As seen on SC Media

Bradley Barth Follow @bbb1216bbb

A new report examines how certain third-party programs can gain access to shoppers’ personal and payment data as they type it into webforms placed on e-commerce sites. (Stuart C. Wilson/Getty Images for eBay)

Data sharing between websites and third-party applications is a common practice, but a new research-based report takes a more focused look into the potential overreach of some of these apps, particularly as website managers lose sight of their third-party partners’ default settings and access rights.

The report, from Source Defense, examines how certain third-party programs can gain access to shoppers’ personal and payment data as they type it into webforms placed on e-commerce sites. To demonstrate the pervasiveness of this phenomenon, Source Defense researchers monitored multiple websites for 28 days and counted how many times an unnamed social media platform’s code attempted to access the site’s web form entries by default.

Source Defense ultimately observed millions of attempts: The anonymous social media app attempted to access web form data roughly 129.1 million times from a fast casual dining chain site, approximately 22.7 million times from a men’s apparel retailer, just under 6 million times from a kitchen appliance maker, and about 620,000 times from a seller of outdoors gear.

Randy Paszek, sales engineer at Source Defense, would not identify the websites or the social media platform involved in the study, but did say that social media plugins that typically grab data from web forms are ones designed to allow likes, posts and re-posts.

Paszek explained why some website operators are guilty of overlooking the sometimes unnecessary oversharing of web form data, which potentially creates privacy and regulatory risks: “It’s very tough for website managers to inspect code of third-parties on a consistent enough basis to understand what overreaches there may be,” he said. “Digital marketing teams are typically not looking at the technical code and website security teams are unaware of the problem.”

Additionally, “Many third parties use dynamic JavaScript or will change their code multiple times per day, making code review almost impossible.” What’s more, he said, website coders are primarily interested in how the presence of JavaScript improves or enhances a website’s interactivity, more so than any data collection that may be taking place in the background.

Simply put, “The responsibility of an organization to know what their code – first or third party – is usually reported as: The JavaScript is doing what I want it to do or the JavaScript is not doing what I want it to do,” said Paszek.

Plug-in can be a particular source of confusion for website operator. “We often talk with website admins/managers who are unsure how to update website plugins,” said Ron Doss, web security analyst at SiteLock. “We find that a lot of website admins either had the site built by a third party, or they inherited the job after the previous website admin left the company. Not only do they often not have much experience with websites in general, but most are pretty unfamiliar with the makeup of their own website.”

Chris Olson, CEO of The Media Trust, has long been an advocate for the reduction of online third-party code risk. Olson told SC Media in an interview that web form data sharing between e-commerce sites and social media can be hard to control these days because websites are no longer “under the control of the enterprise.”

“The personalized, interactive, and dynamic experience that consumers expect is provided by third parties, and these parties comprise 90 percent of the code that executes in the browser,” said Olson. “And it’s been this way for more than five years. This functionality comes at a cost: Each third-party vendor represents an access point that could be compromised and serve malware, redirect visitors to a malicious website or app; or secretly collect website visitor data.”

“Application security teams typically focus on their own code and simply don’t see – sometimes blatantly ignore – the third-party code piggybacking on the content rendering in the browser,” Olson added. “This thinking is what harms consumers. Consumers assume premium websites in the Alexa 1,000 are safe, and unmanaged third parties take advantage of this consumer naivete to gather information to target them in the future with malware, fraud, and disinformation.”

And of course, third parties can potentially pass this data on further to fourth parties. “It happens all the time and most website operators are clueless to the security and regulatory risk posed by these unmanaged third parties,” Olson added.

Paszek noted that website owners often lack the tools to truly understand what kind of visitor data is being read by third parties.

“Traffic monitoring tools would monitor if data is being sent back to the JavaScript origin or to a location owned by the social media company, but the content of that data would not be known,” he said.

Source Defense does offer its own client-side technology designed to prevent data collection and skimming-type behaviors. But Olson cautioned that solutions tend to “mask the heart of the issue,” which is that “no one is in charge of their website.”

And that can only be fixed through policies that institute responsible data stewardship and third-party risk reduction, not to mention compliance.

“PCI [Payment Card Industry] Compliance is very strict about how data is collected and stored, so if third parties are scraping that data in any way, it represents a huge risk and liability to the website owner,” said Doss. “I personally believe that if a website admin is aware that this data is or may be scraped at all, they have an obligation to let their visitors know. In my experience, most website admins are wholly unaware that this type of activity may be occurring on their site.”

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.