Most internet users know that the information they share online is collected and used by data brokers, advertisers and marketing companies. Less known is that the personal information users type into web forms can, without their consent, be accessed by any client-side JavaScript running on the page, regardless of whether they click submit or not.
Bad actors can take advantage by injecting malicious JavaScript on the page that gives them access to steal credit card numbers, credentials and other personally identifiable information (PII). This is known as digital skimming or Magecart, and it can lead to payment fraud, account takeover (ATO) and identity theft.
Going one step further, a recent independent study showed that even legitimate JavaScript code from trusted third-party vendors are accessing PII on many sites. Although this likely won’t result in identity theft, it’s still a form of broken access control that can lead to potential data privacy violations.
Leaky Forms Are the Culprit
The issue is due to “leaky forms” — forms that (purposely or accidentally) allow third-parties to read sensitive information as it is typed in. The study found numerous examples of websites that leak form data to third-party trackers before users hit submit.
Modern websites rely heavily on third-party code from vendors for social media, chatbots, analytics and payments. But if access controls are broken, this could inadvertently leak data to third-party vendors and raise the risk of falling out of compliance with data privacy and security regulations (such as PCI DSS, CPRA, CCPA, and GDPR). Subsequent fines, lawsuits, and user payouts are a distinct possibility.
Third-party Vendors Aren’t Liable
While leaking user data is a clear privacy violation, the third-party code vendors aren’t liable if they capture this information. Most third-party code vendor agreements limit liability for what data gets grabbed by their systems.
The terms of service often state that websites should not give access to sensitive information beyond what is explicitly required. And if they do get access to sensitive data, they are free from liability because access should not have been granted in the first place.
As the Director of Security and Compliance at one top e-learning company stated, “If our vendors collect sensitive data from form fields on our website and there's a data breach and those fields are leaked, their legal language says they're not responsible for that. So from a GDPR and CCPA standpoint, that puts our company on the hook.”
But I Trust My Third-party Vendors
Many third parties aren’t malicious, at least in the sense that they typically aren’t capturing data to commit identity theft. However, this doesn’t mean that vendors should have free access to your data.
Broken access control is the number one web application security risk according to OWASP. Leaking data to vendors — even trusted ones — means your access controls are broken. This increases your potential attack surface area, leaving you at risk of a supply chain attack and noncompliance fines.
The the e-learning company further explained, “Like any B2C company, we have cookies and pixels on our site. We needed a way to track what actually is being collected and by whom, so we can make sure it aligns with our contracts. This helps us maintain CCPA compliance, which is very vital to our business.”
It’s Happened Before
The e-learning company implemented HUMAN Code Defender to get complete visibility into their website supply chain. The solution helped them get control in order to avoid potential regulatory penalties, but not every company has had the tools in place to catch malicious code. Many well-known brands have suffered financial losses due to a client-side supply chain attack that exposed user data.
- Ticketmaster paid a £1.25 million GDPR fine for exposing the PII and PCI data of up to 9 million customers via form field access by a third party chat bot on the checkout page.
- British Airways paid £20 million — one of the largest GDPR fines in history — in addition to settling a private class action lawsuit for allowing the sensitive data of 420,000 customers to be compromised via form field access.
- The first-ever CCPA settlement and related class action lawsuit was imposed on Hanna Anderson for allowing sensitive customer data to be accessed via form fields.
Take a Zero Trust Approach
It’s entirely possible that third-party scripts accurately match the form fields and data is not used outside the ‘approved’ customer values in the payload. But why take that risk? Instead, we recommend implementing a Zero Trust security posture for third-party scripts that access customer data input.
Zero Trust means least-privileged access controls rather than assumed trust. The enforcement of Zero Trust policies require real-time visibility into the interactions of all website users. To this end, website owners can benefit from technologies that flag when a script is accessing PII and enforce granular control to restrict form field access without disabling entire scripts.
“I'm super happy and impressed with how Code Defender is able to block third-party scripts from accessing specific form fields based on the data being collected,” the Director of Security and Compliance at the e-learning company said. “Now, we can give access to certain fields and block access to other fields for things like credit card number and password, which vendors were collecting and not telling their customers. This allows us to protect our data and cover our bases as well.”
Fix the Leak
HUMAN Code Defender identifies vulnerabilities and anomalous behavior across all website scripts, and proactively mitigates risk using a combination of Content Security Policy (CSP) and granular JavaScript blocking. The solution provides real-time visibility and granular control into third-party code to prevent PII leakage and assist with compliance with data privacy regulations.