A report released by Tala Security shows 99% of Alexa top 1,000 websites were vulnerable to client-side JavaScript exploits such as Magecart, form jacking, cross-site scripting (XSS), and credit card skimming. The “The Global Data at Risk – 2020 State of the Web Report” also shows that website security effectiveness against client-side JavaScript vulnerabilities has fallen within the last 18 months. Some of the data leakages were happening without the knowledge of the website owners. Culprits included trusted and whitelisted legitimate applications such as Google Analytics.
Key findings of the Tala website security report
Every JavaScript code from the website supply chain could leak information when adequate website security measures were not put in place.
The report found that most of the global brands fail to implement adequate website security controls to protect their websites against vulnerability to client-side JavaScript code.
The report also found that the website security risk associated with JavaScript has risen in 2020. Currently, a single website includes content from about 32 JavaScript vendors.
Over half (58%) of the content displayed by Alexa 1000 websites render through third-party JavaScript integrations. Almost all connections (98%) associated with the JavaScript code take place outside the website security controls. This situation opens up the client-side attack vector for modern JavaScript exploits.
The report found that 92% of websites expose data to an average of 17 third-party domains. This data includes sensitive personal identification (PII), financial, and medical information. Users expect such information to be accessible to only the website owner. Consequently, the client-side JavaScript code exposes the data to more domains than intended by up to ten times. Still, more than a third of the websites analyzed exposed the data to more than 20 domains.
Despite attacks such as Magecart being more prominent on most websites, Cross-Site Scripting (XSS) attacks are more widespread. Tala found that 97% of sites were running JavaScript code that could be used to execute DOM XSS attacks. The report also said that although XSS website security controls exist, website operators hardly apply them.
The same report found that over 99% of sites are vulnerable to website security risks associated with trusted vendors code such as Google Analytics despite such scripts being vulnerable to exfiltration data in violation of GDPR and CCPA regulations.
Despite the shortcomings, 30% of websites applied various website security measures, which was a 10% increase from the past year. However, only 1.1% of the analyzed sites applied effective website security measures. Additionally, this was a decline of 11% compared to 2019.
The adoption of ineffective website security measures could give domain owners a false sense of security. This situation could encourage them to collect more sensitive information believing their sites were secured. The result would be more sensitive information leaking to third-parties.
Aanand Krishnan, Founder, and CEO of Tala Security said that a modern-day website generates massive volumes of high-value data, and therefore, failing to guard the client-side JavaScript was a major disappointment.
Mitigating client-side data security threats
Leveraging browser-based website security controls would help reduce the risk of data leakage from websites. Website owners should adopt methods such as Content Security Policies (CSP) as well as Subresource Integrity (SRI) to create a future-proof solution to website security without sacrificing the user experience. Owners should also monitor data leakages from their websites and take corrective actions to protect their user data. According to Krishnan, user data is greatly exposed to various threats, and organizations should pay closer attention to the pervasive attack vector occasioned by trusted third-party resources.