Popular Websites Failing To Protect Data Uploaded By Customers
Corrata has recently uncovered multiple cases of popular websites failing to encrypt data uploaded by customers.
Last year we reported that poor security configuration on a number of popular websites (including the German tabloid Bild, Spanish banking group Santander, and Irish telecommunications provider Eir) left visitors to those sites exposed to interception. The issues we uncovered related to the way in which Transport Layer Security (TLS) was implemented on these sites.
Today the vast majority of websites use encryption to ensure that sensitive data exchanged between users and the website remains confidential. This confidentiality depends on the internet protocol known as Transport Layer Security (TLS). HTTPS is ordinary HTTP carried over a TLS connection, and its use is traditionally signaled by the lock symbol at the left of the browser address bar. In the cases we reported, a server-side misconfiguration meant that visitors accessing the site from iPhones or iPads ended up negotiating out-of-date TLS versions or weak cipher suites, so that their communications with the site, though ostensibly secure, were in fact open to interception and manipulation. (Interestingly, Google recently announced that Chrome will stop showing the lock symbol.)
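The check a practitioner would want here is to see for themselves which TLS versions and cipher suites a server will still negotiate. The following is an added example, not Corrata's tooling or anything from the sites named above: a stand-alone client (Python standard library only) that pins each handshake to a single protocol version, lowers the local OpenSSL security level so it can offer legacy suites the way an old mobile TLS stack might, and turns the results into findings. The weak-suite markers and severity labels are assumptions chosen for the example; `summarize()` is a pure function so the classification can be checked without network access.

```python
"""Probe which TLS versions and cipher suites a server will negotiate.

Added example, not Corrata's tooling: pins each handshake to one protocol
version and records what the server accepts. Standard library only.
"""
import socket
import ssl

PROBE_VERSIONS = (
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
)
DEPRECATED_VERSIONS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996
# Substrings that mark a suite as weak in both OpenSSL and IANA naming (assumption for this example).
WEAK_SUITE_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "ADH", "AECDH", "MD5")


def is_weak_suite(name):
    """True for suites built on known-broken or unauthenticated primitives."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_SUITE_MARKERS)


def probe_version(host, version, port=443, timeout=5):
    """Attempt one handshake pinned to `version`; return (accepted, negotiated cipher name)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # We are testing what the server negotiates, not validating its certificate chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # offer legacy suites like an old client would
    except ssl.SSLError:
        pass  # OpenSSL builds without security levels keep their default list
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return False, None


def probe_server(host, port=443):
    """Map version name -> (accepted, cipher) for every version in PROBE_VERSIONS."""
    results = {}
    for name, version in PROBE_VERSIONS:
        try:
            results[name] = probe_version(host, version, port)
        except ValueError:
            # The local OpenSSL refuses to enable this protocol version at all.
            results[name] = (False, None)
    return results


def summarize(results):
    """Turn probe results into findings. Pure function, so it can be tested offline."""
    findings = []
    accepted = {v for v, (ok, _) in results.items() if ok}
    if not accepted:
        return ["no TLS version could be negotiated"]
    for version in sorted(accepted & DEPRECATED_VERSIONS):
        findings.append(f"HIGH: server still accepts {version}")
    for version, (ok, cipher) in results.items():
        if ok and cipher and is_weak_suite(cipher):
            findings.append(f"HIGH: {version} negotiated weak suite {cipher}")
    if "TLSv1.3" not in accepted:
        findings.append("LOW: TLS 1.3 not offered")
    return findings or ["OK: only TLS 1.2/1.3 with non-weak suites negotiated"]


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for line in summarize(probe_server(target)):
        print(line)
```

Run it as `python probe_tls.py www.example.com` against a host you are authorised to test. Note that the probe reports what your local OpenSSL can negotiate; a build that refuses to enable TLS 1.0 will show that version as not accepted even if the server still supports it, which is why an old device, not a modern workstation, is the ground truth for the iPhone and iPad case described above.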
Poor Encryption & Practices
You could, of course, argue that in our previously documented cases the data had at least been encrypted, albeit poorly. More recently, we have uncovered cases of users being asked to submit data to websites without any encryption at all. One such case, involving telecommunications provider Eir, is described in detail in this incident report. (Following our disclosure of the vulnerability, Eir promptly resolved the issues.) The link to the offending page originated in an account-related email. Not only did the link point to an unencrypted page, but the site failed to redirect the user to an encrypted version, so anyone on the network path could have intercepted the request and served an impersonation of the Eir site. In addition, the page prompted the user to enter an email address. If that email address belonged to a valid Eir account, the response returned details of the account in plaintext, readable by the same on-path observer and, as a side effect, confirming which addresses belong to Eir customers.
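The pattern above (a link lands on a plain-HTTP page, no redirect to HTTPS, and a form on it collects personal data) can be checked mechanically from a single fetched response. The following is an added example written for this page, not Corrata's product or any code from Eir: given the URL a page was fetched from, the response status and headers, and the HTML body, it reports whether the page is served over HTTP without an HTTPS redirect, whether an HTTPS page omits HSTS, and whether any form would submit sensitive fields over plain HTTP. The sample pages, host names, sensitive-field heuristics and severity labels are constructed for the example; the insecure sample reproduces the shape of the case described, not the real page.

```python
"""Audit a fetched page for forms that would submit user data without TLS.

Added example, not Corrata's product code. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input types and name fragments treated as personal data (assumption for this example).
SENSITIVE_TYPES = {"password", "email", "tel"}
SENSITIVE_NAME_HINTS = ("email", "pass", "account", "phone", "card", "iban", "dob")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name", ""), a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_sensitive(name, input_type):
    if input_type in SENSITIVE_TYPES:
        return True
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def audit_page(page_url, status, headers, html):
    """Return a list of findings for one fetched page; an empty list means nothing to report."""
    findings = []
    scheme = urlsplit(page_url).scheme
    hdrs = {k.lower(): v for k, v in headers.items()}

    if scheme == "http":
        location = hdrs.get("location", "")
        if status in (301, 302, 307, 308) and location.startswith("https://"):
            # Only the redirect travelled over HTTP; the form lives on the HTTPS page.
            return [f"OK: {page_url} redirects to {location}"]
        findings.append(f"HIGH: {page_url} served over plain HTTP with no redirect to HTTPS")
    elif "strict-transport-security" not in hdrs:
        # Without HSTS, a later plain-HTTP request (e.g. a link in an e-mail) is not upgraded by the browser.
        findings.append(f"MEDIUM: {page_url} sets no Strict-Transport-Security header")

    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # an empty or relative action inherits the page's scheme
        if urlsplit(target).scheme == "https":
            continue
        sensitive = [name for name, t in form["fields"] if _is_sensitive(name, t)]
        method = form["method"].upper()
        if sensitive:
            findings.append(f"HIGH: form {method} {target} sends {', '.join(sensitive)} unencrypted")
        else:
            findings.append(f"MEDIUM: form {method} {target} submits over plain HTTP")
    return findings


# Constructed sample reproducing the shape of the case above: an HTTP page, no redirect,
# a form asking for an e-mail address. Not a capture of any real site.
INSECURE_URL = "http://www.example.net/account/lookup"
INSECURE_HEADERS = {"Content-Type": "text/html"}
INSECURE_HTML = """
<html><body>
<form action="/account/lookup" method="post">
  <input type="email" name="email">
  <input type="submit" value="Find my account">
</form>
</body></html>
"""

# Constructed hardened counterpart: same HTML served over HTTPS with HSTS. The relative
# action now resolves to https://, so the form posts over TLS.
SECURE_URL = "https://www.example.net/account/lookup"
SECURE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SECURE_HTML = INSECURE_HTML

if __name__ == "__main__":
    for url, hdrs, body in ((INSECURE_URL, INSECURE_HEADERS, INSECURE_HTML),
                            (SECURE_URL, SECURE_HEADERS, SECURE_HTML)):
        print(url)
        for line in audit_page(url, 200, hdrs, body) or ["  no findings"]:
            print(" ", line)
```

The check deliberately treats a relative form action as inheriting the page's scheme, because that is what the browser does: the fix for the pattern above is not to rewrite the form but to stop serving the page over HTTP at all (redirect to HTTPS and set HSTS so the browser never follows a plain-HTTP link to the site again).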
Eir are not alone: a number of other high-profile websites and applications display similar weaknesses.
As we encounter these poor encryption practices, we report the issues to the website or application owners in line with our responsible disclosure policy. This enables those responsible to rectify the problem and safeguard users.
The issues we have uncovered relate to the failure to use encryption on pages where customers are asked to upload personal information. This matters because, in today’s cloud computing era, we all place huge reliance on tls to ensure that our internet communications remain confidential. In fact, we have come to expect this and act accordingly. Google reports, for instance, that 97% of traffic in the US using the Chrome browser is encrypted.
So today, users would be excused for not double-checking a site to confirm that it is using tls on all data input pages.
Full Protection with Benefits
Corrata does not routinely scan websites looking for poor or absent encryption. The discovery of these incidents is a by-product of the security we provide to our customers. When our mobile security product is installed on a device, it continuously checks for vulnerabilities, disables malware, and blocks access to phishing sites and insecure communications. Over the last 18 months, we’ve introduced new features which check for poor encryption and identify attempts to upload data without encryption. Our customers can configure Corrata to prevent the transmission of sensitive information over such vulnerable channels, keeping personal and corporate data safe from interception.
It’s important to grasp that, when data is sent over the internet unencrypted, in plaintext, or poorly encrypted, it’s susceptible to being read and manipulated by anyone positioned on the network path, from the operator of a public Wi-Fi hotspot to a compromised router along the route. The era when the vast majority of sensitive organizational data traveled over networks under corporate control has long passed.
In today’s cloud-centric world, security professionals are acutely aware they must build security on the basis that much of their organizations’ information will routinely traverse networks which are fundamentally insecure. The rapid adoption of SaaS and the internet enablement of in-house applications means more and more data is exposed to the risks that these networks present. Given this reality, adopting technology that keeps your data safe regardless of the quality of protection offered by your service providers is critical.