Sensitive data pertaining to the customers of top mobile services providers in the European Union is at risk of compromise due to improperly secured websites, data security and privacy firm Tala reveals.
An analysis of the websites of 13 of the top mobile telecom companies in the EU has revealed that none of them has in place even the minimum necessary protections to be considered secure.
“With over 235 million customers between them, none of the mobile providers scored a passing grade for website security. Where a score of 80+ is considered reasonable and 50 is barely a passing grade, none of the mobile providers analyzed comes close,” Tala says in a new report.
Despite the lack of proper website protections, however, during online sign-up, the telcos collect a significant amount of sensitive data from their customers, including names, emails, addresses, dates of birth, passport numbers, payslips, and even banking details in some cases.
All of the gathered data, Tala claims, might be at risk of compromise through vulnerabilities and the use of third-party code: the average number of JavaScript integrations was found to be 162, while forms were found exposed to an average of 19 third parties.
All of the websites, the report reveals, use dangerous JavaScript functions that open the door to cross-site scripting (XSS), the most common type of website vulnerability. The highest number of JavaScript integrations on a single site was 735.
The sensitive data that customers enter on the websites of these mobile opertors is also potentially exposed through the forms employed to gather the data, as these connect to a large number of domains, revealing extensive data sharing, “25% more than the global Alexa 1000 average for websites,” Tala notes.
“When website owners fail to secure data as it is entered into their websites, they’re effectively leaving it hanging; the only reason it’s not being stolen is that criminals haven’t taken it. Yet,” the company points out.
The research also revealed that none of the analyzed websites had in place the necessary protections to prevent unintentional data exposure, and any piece of third-party code running on the website could be used to “modify, steal or leak information through client-side attacks enabled by JavaScript,” the report reads.
While the data sharing in most cases was done through whitelisted, legitimate applications, the website owner wasn’t always aware of the type of data that these applications would collect, or the extent of the data collection.
“Even whitelisted apps can be exploited to exfiltrate data, with significant implications for data privacy, and by extension, GDPR. Unfortunately, the analysis indicates that none of the EU telcos analyzed here has sufficient awareness of the risk,” Tala notes.
Related: Vulnerability That Allows Complete WordPress Site Takeover Exploited in the Wild
Related: Website Security Breach Exposes 1 Million DNA Profiles