Application Security

Websites of EU Mobile Providers Fail to Properly Secure User Data: Report

Sensitive data pertaining to the customers of top mobile services providers in the European Union is at risk of compromise due to improperly secured websites, data security and privacy firm Tala reveals.

An analysis of the websites of 13 of the top mobile telecom companies in the EU has revealed that none of them has in place even the minimum necessary protections to be considered secure.

“With over 235 million customers between them, none of the mobile providers scored a passing grade for website security. Where a score of 80+ is considered reasonable and 50 is barely a passing grade, none of the mobile providers analyzed comes close,” Tala says in a new report.

Despite the lack of proper website protections, however, during online sign-up, the telcos collect a significant amount of sensitive data from their customers, including names, emails, addresses, dates of birth, passport numbers, payslips, and even banking details in some cases.

All of the gathered data, Tala claims, might be at risk of compromise through vulnerabilities and the use of third-party code: the average number of JavaScript integrations was found to be 162, while forms were found exposed to an average of 19 third parties.

All of the websites, the report reveals, use dangerous JavaScript functions that open the door to cross-site scripting (XSS), the most common type of website vulnerability. The highest number of JavaScript integrations on a single site was 735.

The sensitive data that customers enter on the websites of these mobile operators is also potentially exposed through the forms employed to gather the data, as these connect to a large number of domains, revealing extensive data sharing, “25% more than the global Alexa 1000 average for websites,” Tala notes.

“When website owners fail to secure data as it is entered into their websites, they’re effectively leaving it hanging; the only reason it’s not being stolen is that criminals haven’t taken it. Yet,” the company points out.

The research also revealed that none of the analyzed websites had in place the necessary protections to prevent unintentional data exposure, and any piece of third-party code running on the website could be used to “modify, steal or leak information through client-side attacks enabled by JavaScript,” the report reads.

While the data sharing in most cases was done through whitelisted, legitimate applications, the website owner wasn’t always aware of the type of data that these applications would collect, or the extent of the data collection.

“Even whitelisted apps can be exploited to exfiltrate data, with significant implications for data privacy, and by extension, GDPR. Unfortunately, the analysis indicates that none of the EU telcos analyzed here has sufficient awareness of the risk,” Tala notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
