by Lori Smith on June 27, 2019
Today, Feroot released the 2019 User Security and Privacy Report examining the hidden behaviors of external third- and fourth-party tools on the user side of websites and web apps. Of the 13 industries and government agency websites worldwide reviewed, the report found that:
- 92% of major news websites across North America, the UK and Germany use ad trackers that are participating in automatic cross-border data transfers;
- 21 web trackers on average are active on any given website at any time, creating a new and increasing surface area for attack through chatbots, analytics, ad tech tools and others;
- 40 trackers on average were found on major news publication websites, double the average across industries;
- 90% of e-commerce login pages are susceptible to attack and can potentially provide external tools with unrestricted visibility of user passwords.
Google, Facebook and Adobe rank as the top three companies receiving and processing user data, in many cases before user consent is given. The top five trackers across all industries are drawn from Google products (Analytics, Tag Manager, DoubleClick), Facebook products (Business, Connect) and Adobe Marketing Cloud.
The report also found that e-commerce websites are at high risk of credential, sensitive data and privacy theft, while the news industry is at the highest risk of data misuse. This is because the news industry has an average of 40 web trackers per website — double the number found in other industries — leaving its websites more exposed to externally controlled scripts and tools.
Furthermore, 90% of major news websites have active trackers sending data to foreign countries, in this case to Russia. This can pose information security and compliance problems and open the door to data misuse. For instance, as the Cambridge Analytica case demonstrated, detailed behavioral data on millions of Facebook users and their friends was misused by an unauthorized third party to sway public opinion on important political matters. This shows that once sensitive and personal data is skimmed by unauthorized parties and sent to outside destinations, anything is possible.
Results from the news industry:
* Russia ranked #12 for cross-border data transfers, just after the United Kingdom.
Other risks highlighted in the report include:
- High Risk of Credential Theft: user account login fields are in clear view of multiple externally controlled tools and scripts on the majority of websites.
- Risk of Privacy Breach: third-party advertising trackers, tag-management tools and externally controlled scripts are present on public pages, login fields and forms.
- High Risk of Sensitive Data Theft: credit card payment, username and password fields are in clear view of multiple externally controlled tools and scripts.
What this means: The challenge faced by most security professionals is the constant growth of the tech stack. Third- and fourth-party vendors, web trackers and homegrown technology tools are always in flux, as new tools and trackers are added daily for marketing and sales purposes. The hidden activities of these tools and scripts can expose up to 97% of organizations to the theft of customer data.
This poses ongoing data security and privacy threats because side-loaded code can be modified by third parties at any time. Even more worrying, server-side security tools don't monitor externally controlled tools and scripts, because those scripts are loaded on the user or client side, in the web browser. This opens organizations to a new attack surface, as was the case with recent breaches at Ticketmaster, Feedify, and Quest Diagnostics.
“The rise in regulatory scrutiny and increase of data breaches worldwide demonstrate the need for companies to be more vigilant about the type of data they collect and of the integrity of all parties that have access to user data, ultimately ensuring data is protected from potential theft,” says Ivan Tsarynny, Feroot CEO and Co-Founder. “We are alarmed at how often data transfers and data collection by third-party services go undetected. Attack surface area now includes all marketing and customer service third-party services. Security and privacy teams need to track where and by whom data is being stored, processed, and transferred, to prevent recurring and devastating breaches.”
To summarize, the report reveals that 97% of websites across industries have on average 21 active web trackers and five cross-border data transfers. Because server-side security tools do not monitor externally controlled scripts injected on the client side, organizations are exposed to a new attack surface, in particular the man-in-the-middle (MITM) attack vector.
So — what can your organization and security department do to prevent a data breach caused by the hidden activities of third- and fourth-party tools?
Here are a few recommendations from the report:
- Ensure that only third-party tools with the applicable compliance level (e.g. PCI DSS, HIPAA) are present on pages with payment data, health information, and other pages with regulatory obligations.
- Consider strong containment of third- and fourth-party scripts via iframe sandboxing, Content Security Policy and other hardening techniques.
- Actively monitor client-side third- and fourth-party scripts' access to data on production websites and web apps.
- Don't limit security and privacy testing to dedicated test and development environments. Instead, continuously monitor and test production environments.
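The containment recommendation above (iframe sandboxing and Content Security Policy), together with the earlier point that server-side tools cannot see what client-side scripts do, can be turned into a check a security team runs against its own pages. What follows is an added example, not code from the Feroot report or from Feroot's product: it parses a Content-Security-Policy header, flags the settings that leave login and payment fields readable by any script, lists which third-party origins a tightened policy still lets run script (the list to reconcile against the tracker inventory), and applies the same kind of check to an iframe's `sandbox` attribute. The two policies, the sandbox values and the `.invalid` hostnames are constructed samples.

```javascript
// Added example (not from the Feroot report): audit two browser-side
// containment controls, the Content-Security-Policy header and the iframe
// "sandbox" attribute. All policies and hostnames below are constructed.

// Parse a CSP header into a Map of directive name -> array of source tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a directive.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective source list for a fetch directive, applying the default-src fallback.
function effectiveSources(csp, directive) {
  return csp.get(directive) || csp.get("default-src") || null;
}

const isKeyword = (s) => s.startsWith("'");
const isSchemeOnly = (s) => /^[a-z][a-z0-9+.-]*:$/i.test(s);
const isHost = (s) => !isKeyword(s) && !isSchemeOnly(s) && s !== "*";

// Third-party origins allowed to run script. Reconcile this list with the
// known tracker/tag-manager inventory; anything unexpected is a fourth party.
function thirdPartyScriptOrigins(header) {
  const sources = effectiveSources(parseCsp(header), "script-src") || [];
  return sources.filter(isHost);
}

// Settings that weaken containment. An empty array means nothing was flagged.
function auditCsp(header) {
  const csp = parseCsp(header);
  const findings = [];

  const script = effectiveSources(csp, "script-src");
  if (!script) {
    findings.push("script-src: absent (and no default-src), any origin may run script");
  } else {
    const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src: 'unsafe-inline' without nonce/hash, injected inline script runs");
    if (script.includes("'unsafe-eval'"))
      findings.push("script-src: 'unsafe-eval' allows string-to-code execution");
    if (script.includes("*") || script.some((s) => /^https?:$/.test(s)))
      findings.push("script-src: wildcard or scheme-only source, any host may run script");
    if (script.includes("data:"))
      findings.push("script-src: data: URIs allowed, script can be smuggled in as a data URL");
  }

  // connect-src governs fetch/XHR/beacon: the path collected data leaves by.
  const connect = effectiveSources(csp, "connect-src");
  if (!connect || connect.includes("*") || connect.some((s) => /^https?:$/.test(s)))
    findings.push("connect-src: unrestricted, scripts may send collected data to any origin");

  // form-action does not fall back to default-src, so it must be set explicitly.
  if (!csp.has("form-action"))
    findings.push("form-action: absent, form submissions may be redirected to any origin");

  const object = effectiveSources(csp, "object-src");
  if (!object || !object.includes("'none'"))
    findings.push("object-src: plugins not blocked, set object-src 'none'");

  return findings;
}

// Audit an iframe's sandbox attribute value; pass null when the attribute is absent.
function auditSandbox(sandboxAttr) {
  if (sandboxAttr == null)
    return ["sandbox: attribute absent, framed content keeps full origin privileges"];
  const flags = new Set(sandboxAttr.trim().split(/\s+/).filter(Boolean));
  const findings = [];
  if (flags.has("allow-scripts") && flags.has("allow-same-origin"))
    findings.push("sandbox: allow-scripts with allow-same-origin, a same-origin frame can remove its own sandbox");
  if (flags.has("allow-top-navigation"))
    findings.push("sandbox: allow-top-navigation, the frame can navigate the hosting page");
  return findings;
}

// Constructed samples: a permissive policy of the kind that leaves login and
// payment fields readable by any script, and a tightened version that still
// admits one named tag-manager host.
const WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval' data:; img-src *";
const HARDENED_CSP = [
  "default-src 'self'",
  "script-src 'self' 'nonce-r4nd0m' https://cdn.example-tagmanager.invalid",
  "connect-src 'self' https://api.example.invalid",
  "form-action 'self'",
  "frame-src https://checkout.example-psp.invalid",
  "object-src 'none'",
].join("; ");
const WEAK_SANDBOX = "allow-scripts allow-same-origin allow-forms allow-top-navigation";
const TIGHT_SANDBOX = "allow-scripts allow-forms";

console.log("weak CSP findings:", auditCsp(WEAK_CSP));
console.log("hardened CSP findings:", auditCsp(HARDENED_CSP));
console.log("hardened CSP third-party script origins:", thirdPartyScriptOrigins(HARDENED_CSP));
console.log("weak sandbox findings:", auditSandbox(WEAK_SANDBOX));
console.log("tight sandbox findings:", auditSandbox(TIGHT_SANDBOX));
```

Run it with Node; the weak policy produces seven findings and the tightened one none, while `thirdPartyScriptOrigins` still lists the tag-manager host so it can be reviewed against the inventory of approved vendors. The hardened policy uses a nonce for first-party inline script; in a deployment the nonce must be freshly generated per response.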
Want to learn more and see the results for all 13 industries? Download the report now.
Feroot is a data collection monitoring platform that helps security and privacy engineers monitor issues introduced by third- and fourth-party tools and scripts, such as web trackers, tag managers, chatbots and analytics tools, that are loaded in visitors' browsers. The Feroot system gives organizations visibility to detect unauthorized and ungoverned data collection and helps prevent security and regulatory vulnerabilities.