Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/12/2021
10:00 AM
Deepika Gajaria
Deepika Gajaria
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Wake Up and Smell the JavaScript

The SolarWinds attack showed the true meaning of a supply chain breach. And it's the canary in the coal mine for sensitive data on the Web.

Even before the pandemic hit and everyone flocked online, companies were investing significant time and resources in building great online experiences for their users. But all that usability comes with a price tag in terms of risk. Today's websites are essentially a conglomeration of Web-enabled assets, a massive global supply chain that nobody really thinks about in this way. And that's a big data-privacy problem that's about to get a lot bigger. 

What do all these connected parts have in common? JavaScript. "Write once, run everywhere" has been the backbone of today's rich Web — but that portability has massive implications for both data security and data privacy. Magecart is driving awareness of the security aspects, but many businesses seem unaware of the growing privacy implications of uncontrolled data sharing by trusted Web applications. The Web has largely been ignored when it comes to understanding data-privacy risks. Enterprises take care of the data in their databases and how they store customers' and other sensitive data, but more often than not, the Web is where data is invoked. 

Related Content:

Prioritizing Application & API Security After the COVID Cloud Rush

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: Cartoon Caption Winner: In Hot Water

What happens when the same applications and integrations that deliver rich user experience and insights share that sensitive information with third, fourth, or fifth parties outside your organization's control? You can get an idea by looking at dating site Grindr and a pending €10 million fine for sharing user data with advertising companies without the consent required under the General Data Protection Regulation (GDPR). 

Are website owners really doing enough to protect users and understand these emerging risks?

Start Caring About Oversharing
Forms found on 92% of websites expose data to an average of 17 domains — climbing to 20 if you happen to be a top mobile service provider in the European Union, where (depending on the country) passport scans and copies of pay slips are among the documentation requested to sign a contract. That's a lot of oversharing. And what about the multiple trusted applications on your site — Google Ads, chatbots, etc.? While many of these applications are set to collect data, many organizations aren't aware of the exact kind or extent of the data they're collecting. 

Can you genuinely claim to know exactly where all this data is flowing? Do you know: 

  • Which vendor has access to what sensitive data?
  • Which vendor reads sensitive data?
  • Which vendor shares sensitive data with other vendors? 

Because if you don't, you should. Regulations, including GDPR and the California Consumer Privacy Act (CCPA), require enterprises to be aware of where sensitive data is flowing, as well as the purpose of these data flows. 

Why It Matters
Unintentional data exposure is a significant, unaddressed problem for most of the world's website owners. When we fail to secure data as it's entered into websites, we're effectively leaving it hanging: the only reason it's not being stolen is that criminals haven't taken it. Yet.

Equally, when we overlook the need to understand how trusted applications share data, we run the risk of simply giving it away — without our users' consent. 

Everyone talks about security in depth, security beyond the perimeter, and data privacy. It's time to focus on the place where those things intersect: the browser. 

Deepika Gajaria is Tala's VP of Products. An experienced product leader and technologist, Deepika is responsible for product strategy and delivery at Tala. Working closely with customers, she drives product direction and shapes the product roadmap to address their core ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...