Tala Security has released its Global Data at Risk - 2020 State of the Web Report. The study, which analyzed the security posture of the Alexa top 1000 websites, reveals a troubling lack of security controls required to prevent data theft and loss through client-side attacks like Magecart, formjacking, cross-site scripting, and credit card skimming.  These attacks exploit vulnerable JavaScript integrations running on 99 percent of the world’s top websites.

Benchmarked against a similar study in 2019, this year’s report indicates that security effectiveness against JavaScript vulnerabilities is declining, despite high-profile attacks and repeated industry warnings over the past 18 months, including the largest GDPR fine to date.1

Without controls, every piece of code running on websites – from every vendor included in the site owner’s website supply chain – can modify, steal or leak information via client-side attacks enabled by JavaScript.  In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge.  What this report indicates is that data risk is everywhere and effective controls are rarely applied. 

Key findings from the Global Data at Risk - 2020 State of the Web Report highlight the scale of vulnerability and that the majority of global brands fail to deploy adequate security controls to guard against client-side attacks:

  • JavaScript risk has increased in 2020. The average website includes content from 32 third-party JavaScript vendors, up slightly from 2019. JavaScript powers richness but also the framework of what renders on customer browsers, including images, style sheets, fonts, media and content from 1st party source- the site owner.  
     
  • 58 percent of the content that displays on customer browsers is delivered by third-party JavaScript integrations identified above.  This website supply chain leverages client-side connections that operate outside the span of effective control in 98 percent of sampled websites.  The client side is a primary attack vector for website attacks today. 
     
  • Despite increasing numbers of high-profile breaches, forms found on 92 percent of websites expose data to an average of 17 domains. This is PII, credentials, card transactions, and medical records. While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, Tala’s analysis shows that this data is exposed to nearly 10X more domains than intended. Nearly one third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.
     
  • While other client-side attacks such as Magecart capture most of the headlines, no attack is more widespread than Cross-Site Scripting (XSS).  This study found that 97 percent of websites are using dangerous JavaScript functions that could serve as injection points to initiate a DOM XSS attack. Standards-based security controls exist that can prevent these attacks.  They are infrequently applied.

Unfortunately, despite high-profile risks and the availability of controls, there has been no significant increase in the adoption of security capable of preventing client-side attacks:

  • Over 99 percent of websites are at risk from trusted, whitelisted domains like Google Analytics.  These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. This has significant implications for data privacy, and by extension, GDPR and CCPA. 
  • 30 percent of the websites analyzed had implemented security policies - an encouraging 10 percent increase over 2019.  However...
  • Only 1.1 percent of websites were found to have effective security in place - an 11 percent decline from 2019.  It indicates that while deployment volume went up, effectiveness declined more steeply. The attackers have the upper hand largely because we are not playing effective defense.

“JavaScript powers today's rich, highly customized web experience and enables digital transformation across all industry sectors. The fact that it remains largely unguarded is both surprising and disappointing,” said Aanand Krishnan, Founder and CEO of Tala Security.  “Websites generate massive volumes of high-value data, making them a primary target for attackers. The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources. It’s imperative that organizations keep security top-of-mind and pay much closer attention to what has become a pervasive attack vector.”

Download the Global Data at Risk - 2020 State of the Web Report here.