Leaky Forms Are the Culprit
The issue is due to “leaky forms” — forms that (purposely or accidentally) allow third-parties to read sensitive information as it is typed in. The study found numerous examples of websites that leak form data to third-party trackers before users hit submit.
Modern websites rely heavily on third-party code from vendors for social media, chatbots, analytics and payments. But if access controls are broken, this could inadvertently leak data to third-party vendors and raise the risk of falling out of compliance with data privacy and security regulations (such as PCI DSS, CPRA, CCPA, and GDPR). Subsequent fines, lawsuits, and user payouts are a distinct possibility.
Third-party Vendors Aren’t Liable
While leaking user data is a clear privacy violation, the third-party code vendors aren’t liable if they capture this information. Most third-party code vendor agreements limit liability for what data gets grabbed by their systems.
The terms of service often state that websites should not give access to sensitive information beyond what is explicitly required. And if they do get access to sensitive data, they are free from liability because access should not have been granted in the first place.
As the Director of Security and Compliance at one top e-learning company stated, “If our vendors collect sensitive data from form fields on our website and there's a data breach and those fields are leaked, their legal language says they're not responsible for that. So from a GDPR and CCPA standpoint, that puts our company on the hook.”
But I Trust My Third-party Vendors
Many third parties aren’t malicious, at least in the sense that they typically aren’t capturing data to commit identity theft. However, this doesn’t mean that vendors should have free access to your data.
Broken access control is the number one web application security risk according to OWASP. Leaking data to vendors — even trusted ones — means your access controls are broken. This increases your potential attack surface area, leaving you at risk of a supply chain attack and noncompliance fines.
The e-learning company further explained, “Like any B2C company, we have cookies and pixels on our site. We needed a way to track what actually is being collected and by whom, so we can make sure it aligns with our contracts. This helps us maintain CCPA compliance, which is very vital to our business.”
It’s Happened Before
The e-learning company implemented HUMAN Code Defender to get complete visibility into their website supply chain. The solution helped them get control in order to avoid potential regulatory penalties, but not every company has had the tools in place to catch malicious code. Many well-known brands have suffered financial losses due to a client-side supply chain attack that exposed user data.
- Ticketmaster paid a £1.25 million GDPR fine for exposing the PII and PCI data of up to 9 million customers via form field access by a third-party chatbot on the checkout page.
- British Airways paid £20 million — one of the largest GDPR fines in history — in addition to settling a private class action lawsuit for allowing the sensitive data of 420,000 customers to be compromised via form field access.
- The first-ever CCPA settlement and related class action lawsuit was imposed on Hanna Andersson for allowing sensitive customer data to be accessed via form fields.
Take a Zero Trust Approach
It’s entirely possible that third-party scripts accurately match the form fields and data is not used outside the ‘approved’ customer values in the payload. But why take that risk? Instead, we recommend implementing a Zero Trust security posture for third-party scripts that access customer data input.
Zero Trust means least-privileged access controls rather than assumed trust. Enforcing Zero Trust policies requires real-time visibility into the interactions of all website users. To this end, website owners can benefit from technologies that flag when a script is accessing PII and enforce granular control to restrict form field access without disabling entire scripts.
“I'm super happy and impressed with how Code Defender is able to block third-party scripts from accessing specific form fields based on the data being collected,” the Director of Security and Compliance at the e-learning company said. “Now, we can give access to certain fields and block access to other fields for things like credit card number and password, which vendors were collecting and not telling their customers. This allows us to protect our data and cover our bases as well.”
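As an added illustration of the field-level control described above (example code, not the original post's or HUMAN's Code Defender), a sensitive field's `value` getter consults a per-origin allowlist: a script that is not allowlisted for a field gets an empty string for it but keeps running and still sees non-sensitive fields. A plain object stands in for the DOM input so it runs under Node; the origins, field names and the `runAs` attribution of the calling script are assumptions.

```javascript
// Which script origins may read which sensitive fields (hypothetical values).
// Non-sensitive fields stay open to every script, so vendors keep working.
const policy = {
  sensitiveFields: new Set(["card_number", "cvv", "password"]),
  allow: { "https://payments.example": new Set(["card_number", "cvv"]) },
};
const auditLog = []; // one entry per blocked read: who tried to read what

// Origin of the script currently executing. A browser implementation would
// derive this from the calling script's URL; here runAs() sets it explicitly.
let currentOrigin = "first-party";
function runAs(origin, fn) {
  const previous = currentOrigin;
  currentOrigin = origin;
  try { return fn(); } finally { currentOrigin = previous; }
}

function isAllowed(origin, name) {
  if (!policy.sensitiveFields.has(name) || origin === "first-party") return true;
  const fields = policy.allow[origin];
  return Boolean(fields && fields.has(name));
}

// Replace the field's plain `value` with a mediated accessor. Denied reads are
// logged and return "", so the reading script is not disabled wholesale.
function guardField(field, name) {
  let stored = field.value;
  Object.defineProperty(field, "value", {
    configurable: true, enumerable: true,
    get() {
      const allowed = isAllowed(currentOrigin, name);
      if (!allowed) auditLog.push({ origin: currentOrigin, field: name });
      return allowed ? stored : "";
    },
    set(v) { stored = v; },
  });
  return field;
}

// Constructed checkout form: plain objects stand in for <input> elements.
const form = {
  email: guardField({ value: "" }, "email"),
  card_number: guardField({ value: "" }, "card_number"),
  cvv: guardField({ value: "" }, "cvv"),
};
// The user types; leaky scripts read on keystrokes, before any submit.
form.email.value = "user@example.org";
form.card_number.value = "4111111111111111"; // constructed test number
form.cvv.value = "123";

// What each third party's keystroke handler would see of the form.
function snapshotAs(origin) {
  return runAs(origin, () => ({ email: form.email.value, card: form.card_number.value, cvv: form.cvv.value }));
}
const paymentsView = snapshotAs("https://payments.example"); // allowlisted
const chatView = snapshotAs("https://chat.example");         // not allowlisted
```

`chatView` shows the chat vendor only the email while `auditLog` records its two blocked card reads, which is the signal a reviewer would use to check vendor behaviour against contracts.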
Fix the Leak