Analysis of the Alexa top 1000 websites has revealed a troubling lack of security controls required to prevent data theft and loss through client-side attacks.
According to research from Tala Security, techniques such as Magecart attacks, formjacking, cross-site scripting and credit card skimming are exploiting vulnerable JavaScript integrations running on 99% of the world’s top websites, and security effectiveness against JavaScript vulnerabilities is declining.
The research determined the average website includes content from 32 third-party JavaScript vendors, and 58% of the content that displays on customer browsers is delivered by third-party JavaScript integrations.
“The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources,” said Aanand Krishnan, founder and CEO of Tala Security. “It’s imperative that organizations keep security top of mind and pay much closer attention to what has become a pervasive attack vector.”
Whilst 30% of the websites analyzed had implemented security policies, only 1.1% were found to have effective security in place.
Jonathan Knudsen, senior security strategist at Synopsys, said the company’s own research showed the average commercial application has well over 400 third-party open source components. He explained: “While the research conducted by Tala Security might identify 32 independent vendors, when looking at any software supply chain, it’s important to look not only at the known vendors, but also at the usage of open source software in the final product or service. After all, it’s impossible to patch something you don’t know is there.”
He also claimed it is “hardly surprising that the research found that the average website has content from 32 third-party vendors” as modern software is more assembled than it is written, with useful chunks of functionality often coming from open source, third-party software components and interactions happening via APIs with multiple other systems.
“There is nothing inherently wrong with using third-party software components, the JavaScript language, or the web ecosystem,” he argued. “Just as with anything else, risk must be managed and minimized during the construction and deployment of websites.”
Keith Geraghty, solutions architect at Edgescan, said that JavaScript is not the issue here, as it has “revolutionized the user experience on the web.
“When we refer to vendors, we are usually referring to talented programmers who have developed tools and solutions that, along with HTML and CSS, make up the backbone of the web,” he said. “Like with all plugins and solutions, organizations need to ensure that what they use is safe, up-to-date and falling under the same controls as their traditional patch management strategy.”
Craig Young, senior security researcher at Tripwire, said: “The situation with loading so many JavaScript libraries from so many different domains greatly amplifies the risk subdomain hijacking attacks pose to the internet at large. The problem is that each third-party domain supplying unauthenticated JavaScript presents an opportunity for a server compromise to serve malicious content to unsuspecting users unless the site operator has taken specific security precautions.”