The personally identifiable information (PII) of millions of online shoppers could be at risk as a result of significant security gaps in e-commerce web applications, according to new research by CyCognito.
The study has been published ahead of Black Friday and Cyber Monday 2023, when millions of consumers will be flocking to e-commerce websites in search of shopping deals. Most of these sites store PII such as addresses and credit card details in the course of a purchase.
The researchers have warned that a large proportion of these websites lack basic security protocols and contain exploitable vulnerabilities.
Analyzing its global customer base in September 2023, CyCognito found that more than a quarter (28%) of e-commerce web apps lack a web application firewall (WAF), including 24% of apps that collect PII.
In addition, 2% of these apps still lack HTTPS, the protocol that encrypts traffic between a shopper's browser and the site. With over 26 million e-commerce stores worldwide, if that proportion holds across the board, the figure could correspond to around 520,000 sites.
In total, 58% of all e-commerce web apps collect user PII, the study said.
The researchers also revealed that 78% of e-commerce web apps fail to ask users to consent to cookies, which could lead to them falling foul of data privacy regulations like GDPR.
Exploitable Vulnerabilities in E-Commerce Sites
Nearly half (48%) of the web apps monitored had one or more cryptographic vulnerabilities, while around a third (31%) had at least one easily exploitable issue.
The researchers also found that 2% of the apps had at least one critical security issue, with half of these apps holding PII. Of these critical issues, 76% are easily exploitable.
Additionally, 7% of e-commerce web apps had at least one security issue contained in the OWASP Top Ten list.
Certificate validity issues were found in 13% of monitored apps. When a certificate is invalid, browsers can no longer verify the server's identity and will warn users away from the site.
The researchers wrote: “Cyber Monday is filled with urgency – the urgency of getting a good deal, on the shoppers’ side, and the urgency of capitalizing on the biggest ecommerce days of the year for retailers.
“Cybercriminals take advantage of this urgency to exploit misconfigurations and vulnerabilities, which can cause massive reputational damage to inattentive organizations in the process.”
How Retailers Can Improve their Online Security
CyCognito provided the following advice to help retailers enhance the security of their e-commerce apps:
- Check for ‘low-hanging fruit,’ such as missing WAFs or expired certificates, which can be indicators for more serious security issues
- Prioritize continuous testing to give your security team time to identify and remediate serious vulnerabilities that could result in stolen PII
- Check you are complying with relevant cybersecurity and data privacy legislation, such as PCI DSS and GDPR
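The first item on that list, checking for expired or mismatched certificates and for hosts that do not speak HTTPS at all, is straightforward to automate. The script below is an added example, not CyCognito's tooling or part of the original article. It works on the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns, so the offline demo uses constructed certificate records for made-up `.test` hostnames; the `check_live_host` function shows how the same check is applied to a real host when network access is available.

```python
"""Flag the certificate "low-hanging fruit" described in the report:
expired, not yet valid, about to expire, or issued for the wrong host.

Added example, not CyCognito's code. The sample certificate records below
are constructed for the demo and name no real site.
"""
from __future__ import annotations

import socket
import ssl
import time
from typing import Optional

# Fixed "current time" for the offline demo (the report's date, roughly).
DEMO_NOW = ssl.cert_time_to_seconds("Nov 20 00:00:00 2023 GMT")

# Constructed sample certificates in the shape returned by getpeercert().
GOOD_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "notBefore": "Jan 15 00:00:00 2023 GMT",
    "notAfter": "Dec 31 23:59:59 2023 GMT",
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "*.cdn.example.test")),
}
EXPIRED_CERT = dict(GOOD_CERT, notAfter="Nov 01 00:00:00 2023 GMT")
EXPIRING_CERT = dict(GOOD_CERT, notAfter="Dec 10 00:00:00 2023 GMT")


def _host_matches(pattern: str, hostname: str) -> bool:
    """Match a DNS SAN entry against a hostname: exact, or one left-most wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        # "*.cdn.example.test" covers "img.cdn.example.test" but not "a.b.cdn.example.test"
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def check_certificate(cert: dict, hostname: str, now: Optional[float] = None,
                      warn_days: int = 30) -> list[str]:
    """Return the problems found with a getpeercert() dict; an empty list means it looks fine."""
    now = time.time() if now is None else now
    problems: list[str] = []

    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    elif not_after - now < warn_days * 86400:
        problems.append(f"expires in {int((not_after - now) // 86400)} days")

    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_host_matches(san, hostname) for san in sans):
        problems.append(f"hostname {hostname} not in SAN {sans}")
    return problems


def check_live_host(hostname: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Network check (not used by the offline demo): report HTTPS and certificate problems.

    The default context verifies the chain and hostname during the handshake, so an
    expired or mismatched certificate surfaces as SSLCertVerificationError. Note that
    getpeercert() returns an empty dict when verification is disabled, which is why
    the check is not done with CERT_NONE.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                # Chain already verified; still flag certificates close to expiry.
                return check_certificate(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate rejected: {exc.verify_message}"]
    except (OSError, ssl.SSLError) as exc:
        return [f"no usable HTTPS on port {port}: {exc}"]


if __name__ == "__main__":
    for label, cert, host in [("good", GOOD_CERT, "shop.example.test"),
                              ("wildcard", GOOD_CERT, "img.cdn.example.test"),
                              ("wrong host", GOOD_CERT, "api.example.test"),
                              ("expired", EXPIRED_CERT, "shop.example.test"),
                              ("expiring", EXPIRING_CERT, "shop.example.test")]:
        print(f"{label:10s} {check_certificate(cert, host, now=DEMO_NOW) or 'OK'}")
```

Run across a retailer's external hostnames, `check_live_host` gives a quick inventory of sites that are missing HTTPS or serving a certificate that browsers will reject, which is the kind of indicator the report suggests looking for first.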