The theft of personal or sensitive data is one of the biggest threats to online business. This threat, known as data exfiltration or data extrusion, comes from a wide variety of attack vectors: physical theft of devices, insider attacks within a corporate network, phishing, malware and third-party scripts. The risk that an attacker will steal a regular website user's personal and sensitive data without their knowledge increases every day.
There are several ways attackers can covertly exfiltrate data from unaware website visitors. These include basic attacks like phishing, which lure victims with crafted emails to click fraudulent links that redirect users to malicious websites. More complex attacks include using scripts on websites to secretly steal users’ credentials, financial information and even medical data.
Websites commonly embed third-party scripts for advertising or analytics purposes. In recent studies, researchers have found that third-party scripts are hijacking websites more often. Visitors usually have no easy way to recognize such fraudulent behavior.
There are five areas where malicious third-party scripts try to escalate privileges:
- Browser login manager and auto-fill misuse
- Social data exfiltration
- Document object model (DOM) exfiltration
- Data exfiltration in cloud environments
- Data exfiltration of mobile phone sensors
Browser login manager and auto-fill misuse
Many internet users store their credentials or other personal information in browser login managers and auto-fill tools, which fill in login forms on websites so that the user does not have to type the data. In most cases, this improves users' security, because credentials never have to be typed in.
Many third-party scripts exploit this by adding hidden login forms to websites. The user does not see these forms, but the browser login manager fills them with the stored credentials, and the script sends them to the third party. The same attack works with email addresses or phone numbers, which browsers very often store for auto-fill, and sometimes even with credit card and social security numbers.
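As an added example (not code from the original article), the following script audits a page's input fields for the hidden-form pattern described above: fields the browser could auto-fill that are invisible to the user, or that sit in a form submitting to another origin. The core check works on plain field descriptors so it runs anywhere; `collectInputs()` builds those descriptors from a real DOM when one is present. The origins `shop.example` and `tracker.example` and the sample fields are constructed for the example.

```javascript
// Added example: detect auto-fillable fields a user cannot see, or whose form
// posts to a different origin than the page. Not part of the original article.

// Autocomplete tokens and input types that login managers and auto-fill may
// populate from stored data.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "username", "current-password", "new-password", "email", "tel",
  "cc-number", "cc-csc", "cc-exp", "street-address", "postal-code",
]);
const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);

// Descriptor shape (constructed for this example):
// { name, type, autocomplete, hidden, formAction }
//   hidden:     true when the field is not visible to the user
//   formAction: URL the enclosing form submits to ("" = same document)
function isSensitive(field) {
  return SENSITIVE_TYPES.has(field.type) ||
    SENSITIVE_AUTOCOMPLETE.has((field.autocomplete || "").toLowerCase());
}

// A form whose action resolves to a different origin than the page is a
// candidate channel for whatever the browser auto-fills into it.
function isCrossOrigin(formAction, pageOrigin) {
  if (!formAction) return false;
  try {
    return new URL(formAction, pageOrigin).origin !== pageOrigin;
  } catch {
    return true; // unparsable action: treat as suspicious
  }
}

// Returns the sensitive fields that were flagged, with the reasons.
function auditInputs(fields, pageOrigin) {
  const findings = [];
  for (const f of fields) {
    if (!isSensitive(f)) continue;
    const reasons = [];
    if (f.hidden) reasons.push("hidden-from-user");
    if (isCrossOrigin(f.formAction, pageOrigin)) reasons.push("cross-origin-form-action");
    if (reasons.length) findings.push({ name: f.name, reasons });
  }
  return findings;
}

// Browser-side collector: turns real <input> elements into descriptors.
// "Hidden" covers display/visibility/opacity tricks and off-screen placement.
function collectInputs(doc) {
  const view = doc.defaultView;
  return Array.from(doc.querySelectorAll("input")).map((el) => {
    const cs = view.getComputedStyle(el);
    const rect = el.getBoundingClientRect();
    const hidden = cs.display === "none" || cs.visibility === "hidden" ||
      cs.opacity === "0" || rect.width === 0 || rect.height === 0 ||
      rect.right < 0 || rect.bottom < 0;
    return {
      name: el.name || el.id,
      type: el.type,
      autocomplete: el.getAttribute("autocomplete") || "",
      hidden,
      formAction: el.form ? el.form.getAttribute("action") || "" : "",
    };
  });
}

// Constructed sample: a normal login form, a search box, and two off-screen
// fields of the kind an injected script might add and submit elsewhere.
const SAMPLE_FIELDS = [
  { name: "user", type: "text", autocomplete: "username", hidden: false, formAction: "/login" },
  { name: "pass", type: "password", autocomplete: "current-password", hidden: false, formAction: "/login" },
  { name: "q", type: "text", autocomplete: "off", hidden: false, formAction: "/search" },
  { name: "u2", type: "text", autocomplete: "username", hidden: true, formAction: "https://tracker.example/collect" },
  { name: "p2", type: "password", autocomplete: "current-password", hidden: true, formAction: "https://tracker.example/collect" },
];

if (typeof document !== "undefined") {
  console.log(auditInputs(collectInputs(document), location.origin));
} else {
  console.log(auditInputs(SAMPLE_FIELDS, "https://shop.example"));
}
```

Run from a browser console on a page after its third-party scripts have loaded, the audit reports any auto-fillable field the user cannot see; in the constructed sample only the two injected fields are flagged, each for both reasons. The visibility heuristics are deliberately conservative, so review findings by hand rather than treating every hit as an attack.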
Social data exfiltration
To make life easier for users, many website operators provide federated authentication through social media login providers. The advantage is that users do not have to remember passwords; they simply log in with their social media profiles. The threat arises when a user approves a social login integration for a ‘first-party’ website that embeds third-party scripts. Those scripts inherit the granted access rights and can query the social media provider’s application programming interface (API), which lets them covertly exfiltrate information from the user’s social media profile: account information and account IDs as well as the email address and personal address details.
DOM exfiltration
The website DOM is a tree structure that defines how the contents of a website are arranged. Dynamic content that is specific to a user session can be placed in the DOM. The top level of the DOM tree can contain sensitive or personal information, like name, address and other data depending on the website. On a banking website, it can also contain more confidential information like credit card numbers or account information. If an attacker’s third-party script runs at the top level, it can often traverse the full DOM tree and exfiltrate all of that confidential data. Attackers can even use such scripts to modify events on a website to track what the user is doing, or to secretly add event listeners that record the user’s mouse movements.
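To see what a top-level script is in a position to read, the following added example (not code from the original article) walks a DOM tree the same way and reports text nodes that look like card numbers or email addresses. A site operator can run it on a rendered page before embedding third-party scripts. It accepts either real DOM nodes or the plain object tree used in the constructed banking-style sample; the Luhn check keeps random digit strings out of the report.

```javascript
// Added example: audit what sensitive-looking text a DOM tree exposes.
// Not part of the original article.

// Luhn checksum, used to tell a real card-number-shaped string from noise.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && digits.length <= 19 && sum % 10 === 0;
}

// 13-19 digits, optionally separated by spaces or hyphens.
const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Classify one text node; card numbers are masked to their last four digits.
function classifyText(text) {
  const hits = [];
  for (const m of text.match(CARD_RE) || []) {
    const digits = m.replace(/[ -]/g, "");
    if (luhnValid(digits)) hits.push({ kind: "card", value: "****" + digits.slice(-4) });
  }
  for (const m of text.match(EMAIL_RE) || []) hits.push({ kind: "email", value: m });
  return hits;
}

// Depth-first traversal, exactly what a script at the top level can do.
// Works on a real DOM node (nodeName/childNodes/nodeValue) or on the plain
// object tree below (tag/children/text).
function auditTree(node, path = "", out = []) {
  const name = node.nodeName || node.tag || "#text";
  const here = path ? `${path}>${name}` : name;
  const text = node.nodeValue != null ? node.nodeValue : node.text;
  if (typeof text === "string") {
    for (const h of classifyText(text)) out.push({ path: here, ...h });
  }
  const kids = node.childNodes || node.children || [];
  for (const k of kids) auditTree(k, here, out);
  return out;
}

// Constructed sample page: an account overview. The "Order ref" line is
// card-shaped but fails the Luhn check, so it is not reported.
const SAMPLE_TREE = {
  tag: "body",
  children: [
    { tag: "header", children: [{ text: "Welcome back, alice@example.com" }] },
    { tag: "main", children: [
      { tag: "p", children: [{ text: "Card on file: 4111 1111 1111 1111" }] },
      { tag: "p", children: [{ text: "Order ref 1234 5678 9012 3456" }] },
      { tag: "p", children: [{ text: "Support: help@bank.example" }] },
    ] },
  ],
};

const tree = typeof document !== "undefined" ? document.body : SAMPLE_TREE;
console.log(auditTree(tree));
```

Each finding carries the path to the node, which tells the operator where to move data out of the shared top-level document (for example into a cross-origin iframe) or to render it only after the user has requested it.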
These privacy violations are a known threat, and cybersecurity research is paying more attention to the attackers’ techniques in order to provide proper prevention methods. Users, on the other hand, have few options beyond ad blockers: they can store as little personal information online as possible or disable script execution in the browser options, but neither is an ideal solution. Instead, website operators should make sure that their content is clean. This matters even more when web applications run in the cloud.
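The operator-side control for both the hidden-form and the DOM-traversal cases above is a Content-Security-Policy header: `script-src` limits which scripts load, `connect-src` limits where fetch/XHR may send data, and `form-action` limits where forms (injected ones included) may submit. The following added example (not code from the original article) implements a subset of CSP source-expression matching so a policy can be checked against concrete URLs before deployment; the policy and the `shop.example`, `cdn.shop.example`, `api.shop.example` and `tracker.example` origins are constructed. A browser's matcher handles more cases (nonces, hashes, path matching) than this one.

```javascript
// Added example: evaluate a Content-Security-Policy against URLs a third-party
// script might try to use. Not part of the original article; simplified.

// Constructed policy for a site served from https://shop.example.
const POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.shop.example"],
  "connect-src": ["'self'", "https://api.shop.example"],
  "form-action": ["'self'"],
  "frame-src": ["'none'"],
};

// Directives that do NOT fall back to default-src when absent.
const NO_FALLBACK = new Set(["form-action", "frame-ancestors", "base-uri", "sandbox", "report-uri"]);

function serializePolicy(policy) {
  return Object.entries(policy).map(([d, v]) => `${d} ${v.join(" ")}`).join("; ");
}

function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression allow the URL? Supports 'self', 'none',
// scheme-only sources ("https:"), hosts with an optional "*." prefix and an
// optional port. Other quoted keywords never match a URL.
function sourceMatches(src, url, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (!(wildcard ? h.endsWith("." + want) : h === want)) return false;
  if (port && port !== "*") {
    const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
    if (urlPort !== port) return false;
  }
  return true;
}

// Resolve the directive (with default-src fallback where CSP defines one)
// and test whether the target URL is allowed.
function isAllowed(policy, directive, target, pageOrigin) {
  let sources = policy[directive];
  if (!sources && !NO_FALLBACK.has(directive)) sources = policy["default-src"];
  if (!sources) return true; // nothing governs this directive: browsers allow
  let url;
  try { url = new URL(target, pageOrigin); } catch { return false; }
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const ORIGIN = "https://shop.example";
console.log("Content-Security-Policy:", serializePolicy(POLICY));
for (const [directive, target] of [
  ["script-src", "https://tracker.example/t.js"],
  ["connect-src", "https://tracker.example/collect"],
  ["form-action", "https://tracker.example/collect"],
  ["connect-src", "/api/cart"],
]) {
  console.log(directive, target, isAllowed(POLICY, directive, target, ORIGIN) ? "allowed" : "blocked");
}
```

Note that `form-action` has no `default-src` fallback, so a policy that omits it leaves injected forms free to submit anywhere; and because a script can also leak data through image requests or navigation, `img-src` and the rest of the policy matter as much as `connect-src`.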
Data exfiltration in the cloud
The cloud is becoming more important and offers many advantages over other infrastructures. For websites and web applications, it can be easier to deploy the code in the cloud and expose it to the public from there. But recent studies have shown that misconfiguration is one of the biggest threats to cloud environments. It can lead to insecure APIs that let malicious scripts pull information from protected areas, and it can give attackers access to credential storage, where they can acquire user or even admin credentials for the cloud environment.
Data exfiltration and mobile phone sensors
Several recent studies have found that third-party scripts can gain access to mobile sensors (e.g., GPS, gyroscope and motion sensors) and exfiltrate the sensor data. On Android in particular, there are major attack vectors for abusing mobile sensors for covert data exfiltration. These attacks target the Android ad network, so victims do not need to install a malicious mobile app: the malicious script accesses the sensors from ads embedded within apps.
Such vulnerabilities can also appear in hybrid apps or mobile browsers, which render websites or web content in a window backed by Android’s WebView. Normally, WebView should be sandboxed within the app so that no code can run in the background. However, mobile ads can still execute scripts covertly to exfiltrate sensor data, even after the app or browser window has been closed.
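On the web side of the sensor problem, a site or web-content operator can declare which origins may use sensor APIs with a Permissions-Policy response header. The following added example (not code from the original article) parses such a header and answers whether a given origin, such as an embedded ad frame, may use a feature. The header value and the `shop.example`, `ads.example` and `maps.example` origins are constructed; the browser default assumed for unlisted sensor features is "self only", and a real browser additionally consults each iframe's `allow` attribute.

```javascript
// Added example: evaluate a Permissions-Policy header for sensor features.
// Not part of the original article; models the header grammar only.

// Constructed policy: no origin may use motion sensors, and only the site
// itself may use geolocation.
const SENSOR_POLICY =
  "accelerometer=(), gyroscope=(), magnetometer=(), geolocation=(self)";

// Parse "feature=(allowlist), feature=(allowlist)" into
// { feature: [token, ...] } where tokens are *, self or an origin string.
function parsePermissionsPolicy(header) {
  const policy = {};
  for (const item of header.split(",")) {
    const eq = item.indexOf("=");
    if (eq < 0) continue;
    const feature = item.slice(0, eq).trim();
    let value = item.slice(eq + 1).trim();
    if (value.startsWith("(") && value.endsWith(")")) value = value.slice(1, -1);
    policy[feature] = value.split(/\s+/).filter(Boolean)
      .map((t) => t.replace(/^"|"$/g, ""));
  }
  return policy;
}

// May code running with `origin` on a page at `pageOrigin` use `feature`?
// Features absent from the header keep the browser default; for sensor and
// geolocation features that default is assumed here to be self-only.
function featureAllowed(policy, feature, origin, pageOrigin) {
  const allow = policy[feature] || ["self"];
  return allow.some((t) =>
    t === "*" || (t === "self" && origin === pageOrigin) || t === origin);
}

const parsed = parsePermissionsPolicy(SENSOR_POLICY);
for (const [feature, origin] of [
  ["gyroscope", "https://shop.example"],
  ["gyroscope", "https://ads.example"],
  ["geolocation", "https://shop.example"],
  ["geolocation", "https://ads.example"],
]) {
  console.log(feature, origin, featureAllowed(parsed, feature, origin, "https://shop.example"));
}
```

An empty allowlist such as `gyroscope=()` denies the feature to everyone, including the page's own scripts, which is the right setting for a site that has no legitimate use for motion data.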
Third-party scripts on websites, apps or in the cloud can be a major threat. As the digital transformation continues and our society becomes more connected, it is crucial to properly secure content and make sure that the security of sensitive user data is always top of mind.