Retail websites riddled with security holes, researchers warn

Retail websites are full of security vulnerabilities and urgent improvement is needed in the sector, according to researchers.

On average, retail sites exhibit 13 “serious” security vulnerabilities that are classed as either “critical” or “high-risk” by the Open Web Application Security Project (Owasp), according to WhiteHat Security.

The security firm’s researchers also found that about half of all retail websites exhibit at least one serious security flaw, but the average is 23 unique vulnerabilities.

“Retailers clearly have a big part to play in website security,” said Ryan O’Leary, vice-president, threat research at WhiteHat Security. “These organisations represent thousands of consumer-facing web applications and are responsible for holding both personal and financial information.

“Retailers are simply not able to resolve all of the serious vulnerabilities found in their web applications, and it takes them a long time to remediate even the most serious vulnerabilities – on average, 205 days to implement an appropriate fix.”

Retailers are prioritising and rectifying just under half of the website vulnerabilities that they are made aware of, the WhiteHat researchers found.

The existence of multiple serious vulnerabilities not only increases the total business risk that retail organisations assume, but also the risk that they pass to users of their vulnerable websites, said O’Leary. 

“By prioritising the critical and high-risk security flaws for remediation, retailers stand a good chance of reducing the number of days that serious vulnerabilities remain open to attack,” he said.

Researchers at security firm RiskIQ have also recently discovered a key-logging attack using shopping cart software vulnerabilities to compromise e-commerce sites and steal payment card information.

According to RiskIQ, the attack, dubbed Magecart, injects JavaScript code into the site, which allows attackers to capture payment card information.  

Retailers operating e-commerce sites should partner with integrators and contractors, said RiskIQ. These can be verified to provide assurances not only of minimum compliance requirements, but can also demonstrate transparency around the technologies they use and their processes for hardening e-commerce installations and maintaining sound security.

E-commerce site administrators must also ensure familiarity and conformance to recommended security controls and best practices, and that all operating system software and web stack software is kept up to date.

The security of retail websites has come under scrutiny after Dutch developer Willem de Groot found 5,925 online retailers unknowingly harbouring code designed to steal credit card details.

Poor web application security is the underlying cause. “In short, hackers gain access to a store’s source code using various unpatched software flaws,” De Groot said in a blog post.

“Once a store is under the control of a perpetrator, a (Javascript) wiretap is installed that funnels live payment data to an offshore collection server (mostly in Russia). This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark web for the going rate of $30 per card.”