Top US and EU online retail sites are open to attack

A web application security study has found that major US retailers have a larger attack surface, while large EU retailers run more "outdated" services.

The sites studied included those run by the likes of Tesco, IKEA and Walmart. Outpost24's 2020 Web Application Security for Retail & E-commerce report analysed the web applications of the top 20 retailers in the US and EU.


Using an average risk exposure score produced by Outpost24's attack surface discovery tool, Scout, the report found that web applications run by US retailers were "more at risk", with an aggregated average risk score of 35 against 31 for their EU counterparts.

On average, US retailers ran more publicly exposed web applications (3,357) than EU retailers (2,799). Yet, despite having a smaller attack surface, EU retailers had a higher percentage of applications built on old components with known vulnerabilities (27 per cent) than their American rivals (22 per cent).

"All retailers had security risks within their web environments that could expose them and their customer data to potential exploitation and compromise," said Outpost24.

The retailers were chosen from Deloitte's Global Powers of Retailing Report 2019, and their public-facing web environments were analysed against the seven most common attack vectors used by attackers.

These were security mechanisms, page creation methods, degree of distribution, authentication, input vectors, active content and cookies, each scored from 1 to 100.

Security mechanisms was the single biggest attack vector for EU and US retailers alike, with risk exposure scores of 90.5 and 99 respectively. Serving pages over plain HTTP, or failing to restrict access to the unencrypted parts of a site, pushes this score up.
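The kind of transport-level check that feeds a "security mechanisms" rating can be reproduced from two captured response heads, one for http://host/ and one for https://host/. The script below is an added example written for this article; it is not Outpost24's Scout, and which checks it runs (HTTP-to-HTTPS redirect, HSTS with a year-long max-age, Secure and HttpOnly on every cookie) and its equal-weight 0-100 score are its own assumptions. The response heads and the host name shop.example are constructed, not captured from any retailer.

```python
"""Added example, not Outpost24's Scout: rate the transport-level "security
mechanisms" of one host from two captured HTTP response heads.  Checks and
scoring are this example's own assumptions; sample heads are constructed."""
import re
from typing import Dict, List, Set, Tuple

ONE_YEAR = 365 * 24 * 3600


def parse_response_head(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """'HTTP/1.1 301 Moved\\r\\nName: value\\r\\n...\\r\\n\\r\\n' ->
    (status, [(name, value), ...]).  Names are lowercased and repeated
    headers are kept, so every Set-Cookie line survives."""
    lines = raw.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line:  # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for n, v in headers if n == name]


def hsts_max_age(value: str) -> int:
    """max-age from a Strict-Transport-Security value; 0 if absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return int(m.group(1)) if m else 0


def cookie_attrs(set_cookie: str) -> Set[str]:
    """Attribute names after the name=value pair, lowercased: {'path', 'secure', ...}."""
    return {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}


def assess_transport(http_head: str, https_head: str) -> Dict[str, bool]:
    """Findings for one host; True means the check passed."""
    status, h = parse_response_head(http_head)
    loc = values(h, "location")
    _, sh = parse_response_head(https_head)
    hsts = values(sh, "strict-transport-security")
    cookies = values(sh, "set-cookie")
    return {
        # plain HTTP must not serve content, only redirect to https://
        "http_redirects_to_https": status in (301, 302, 307, 308)
        and bool(loc) and loc[0].lower().startswith("https://"),
        # HSTS stops later visits from ever starting over plain HTTP
        "hsts_present": bool(hsts),
        "hsts_max_age_one_year": any(hsts_max_age(v) >= ONE_YEAR for v in hsts),
        # a session cookie without Secure travels over HTTP; without HttpOnly it is readable by script
        "cookies_secure": all("secure" in cookie_attrs(c) for c in cookies),
        "cookies_httponly": all("httponly" in cookie_attrs(c) for c in cookies),
    }


def risk_score(findings: Dict[str, bool]) -> int:
    """0-100: share of failed checks, on the report's per-vector scale (weighting assumed)."""
    failed = sum(1 for ok in findings.values() if not ok)
    return round(100 * failed / len(findings))


# Constructed sample heads for two hypothetical hosts.
WEAK_HTTP = ("HTTP/1.1 200 OK\r\n"
             "Content-Type: text/html\r\n"
             "Set-Cookie: session=abc123; Path=/\r\n\r\n")
WEAK_HTTPS = WEAK_HTTP  # same page, no HSTS, cookie without Secure/HttpOnly
STRONG_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
               "Location: https://shop.example/\r\n\r\n")
STRONG_HTTPS = ("HTTP/1.1 200 OK\r\n"
                "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
                "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n\r\n")

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("strong", (STRONG_HTTP, STRONG_HTTPS))):
        f = assess_transport(*pair)
        print(label, risk_score(f), [k for k, ok in f.items() if not ok])
```

Running it rates the weak host at 100 and the strong host at 0. To use it on a real host, capture the two response heads with any HTTP client that does not follow redirects; the parser deliberately keeps every Set-Cookie line, since a single non-Secure cookie is enough to fail that check.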

Active content, which looks at how web applications run scripts, was the second most dangerous vector, with both US and EU retailers scoring 88 or more.

Third highest was degree of distribution, with all retailers scoring above 77.9; the report attributes this to the large number of product pages on big e-commerce sites, which makes it hard to secure everything.

Nicolas Renard, security analyst at Outpost24, said: “Hackers are masters of reconnaissance and will go to great lengths to identify weak spots in their target. The rather high risk exposure score among the top retailers is a worrying trend, as bigger attack surfaces create more opportunities for bad actors to find holes in their security defences and execute potential exploits.”

The Scout tool also examined the components used to build the web applications and found that 90 per cent of EU retailers and 50 per cent of US retailers were running outdated jQuery versions, which could expose them to common cross-site scripting attacks.
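Fingerprinting a page's jQuery version is a passive check that needs only the HTML: the version usually appears in the script file name, in the CDN path, or in the banner comment of an inlined copy. The script below is an added example written for this article, not Outpost24's code; the sample HTML is constructed, and its list of fix versions comes from jQuery's published release notes for the named CVEs. Treating anything older than 3.5.0 as "outdated" is this example's own threshold, not the report's.

```python
"""Added example, not Outpost24's Scout: find the jQuery version(s) a page
loads and flag those older than the releases that fixed known issues.
The sample HTML is constructed for this example."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Release that fixed each issue, per jQuery's release notes.  The threshold
# for "outdated" is this example's assumption: older than the first entry.
FIXED_IN = [
    ((3, 5, 0), "CVE-2020-11022/CVE-2020-11023: XSS when untrusted HTML reaches .html()/jQuery.htmlPrefilter"),
    ((3, 4, 0), "CVE-2019-11358: prototype pollution via jQuery.extend"),
    ((3, 0, 0), "CVE-2015-9251: XSS via cross-domain $.ajax responses run as script"),
]

# <script ... src="...jquery..."> tags.
SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']*jquery[^"\']*)["\']', re.I)
# jquery-1.12.4.min.js / jquery-3.5.1.slim.min.js, or a CDN path /2.2.4/jquery.min.js.
# The digits must follow "jquery" directly, so plugin files such as jquery-ui-1.12.1 are not matched.
VER_RE = re.compile(
    r'jquery[-.]?(\d+\.\d+(?:\.\d+)?)(?:\.slim)?(?:\.min)?\.js|/(\d+\.\d+(?:\.\d+)?)/jquery', re.I)
# Banner comment at the top of a copy inlined into the page.
BANNER_RE = re.compile(r'/\*!\s*jQuery\s+v(\d+\.\d+(?:\.\d+)?)', re.I)


def parse_version(s: str) -> Version:
    """'3.5' -> (3, 5, 0) so that two- and three-part versions compare correctly."""
    parts = tuple(int(p) for p in s.split("."))
    return (parts + (0, 0, 0))[:3]


def find_jquery_versions(html: str) -> List[Version]:
    found = set()
    for src in SRC_RE.findall(html):
        m = VER_RE.search(src)
        if m:
            found.add(parse_version(m.group(1) or m.group(2)))
    for v in BANNER_RE.findall(html):
        found.add(parse_version(v))
    return sorted(found)


def known_issues(version: Version) -> List[str]:
    """Issues whose fix release is newer than the version found."""
    return [desc for fixed, desc in FIXED_IN if version < fixed]


def report(html: str) -> Dict[str, List[str]]:
    """version string -> list of issues it predates (empty list = current)."""
    return {".".join(map(str, v)): known_issues(v) for v in find_jquery_versions(html)}


# Constructed sample page: an old copy from code.jquery.com, a CDN copy with
# the version in the path, a jQuery UI plugin (ignored), and a current inlined copy.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<script src="/static/js/jquery-ui-1.12.1.min.js"></script>
<script>/*! jQuery v3.5.1 | (c) JS Foundation and other contributors | jquery.org/license */</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for version, issues in report(SAMPLE_HTML).items():
        print(version, "OK" if not issues else "; ".join(issues))
```

Pages often load several copies, as the sample does, and the oldest one is what matters: a 1.x copy next to a patched 3.5.1 still exposes whatever code uses it. A fingerprint from the file name is a hint, not proof, since sites rename or patch local copies; confirm in a browser console with `jQuery.fn.jquery` before reporting.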

Retailers were also found to be running their applications on a variety of outdated server software, leaving their shared hosting environments open to unauthorised access through exploitation of known vulnerabilities.
