Half of popular websites vulnerable: study

Luke Costin
(Australian Associated Press)


Australian-led research has found half of the world’s most popular websites are vulnerable to malicious activity, exposing fundamental flaws in the web.

The analysis of the world’s top 200,000 websites by academics from the CSIRO, the US and UK showed half of all websites allow ad providers and the like to load content from third parties without the website’s explicit permission.

Professor Dali Kaafar compared the threat to Australia’s strawberry needle contamination crisis in late 2018, when it was difficult to identify which party had contaminated the strawberries and at what level in the food supply chain.

“In the same way, we have a web content supply chain and it’s extremely difficult to find a way to enable explicit trust all the way down the chain,” Prof Kaafar, privacy lead researcher from the CSIRO’s data research arm Data61, told AAP.

The chains of third parties loading on a website – ad services, Google Analytics, JavaScript libraries and the like – can run to 30 parties in some cases.

Only 1.2 per cent of the third parties were rated as potentially malicious by the researchers, but those few were loaded by 73 per cent of the websites analysed.

Prof Kaafar said this implicit trust chain can ultimately end up with people downloading content from places 29 levels down the chain “you’ve never heard of and obviously never seen”.

“That chain is constituting a huge security threat because of this implicit trust.”
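The study's point is that a handful of flagged third parties, loaded by other third parties, can reach most sites through chains nobody at the site explicitly approved. The added example below (not code from the study or AAP) makes that measurable: given constructed records of which host loaded which on each site, it computes the chain depth at which each host sits, the share of third parties that are flagged, and the share of sites whose chain reaches a flagged host. All hostnames are placeholders.

```python
from collections import deque

# Constructed sample: for each site, (loader, loaded) edges observed while the
# page loaded. Hostnames are placeholders, not data from the study.
SAMPLE_LOADS = {
    "news.example": [("news.example", "ads.example-a"),
                     ("ads.example-a", "tracker.example-b"),
                     ("tracker.example-b", "cdn.example-c")],
    "shop.example": [("shop.example", "analytics.example-d"),
                     ("analytics.example-d", "cdn.example-c")],
    "blog.example": [("blog.example", "fonts.example-e")],
    "bank.example": [],
}
FLAGGED = {"cdn.example-c"}  # constructed: hosts an analyst has rated as risky

def chain_depths(site, edges):
    """BFS from the site over loader->loaded edges; returns {host: depth}.
    Depth 0 is the site itself, depth 1 a directly included third party, and
    so on down the implicit trust chain."""
    adj = {}
    for loader, loaded in edges:
        adj.setdefault(loader, []).append(loaded)
    depth = {site: 0}
    queue = deque([site])
    while queue:
        cur = queue.popleft()
        for nxt in adj.get(cur, []):
            if nxt not in depth:  # a host may be pulled in via several paths
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    return depth

def audit(loads, flagged):
    """Summarise exposure across all sites, in the spirit of the study's
    '1.2 per cent of parties, 73 per cent of sites' comparison."""
    all_third, sites_reaching, max_depth = set(), 0, 0
    for site, edges in loads.items():
        depths = chain_depths(site, edges)
        third = {h for h in depths if h != site}
        all_third |= third
        max_depth = max(max_depth, max(depths.values(), default=0))
        if third & flagged:
            sites_reaching += 1
    return {
        "flagged_share_of_third_parties": len(all_third & flagged) / len(all_third),
        "site_share_reaching_flagged": sites_reaching / len(loads),
        "max_depth": max_depth,
    }
```

Feeding it real load records (for example from a browser's network log) gives a site owner the same view the researchers describe: how deep the chain goes and which hosts arrive without explicit permission.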

Illustrating how big the problem can be, Prof Kaafar pointed to Google Analytics, which is built into millions of websites, unknowingly loading a distributor of adware and spyware for a few days in 2018.

“You can spread malicious activity quite heavily and rapidly if there is a big player sitting in the middle of the chain not realising there are issues going on,” he said.

“From a design perspective, there is a fundamental flaw in the way the security and privacy setting is addressed. We really don’t have visibility on how the content is being accessed and then how it is being loaded.”

Prof Kaafar advises users to stop blindly trusting websites and start using browser add-ons that stop scripts, block ads and force HTTPS – a secure version of the web’s underlying protocol – everywhere.

The Australian-led research will be presented to key players in the web’s future development at The Web Conference in San Francisco.
