In recent cyberattacks, three notable sites—Macy’s, Smith & Wesson and UK retailer Sweaty Betty—were hit with similar Magecart-style attacks to steal shoppers’ personal information. The message is clear: websites and web applications are vulnerable, and existing security deployments are not sufficient to safeguard against client-side attacks.
Why is this happening?
Web developers love third-party JavaScript integrations (analytics, tag managers, chat widgets, payment scripts) for the dynamism and analytical capacity they add. Unfortunately, because these integrations are largely unmanaged and unmonitored, they substantially expand the attack surface and introduce significant risk to the business and its end-users.
Taking a Cue from Google
As Google built Gmail and Google Maps, its engineers began to see the security flaws these new, script-heavy applications could introduce, long before anyone else did. So while they were pioneering these technologies, they also built the browser-side controls needed to protect them.
Other companies innovating in this space did a great job of increasing functionality—without bridging the security gap that was opening up. And that’s the gap that cyberattackers like Magecart are looking to exploit.
Those controls are native to all modern browsers and web application frameworks, but a shockingly small number of companies take advantage of them: only 2% of U.S. Alexa 1000 websites are adequately secured against the types of attacks that hit British Airways and Macy’s.
Attacking the Browser
There are several ways for an attacker to get their code into the browser: compromise the site’s own server (which is what happened with British Airways), compromise any of the third-party applications discussed above (or the dependencies those have on fourth and fifth parties), or compromise the client itself. Whichever route is used, the attacker’s script ends up running in the shopper’s browser with the same privileges as the site’s own code.
In practical terms, that means they can steal data as end-users enter it into a form (credit cards, user credentials, healthcare information), read it from cookies, or read it from browser storage such as localStorage or IndexedDB. They can also redirect users to a competitor’s or a malicious site, show them competitor or malicious content, or hijack their machines for crypto-mining.
The point of execution has shifted to the client, in the browser, so what you really need is to protect the browser itself against attack. There are plenty of readily available and highly effective measures for doing so: Content Security Policy (CSP), Subresource Integrity (SRI), Referrer-Policy and other browser-enforced headers.
Companies, however, have been slow to adopt them and often lack the resources to put these measures in place. Security teams don’t get the kind of budget that marketing teams do, and there is a significant shortage of cybersecurity talent focused on application security.
We Need a New Way of Thinking
Closing those loopholes requires a shift in the way we think about web security. The web has changed so dramatically in the past decade, with people using it in ways we didn’t imagine: think about the growth of the mobile web and the expanding Internet of Things.
Our security approaches haven’t kept up the pace.
Every website can have the same kinds of security controls and policies that Google has in place to protect customer information. It is past time for security practitioners to pay closer attention to the point of data origination, which is exactly where these attacks are aimed, and to begin diligent and immediate deployment of client-side security.