99% of website JavaScript plugins are at risk of attack

A web security report released today by Tala Security shows that the global web security situation has deteriorated sharply, with 99% of website JavaScript plugins at risk of attack. The report, which tracks the security posture of Alexa’s top 1,000 websites, found that, on average, each website contained JavaScript programs from 32 different third parties, a slight increase from 2019. And third-party programs like Google Analytics and other plugins can expose websites to Magecart, formjacking, cross-site scripting, credit card hijacking, and other attacks.

This type of attack leverages vulnerable JavaScript components that run on about 99 percent of the world’s websites. While 30% of websites implemented new security policies, a 10% increase from 2019, only 1.1% had effective security measures, an 11% drop from 2019.

“This shows that while the deployment of website security measures has increased, efficiency has dropped dramatically,” said Aanand Krishnan, founder and CEO of Tala Security. “Attackers have the upper hand, mainly because we are not playing an effective defense.”

The report states that without effective policy controls, every piece of code running on most websites could potentially modify, steal or leak information through client-side attacks executed by JavaScript. These attacks are valuable to hackers because once they compromise a third-party tool, they can exploit it on any other website where the tool is deployed.

The report found that data risks are everywhere, and few sites have controls in place that actually work. “In many cases, these data leaks were carried out through legitimate apps that were whitelisted without the website owner’s knowledge.”

Of great concern: despite the rising number of high-profile breaches, form scripts used to fulfill orders on 92% of websites still exposed data to an average of 17 domains.

“As a result, the data is exposed not only on the main website, hosting website or payment platform, but also on an average of 15 other domains, which greatly exposes the risk,” the report states. “We have seen cases of hackers changing the code and even shutting down the entire site.”

Hank Schless, senior manager of security solutions at Lookout, pointed out that data shows that opening up a company’s platform to third parties creates more risks, especially in terms of exposure to GDPR and CCPA.

“Privacy is a major concern these days, and security teams need to properly assess the security posture of any third-party integrators before allowing them to access customer data,” Schless noted.

Thomas Hatch, co-founder and CTO of SaltStack, said he is concerned by reports of a decline in effective web security management.

“Such a sharp decline is indicative of a fundamental problem with the management of cybersecurity for websites today,” Hatch said. “These types of attacks and breaches are not new, but they are more common than ever. If we are to overcome these problems, there needs to be a rethinking of how applications are deployed, how they are secured, how they are managed securely, and how to support the multitude of open source projects used to build modern Web sites.”
