Data Exfiltration by Third-Party Web Scripts Is Getting Worse

Posted by Marbenz Antonio on May 9, 2022


One of the most serious threats to internet businesses is the theft of personal or sensitive data. Data leakage, also known as data extrusion, can occur through a variety of attack mechanisms. Examples include physical device theft, insider attacks within a business network, phishing, malware, and third-party scripts. Every day, the likelihood grows that an attacker will take personal and sensitive data from regular website visitors without their awareness.

There are various ways for attackers to steal data from unwitting website users. Basic attacks like phishing use carefully prepared emails to get victims to click on bogus links that lead to hostile websites. In more complex attacks, scripts on websites may be used to steal users’ passwords, financial information, and even medical data.

Third-party scripts are commonly used on websites for advertising or analytics purposes. According to a recent study, third-party scripts are increasingly hijacking websites. As a visitor, it can be difficult to spot the fraudulent activity.

Malicious third-party scripts attempt to elevate privileges in five different ways:

  • Misuse of the browser login manager and auto-fill
  • Exfiltration of social data
  • Exfiltration of the Document Object Model (DOM)
  • Exfiltration of data in cloud environments
  • Exfiltration of data from mobile phone sensors

Browser Login Manager and Auto-Fill Misuse

Many internet users use browser login managers and auto-fill features to save their credentials and other personal information. These automatically populate login fields on websites so that users do not have to enter them manually. Because users do not have to type in credentials, this can boost user security in most circumstances.

Many third-party scripts take advantage of this by inserting hidden login forms into websites. The user does not see these malicious forms. Instead, the browser login manager fills them in with the user credentials saved in the browser, and the values are delivered to the third party. This attack also works with email addresses or phone numbers, which are frequently stored in the browser’s auto-fill feature. On occasion, it even works with credit card and social security numbers.
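A site owner can look for the hidden forms described above by checking every fillable field for visibility. The following is an added example, not code from the original article; the descriptor shape, the list of auto-fill tokens and the size and opacity thresholds are assumptions, and the sample fields are constructed.

```javascript
// Added example (not from the original article): flag fields a login manager
// or auto-fill would populate although the user cannot see them.
const AUTOFILL_TYPES = new Set(['password', 'email', 'tel']);
const AUTOFILL_TOKENS = new Set(['username', 'current-password', 'email',
  'tel', 'cc-number', 'cc-exp', 'cc-csc', 'street-address', 'postal-code']);

// Would the browser fill this field from saved credentials or profile data?
function isAutofillTarget(f) {
  const tokens = (f.autocomplete || '').toLowerCase().split(/\s+/);
  return AUTOFILL_TYPES.has((f.type || 'text').toLowerCase()) ||
    tokens.some((t) => AUTOFILL_TOKENS.has(t));
}

// Why the user cannot see the field; an empty array means it is visible.
function hiddenReasons(f) {
  const reasons = [];
  if (f.display === 'none') reasons.push('display:none');
  if (f.visibility === 'hidden') reasons.push('visibility:hidden');
  if (Number(f.opacity) < 0.1) reasons.push('near-zero opacity');
  if (f.width <= 1 || f.height <= 1) reasons.push('1px or smaller');
  if (f.left + f.width <= 0 || f.top + f.height <= 0) reasons.push('off-screen');
  return reasons;
}

function findHiddenAutofillFields(fields) {
  return fields.filter(isAutofillTarget)
    .map((f) => ({ name: f.name, reasons: hiddenReasons(f) }))
    .filter((r) => r.reasons.length > 0);
}

// Browser adapter: turn a live <input> into the descriptor used above.
function describeField(el) {
  const s = getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return { name: el.name, type: el.type, autocomplete: el.autocomplete,
    display: s.display, visibility: s.visibility, opacity: s.opacity,
    width: r.width, height: r.height, left: r.left, top: r.top };
}

// Constructed sample: a visible login form plus fields a script injected.
const shown = { display: 'block', visibility: 'visible', opacity: '1',
  width: 200, height: 30, left: 100, top: 100 };
const SAMPLE_FIELDS = [
  { ...shown, name: 'user', type: 'text', autocomplete: 'username' },
  { ...shown, name: 'pass', type: 'password', autocomplete: 'current-password' },
  { ...shown, name: 'e', type: 'email', opacity: '0', width: 1, height: 1 },
  { ...shown, name: 'p', type: 'password', left: -5000 },
  { ...shown, name: 'q', type: 'text', autocomplete: 'off', display: 'none' },
];
```

In a browser, pass `Array.from(document.querySelectorAll('input')).map(describeField)` to `findHiddenAutofillFields`; a field hidden only through an ancestor's opacity is not caught by this check.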

Exfiltration of Social Data

Many website owners provide federated authentication using social media login providers to make it easier for users. The advantage is that users can use a streamlined login with their social network profiles instead of remembering passwords. When a user allows a social login integration for a ‘first-party’ website with integrated third-party scripts, they are putting themselves at risk. The attackers can then gain access to the social media provider’s application programming interface (API) and query it. This allows them to steal user information from that social media profile invisibly. This can include email addresses and personal addresses, as well as user account information or account IDs.

DOM Exfiltration

The website DOM is a tree structure that specifies how a website’s contents are organized. The DOM may be used to organize dynamic content that is particular to a user session. Depending on the website, the top level of the DOM tree might include sensitive or personal information such as name, address, and other data. More sensitive information, such as credit card numbers or account numbers, might be found on a banking website. If an attacker’s third-party script runs at the top level, it can typically traverse the whole DOM tree and steal all of the sensitive information. Attackers can even use scripts to manipulate events on a website and track what the user is doing. The scripts may also include hidden event listeners, allowing attackers to track a user’s mouse movements.
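One way to detect this kind of leak is to search the requests a page makes for values that were rendered in its DOM, including common encodings of them. The following is an added example, not code from the original article; the request-log format, the host names and the sample values are constructed for the illustration.

```javascript
// Added example (not from the original article): search a request log for
// page values sent to other origins. Log format and values are constructed.

// Forms a script may give a value before sending it out.
function encodings(value) {
  const bytes = Buffer.from(value, 'utf8');
  return [
    ['plain', value],
    ['url-encoded', encodeURIComponent(value)],
    ['base64', bytes.toString('base64')],
    ['hex', bytes.toString('hex')],
  ];
}

// requests: [{ url, body }]; secrets: { label: value } as rendered in the DOM.
function findDomLeaks(pageUrl, requests, secrets) {
  const pageOrigin = new URL(pageUrl).origin;
  const leaks = [];
  for (const req of requests) {
    const target = new URL(req.url, pageUrl); // resolves relative URLs
    if (target.origin === pageOrigin) continue; // first-party traffic
    const haystack = target.search + '\n' + (req.body || '');
    for (const [label, value] of Object.entries(secrets)) {
      const hit = encodings(value).find(([, enc]) => haystack.includes(enc));
      if (hit) leaks.push({ host: target.host, label, form: hit[0] });
    }
  }
  return leaks;
}

// Constructed sample data: one first-party call and three third-party calls.
const PAGE = 'https://shop.example.test/checkout';
const SECRETS = { email: 'alice@example.test', card: '4111111111111111' };
const cardB64 = Buffer.from(SECRETS.card).toString('base64');
const REQUESTS = [
  { url: '/api/profile', body: 'email=alice@example.test' },
  { url: 'https://cdn.tracker.test/p.gif?e=alice%40example.test' },
  { url: 'https://ads.example.net/c', body: `{"d":"${cardB64}"}` },
  { url: 'https://fonts.example.org/a.woff2' },
];
```

The check matches whole-value encodings only, so a value that is split, hashed or embedded in a larger encoded blob is missed; a clean result is not proof that nothing left the page.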

These privacy violations are a well-known issue, and cybersecurity research is gaining a better understanding of the attackers’ tactics in order to develop effective preventative solutions. Users, on the other hand, have few alternatives besides ad blockers. Users should also keep as little personal information as possible online or deactivate script code in their browser settings. However, these aren’t perfect options. Instead, website owners should ensure that their material is free of errors. This is even more crucial when using cloud-based online apps.

Data Exfiltration in the Cloud

The cloud is gaining in popularity and offers several benefits over previous infrastructures. When it comes to websites and online apps, setting up the code in the cloud and making it public from there might be easier. Recent research has revealed that misconfiguration is one of the most serious dangers to cloud infrastructures. This can result in insecure APIs that allow malicious scripts to access restricted areas. It gives attackers access to credential storage, allowing them to get user or even admin credentials for cloud environments.

Data Exfiltration and Mobile Phone Sensors

Third-party scripts can get access to mobile sensors (e.g., GPS, gyroscope, and motion sensors) and exfiltrate sensor data, according to a number of recent studies. There are important attack vectors for abusing mobile sensors for hidden data exfiltration, particularly on Android. Victims do not need to download a malicious mobile app because these attacks target the Android ad network. Ads integrated into apps allow the malicious script to access device sensors.

These flaws may also be found in hybrid applications and mobile browsers that use Android’s WebView to render webpages or website content. WebView should usually be sandboxed in apps so that no background code can execute. Even after the app or browser window is closed, mobile advertisements can continue to run scripts in the background to exfiltrate mobile sensor data.

Third-party scripts on websites, applications, and in the cloud can pose a serious security risk. As our society becomes increasingly linked as a result of the digital revolution, it is critical to properly safeguard information and ensure that the security of sensitive user data is constantly top of mind.

