The theft of personal or sensitive data is one of the biggest threats to online business. This danger, known as data exfiltration or data extrusion, arises from a wide variety of attack vectors, including physical theft of devices, insider attacks within a corporate network, phishing, malware and third-party scripts. For regular website users, the risk that an attacker will steal their personal and sensitive data without their knowledge grows every day.

There are several ways attackers can covertly exfiltrate data from unsuspecting website visitors. These range from basic attacks like phishing, where crafted emails lure victims into clicking fraudulent links that redirect them to malicious websites, to more complex attacks that use scripts embedded in websites to secretly steal users’ credentials, financial information and even medical data.

Websites commonly embed third-party scripts for advertising or analytics purposes. Recent studies have found that third-party scripts are hijacking websites more and more often, and for a visitor, this fraudulent behavior is often difficult to recognize.

There are five areas where malicious third-party scripts try to escalate privileges:

  • Browser login manager and auto-fill misuse
  • Social data exfiltration
  • Document object model (DOM) exfiltration
  • Data exfiltration in cloud environments
  • Data exfiltration of mobile phone sensors

Browser login manager and auto-fill misuse

Many internet users store their credentials or other personal information in browser login managers and auto-fill tools, which populate login forms on websites so the user does not have to type anything in. In most cases, this improves users’ security precisely because credentials no longer need to be typed.

Many third-party scripts exploit this by injecting hidden login forms into websites. The user never sees these malicious forms; the browser login manager fills them with the stored credentials, and the script sends the values to the third party. The same attack works with email addresses and phone numbers, which browsers very often keep in their auto-fill data, and sometimes even with credit card and social security numbers.
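One way a site operator can check for this, as an added example that is not from the original article: a defender-side audit that flags credential fields which are hidden from the user or whose form submits to a different origin. The inputs are modelled as plain objects (a constructed sample) so the logic runs in Node; in a browser the same properties would be read from `document.querySelectorAll('input')`, `getBoundingClientRect()` and `getComputedStyle()`.

```javascript
// Added example (not from the original article): a defender-side audit that flags
// hidden credential fields of the kind an injected third-party script adds to
// harvest browser auto-fill. Inputs are plain objects so this runs in Node.
const CREDENTIAL_TYPES = new Set(['password', 'email', 'tel']);
const CREDENTIAL_AUTOCOMPLETE =
  /^(username|current-password|new-password|email|tel|cc-|street-address)/;

// Fields a login manager or auto-fill would populate.
function isCredentialField(input) {
  return CREDENTIAL_TYPES.has(input.type) ||
    CREDENTIAL_AUTOCOMPLETE.test(input.autocomplete || '');
}

// Common ways a field is kept out of the user's sight while still auto-filled.
function isHidden(input) {
  const { width = 0, height = 0 } = input.rect || {};
  const s = input.style || {};
  return width === 0 || height === 0 || s.display === 'none' ||
    s.visibility === 'hidden' || s.opacity === '0' ||
    (s.position === 'absolute' && parseInt(s.left, 10) < -1000);
}

// True when the enclosing form submits to an origin other than the page's.
function isForeignForm(input, pageOrigin) {
  if (!input.formAction) return false;
  try { return new URL(input.formAction, pageOrigin).origin !== pageOrigin; }
  catch (e) { return true; } // unparsable action: treat as suspicious
}

// Returns the suspicious inputs together with the reasons each was flagged.
function auditCredentialFields(inputs, pageOrigin) {
  const findings = [];
  for (const input of inputs) {
    if (!isCredentialField(input)) continue;
    const reasons = [];
    if (isHidden(input)) reasons.push('hidden credential field');
    if (isForeignForm(input, pageOrigin)) reasons.push('form posts cross-origin');
    if (reasons.length) findings.push({ name: input.name, reasons });
  }
  return findings;
}

// Constructed sample: the site's own login form plus two injected hidden fields.
const SAMPLE_INPUTS = [
  { name: 'user', type: 'email', autocomplete: 'username', rect: { width: 200, height: 30 }, style: {}, formAction: '/login' },
  { name: 'pass', type: 'password', autocomplete: 'current-password', rect: { width: 200, height: 30 }, style: {}, formAction: '/login' },
  { name: 'e', type: 'email', rect: { width: 0, height: 0 }, style: { display: 'none' }, formAction: 'https://tracker.example/collect' },
  { name: 'p', type: 'password', rect: { width: 1, height: 1 }, style: { position: 'absolute', left: '-9999px' }, formAction: '' },
];
console.log(auditCredentialFields(SAMPLE_INPUTS, 'https://shop.example'));
```

Running the audit periodically (or from a MutationObserver) catches fields that a script injects after page load, which a one-time check at startup would miss.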

Social data exfiltration

To make logging in easier, many website operators offer federated authentication through social media login providers. The advantage is that users do not need to remember another password; they simply sign in through their social media profile. The threat arises when a user approves a social login integration on a ‘first-party’ website that embeds third-party scripts: those scripts inherit the granted access rights and can query the social media provider’s application programming interface (API), which lets them covertly exfiltrate information from the user’s profile. This can include account information and account IDs as well as the email address and postal address.

DOM exfiltration

The website DOM is a tree structure that defines how the contents of a website are arranged, including dynamic content that is specific to a user session. Depending on the website, the top level of the DOM tree can contain sensitive or personal information such as name and address; on a banking website, it can also hold more confidential data like credit card numbers or account information. If an attacker’s third-party script is loaded at the top level, it can often traverse the full DOM tree and exfiltrate all of this confidential data. Such scripts can even modify events on a website to track what the user is doing, or secretly add event listeners that let attackers record a user’s mouse movements.

These privacy violations are a known threat, and cybersecurity research is paying increasing attention to the attackers’ techniques in order to provide proper prevention methods. Users, on the other hand, have limited options beyond ad blockers: they can store as little personal information online as possible or disable script execution in the browser settings, but neither is an ideal solution. Instead, website operators should make sure that their content is clean. This matters even more when web applications run in the cloud.

Data exfiltration in the cloud

The cloud is growing in importance and offers many advantages over other infrastructures. For websites and web applications, it can be easier to deploy the code in the cloud and expose it to the public from there. But recent studies have shown that one of the biggest threats to cloud environments is misconfiguration. Misconfiguration can lead to insecure APIs that allow malicious scripts to pull information from protected areas, and it can let attackers reach credential storage and obtain user or even admin credentials for the cloud environment.

Data exfiltration and mobile phone sensors

Several recent studies have found that third-party scripts can access mobile sensors (e.g., GPS, gyroscope and motion sensors) and exfiltrate the sensor data. On Android in particular, there are major attack vectors for abusing mobile sensors for covert data exfiltration. These attacks target the Android ad network, so victims do not need to install a malicious mobile app: the malicious script accesses the sensors from ads embedded within apps.

These vulnerabilities can also appear in hybrid apps and mobile browsers, which use Android’s WebView to render websites or web content inside an app or browser window. WebView is supposed to be sandboxed within the app so that no code can run in the background. However, mobile ads can still secretly execute scripts that exfiltrate mobile sensor data, even after the app or browser window is closed.

Third-party scripts on websites, apps or in the cloud can be a major threat. As the digital transformation continues and our society becomes more connected, it is crucial to properly secure content and make sure that the security of sensitive user data is always top of mind.
