home Apps, Cyber Security, Internet State of the Web Report Finds 98 Percent of U.S. Alexa 1000 Websites Are Inadequately Secured Against Magecart and Other Advanced Attacks

State of the Web Report Finds 98 Percent of U.S. Alexa 1000 Websites Are Inadequately Secured Against Magecart and Other Advanced Attacks


Tala Security, the provider of security solutions protecting enterprise websites and web applications against advanced client-side attacks like Magecart, today announced the Tala 2019 State of the Web Report. The report, which tested U.S. websites within the Alexa 1000 ranking, educates enterprises about the critical and under-recognized security threats related to their web assets and the third party vendors that support them.

Today, the primary connection point between companies and their customers is the corporate website, which, in addition to acting as an educational resource, is also a key driver of corporate revenue for most businesses. Most websites are loaded with client-heavy JavaScript applications that execute web code to enrich the customer experience, provide compelling content and images and assist in engagement. The Tala 2019 State of the Web Report highlights that this architecture, in an effort to make sites more attractive and useful, introduces significant vulnerabilities that enable client-side website attacks – such as Magecart – to impact customer browsing sessions and can lead to theft of sensitive user personally identifiable information (PII) and financial data.

In August, the PCI Security Standards Council (PCI SSC) and the Retail and Hospitality ISAC issued a joint bulletin to address the growing threat of online skimming to payment security. The vulnerabilities specifically leveraged to launch these accelerating attacks are the main focus of this data analysis. Raising awareness of the critical website security flaws identified in the report are its main goal. “These attack techniques are of increasing significance to the retail and hospitality industry…It is important that businesses grow in their awareness of the nature of these attacks and of the security controls necessary to detect and defeat them,” stated Carlos Kizzee, Vice President, Intelligence, Retail and Hospitality ISAC. “We must endeavor to ensure that focused attention, commitment and peer collaboration in e-commerce cybersecurity efforts within the retail and hospitality industry outpaces the growth and evolution of threats such as these.”

Key findings from the Tala 2019 State of the Web Report highlight that the majority of global brands fail to deploy adequate security to guard against client-side attacks, including:

  •     The average website relies on 31 third-parties. Nearly two-thirds (~63 percent) of the externally loaded JavaScript code executed in the browser is either written by and/or managed by third-parties.
  •     98 percent of websites use forms to collect PII and financial data from the user. This form data is defined by the website owner’s code architecture to be purposefully sent to an average of 1.6 domains. However, in reality, due to the reliance on third-party integrations, form data is exposed to an average of 15.7 third-party domains. In other words, user form data is exposed to an order of magnitude more domains than intended by the website owner.
  •     87 percent of websites were found to include innerHTML, which allows JavaScript code to manipulate a website being displayed. InnerHTML is a common injection point attackers leverage to launch Cross-Site Scripting (XSS) attacks.
  •     Dynamic JavaScript code was found to exist in more than 60 percent of websites. This code is not loaded statically, but is instead loaded via a static JavaScript command. This kind of “piggybacking” creates a more expansive attack surface for hackers to exploit.
  •     Only 27 percent of websites were found to deploy standard-based security such as content security policies (CSP) capable of guarding against vulnerabilities introduced by the significant reliance on JavaScript or to limit unauthorized access and distribution of form data.
  •     94 percent of website operators that deploy CSP have implemented a set of policies that are not capable of guarding against client-side attacks. CSP and other standards-based security implementations exist but deploying these at scale requires substantial administration and has been proven challenging.

“The number one enemy of enterprise website security is lack of awareness about what’s ‘under the hood’ from an integration and architecture standpoint. This is basically a website’s ‘supply chain’,” said Aanand Krishnan, Founder & CEO of Tala Security. “The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services that have not been properly vetted. While Magecart is the most well-known, there are many other attacks that leverage client-side vulnerability. It’s imperative that organizations keep security top-of-mind and expand their perspective on what has become a pervasive attack vector – the organization’s website.”

For each of the Alexa 1000 websites, Tala used its analysis engine, which evaluates 50 unique indicators of a web page’s architecture and integrations to document code, content and data change on the website. The findings represented in the Tala 2019 State of the Web Report are the result of aggregate study of the Alexa 1000 to define statistically relevant insights that indicate mass vulnerability to client-side website attacks such as cross-site scripting (XSS), Magecart, user data leakage, content integrity attacks, ad injections and session redirects. These vulnerabilities are capable of significantly impacting the secure operation of nearly every website included in the study.

Download the Tala 2019 State of the Web Report here: https://go.talasecurity.io/state-of-the-web-report-2019

About Tala Security
Tala Security protects modern websites and web applications from critical and growing threats, such as cross-site scripting (XSS), Magecart, website supply-chain attacks, clickjacking and others. Tala defends against such attacks by automating the deployment and dynamic adjustment of browser-native, standards-based security controls such as Content Security Policy (CSP), Subresource Integrity (SRI), HTTP Strict Transport Security (HSTS) and other web security standards. The activation of browser-native security controls provides comprehensive security without requiring any changes to the application code and with almost no impact to website performance. Tala’s product is powered by an AI-assisted analytics engine that evaluates over 50 unique indicators of a web page’s behavior. The analytics engine provides comprehensive risk analysis and enables Tala to automate the generation, implementation and updating of browser-native security policies. Tala’s product also provides customers with alert analytics and incident management. Tala serves large website operators in verticals such as financial services, online retail, payment processing, hi-tech, fintech and education. Learn more at http://www.talasecurity.io


James Barnley

I’m the editor of the DomainingAfrica. I write about internet and social media, focusing mainly on Domains. As a subscriber to my newsletter, you’ll get a lot of information on Domain Issues, ICANN, new gtld’s, Mobile technology and social media.

Leave a Reply

Your email address will not be published. Required fields are marked *