side development practices, likely won’t result in any procurement activity, it could easily be overlooked if a business triggers security reviews based on vendor selection.

"Once client-side applications are identified, the next step is to conduct a review of how browser security standards are being used and what scripts are expected to be used on each web page. Armed with this client-side software bill of materials, processes can then be created to ensure security updates are performed on the scripts, reviews of any data sent by scripts can be performed, with an eye towards monitoring when changes in scripts are expected.

"This latter element is critical as client-side web applications rely heavily upon third-party APIs which will update out of band from their clients – a process that could render the application unstable if not carefully monitored. As with the usage of any third-party code, awareness is key to compliance," he adds.
