It turns out that visiting any of the top 50 web domains in the UK exposes visitors to an immense amount of risk, thanks to the outsized number of scripts and volume of code that those sites employ.
Menlo Security researchers examined the inner workings of the top 50 UK sites, and found, on average, that a browser will execute 19 scripts for each.
The top UK website executed 125 unique scripts when requested. But even taking out this outlier, 8% of the top 50 sites executed more than 50 scripts, and 72% of the top 50 sites executed fewer than 20 scripts.
“Knowing that visiting a top 10 site means that I’m allowing my browser to execute more than 25 scripts according to our data (that’s 25 scripts that may or may not be well written and/or secure), is a concern,” researcher Jason Steer said in a blog. “What’s more is that going to a top 25 UK website exposes my browser to more than 100 scripts without any knowledge of how good or bad they may be, and from over 50 unique websites in the background.”
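As an added illustration of the kind of per-site script inventory the researchers describe, and not code from the original article or from Menlo Security, the following Python snippet counts the script elements in a page's markup and the distinct hosts they are loaded from, which is what the "unique websites in the background" figure above measures. The sample HTML and host names are constructed for the example. Because it reads static markup only, scripts that other scripts inject at runtime (which a real browser would also execute) are not counted, so it gives a lower bound on what the browser actually runs.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# MIME types (or the bare "module" value) that a browser executes as JavaScript.
# A <script> with any other type, e.g. application/ld+json, is a data block the
# browser never executes, so it is counted separately rather than as a script.
JS_TYPES = {"", "module", "text/javascript", "application/javascript",
            "text/ecmascript", "application/ecmascript"}


class ScriptInventory(HTMLParser):
    """Collect every <script> element present in a document's static markup."""

    def __init__(self):
        super().__init__()
        self.inline = 0        # executable scripts with no src attribute
        self.data_blocks = 0   # non-JS script types, never executed
        self.external = []     # src values of executable external scripts

    def handle_starttag(self, tag, attrs):
        if tag != "script":    # HTMLParser lower-cases tag names for us
            return
        attrs = dict(attrs)
        script_type = (attrs.get("type") or "").strip().lower()
        if script_type not in JS_TYPES:
            self.data_blocks += 1
        elif attrs.get("src"):
            self.external.append(attrs["src"])
        else:
            self.inline += 1


def script_host(src, page_host):
    """Host an external script is fetched from; relative URLs resolve to the page's own host."""
    netloc = urlparse(src.strip()).netloc   # handles absolute and //scheme-relative URLs
    return (netloc or page_host).lower()


def inventory(html, page_host):
    """Summarise the scripts a page asks the browser to execute and where they come from."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    page_host = page_host.lower()
    per_host = Counter(script_host(src, page_host) for src in parser.external)
    return {
        "inline": parser.inline,
        "external": len(parser.external),
        "data_blocks": parser.data_blocks,
        "executed": parser.inline + len(parser.external),
        "unique_hosts": len(per_host),
        "third_party_hosts": sorted(h for h in per_host if h != page_host),
        "scripts_per_host": dict(per_host),
    }


# Constructed sample page: a first-party site pulling scripts from two third-party hosts.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.net/tag.js" async></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="//ads.example-ads.com/loader.js"></script>
<script src="https://cdn.example-analytics.net/experiments.js"></script>
</head><body>
<script type="application/ld+json">{"@context": "https://schema.org"}</script>
<script src="https://www.example.co.uk/js/comments.js"></script>
</body></html>"""

if __name__ == "__main__":
    report = inventory(SAMPLE_HTML, "www.example.co.uk")
    print(f"{report['executed']} executable scripts "
          f"({report['inline']} inline, {report['external']} external) "
          f"from {report['unique_hosts']} hosts; third parties: {report['third_party_hosts']}")
```

Run against a saved copy of a page, the third-party host list is the piece worth reviewing: each entry is a domain whose code runs with the same privileges as the site's own, and whose compromise or misconfiguration the site owner does not control.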
Further, when looking at just how much “stuff” a browser downloads when visiting a top 50 UK website, the firm found that on average the visitor’s browser downloads 1.2MB of code. Media sites held the top two places for amount of downloaded code (No. 1 was a media site that delivered 4.9MB of code), and social media sites filled out the rest of the top five.
One site outside the top 50 took the cake: It downloaded 6.1MB of code.
Menlo researchers also examined the web-server software behind the top 50 UK websites to identify which versions each site was running. When Steer cross-referenced that information with the MITRE CVE database to look up known vulnerabilities for the versions reported, he found that 15 of the top 50 sites (30%) were running server versions with known vulnerabilities.
Microsoft IIS version 7.5 was the most prominent vulnerable version, reported with known vulnerabilities going back more than five years.
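The cross-reference described above can be reproduced for one's own estate: read the version banner each server reports and compare it against a list of versions with known vulnerabilities. The Python below is an added example, not code from the article or from Menlo Security. The HTTP response headers are constructed for the example, and the lookup table is a placeholder: IIS 7.5 is the version the article names, while the Apache and nginx entries are illustrative stand-ins rather than claims about those products; in practice the table would be populated from CVE/NVD data for the products in your inventory.

```python
import re

# Constructed placeholder standing in for the CVE-database cross-reference.
# Keys are lower-cased Server-header product names; values are version lines
# to flag. Only the IIS 7.5 entry comes from the article; the rest are examples.
KNOWN_VULNERABLE = {
    "microsoft-iis": {"7.5"},
    "apache": {"2.2"},      # placeholder line, not a statement about Apache
    "nginx": {"1.10"},      # placeholder line, not a statement about nginx
}

# Matches "Product/version (comment)" as sent in a Server header,
# e.g. "Apache/2.4.41 (Ubuntu)" -> ("Apache", "2.4.41"); "cloudflare" -> ("cloudflare", None).
SERVER_RE = re.compile(r"^([A-Za-z][\w.-]*)(?:/([\w.-]+))?")


def parse_server_header(raw_headers):
    """Return (product, version) from a raw HTTP response header block.

    product is lower-cased; either value is None when the header or the
    version is absent. Header names are matched case-insensitively.
    """
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            m = SERVER_RE.match(value.strip())
            if not m:                      # empty or unparseable banner
                return (value.strip().lower() or None, None)
            return (m.group(1).lower(), m.group(2))
    return (None, None)


def version_matches(version, flagged_line):
    """True when version is flagged_line or a point release under it: 7.5 and 7.5.1 match 7.5, 7.50 does not."""
    return version == flagged_line or version.startswith(flagged_line + ".")


def assess(raw_headers, table=KNOWN_VULNERABLE):
    """Classify one server's banner against the table of flagged versions."""
    product, version = parse_server_header(raw_headers)
    if product is None:
        status = "no_server_header"
    elif version is None:
        status = "no_version"          # e.g. a CDN or masked banner: nothing to compare
    elif any(version_matches(version, v) for v in table.get(product, ())):
        status = "vulnerable_version"
    else:
        status = "not_flagged"
    return {"product": product, "version": version, "status": status}


def summarize(responses, table=KNOWN_VULNERABLE):
    """Assess every site and return (per-site results, flagged count, flagged percentage)."""
    results = {site: assess(hdrs, table) for site, hdrs in responses.items()}
    flagged = sum(r["status"] == "vulnerable_version" for r in results.values())
    percent = round(100.0 * flagged / len(results)) if results else 0
    return results, flagged, percent


# Constructed response headers for five hypothetical sites.
SAMPLE_RESPONSES = {
    "site-a.example": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\nContent-Type: text/html\r\n",
    "site-b.example": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n",
    "site-c.example": "HTTP/1.1 200 OK\r\nServer: cloudflare\r\n",
    "site-d.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "site-e.example": "HTTP/1.1 200 OK\r\nserver: nginx/1.10.3\r\n",
}

if __name__ == "__main__":
    results, flagged, percent = summarize(SAMPLE_RESPONSES)
    for site, r in results.items():
        print(f"{site}: {r['product']} {r['version']} -> {r['status']}")
    print(f"{flagged} of {len(results)} sites ({percent}%) report a flagged version")
```

A version match is a lead, not a verdict: distribution vendors routinely backport security fixes without changing the advertised version, and many sites mask or strip the Server header entirely (the `no_version` and `no_server_header` outcomes above). Confirm a finding against the actual patch level before treating a site as vulnerable, and treat the "no version" cases as unknowns rather than as safe.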
“There are many legitimate reasons why developers use scripts to enhance the user experience of a website today, but similarly, attackers can use scripting capabilities for iframe redirects and malvertising links to compromise browsers,” said Steer. “The main takeaways show that going to any popular website is now associated with some risk, as we see play out in numerous media stories every week.”
It should be noted that the sites in question are quite varied. Number 17 on the list is a sinkholed malware domain, which indicates that a large number of infected computers in the UK still need to be cleaned up, Steer noted. News sites and social media dominated the top 20, with Google and Facebook taking the top five spots. Banking and retail were also well represented throughout the top 50; there were two adult-content sites, and a house/property search site came in at number 20.
Regardless, most users have no practical way to protect themselves. Security professionals have been using browser plugins like NoScript for years, but such plugins make the web-surfing experience worse. “For many non-technical users, it’s not really an option to deploy, meaning the vast majority of users cannot make an educated choice on script permissions,” Steer said.