New research indicates that many of the most popular online shopping sites carry a basic SSL/TLS configuration weakness that could leave them open to attack ahead of Black Friday and Cyber Monday, two of the largest e-commerce events of the year.
The investigation team at CyberNews analyzed the web servers of 2,620 popular online shopping domains for SSL configuration security, as well as their susceptibility to known vulnerabilities related to the SSL encryption protocol, and collected some concerning results.
“We were shocked to discover that 30% of the 2,620 e-commerce businesses we analyzed appear to have overlooked one of the most basic security precautions, which in turn made their web servers susceptible to the BEAST attack,” senior writer and researcher at CyberNews Edvardas Mikalauskas explained.
“This attack allows the bad guys to intercept the connection between an online shop and its customer and steal the user’s authentication credentials and payment details. Such an oversight is bad news for everyone involved except the criminals themselves. This is especially disheartening to see in a time of a global pandemic, when so many people have no choice but to go online for their shopping needs. To avoid putting their customers in danger, e-commerce businesses should take a more proactive approach to security by performing regular stress tests and checkups.”
Beware of the BEAST
The BEAST attack that Mikalauskas mentions exploits a weakness in the cipher-block-chaining (CBC) cipher suites of Transport Layer Security (TLS) 1.0, the successor to SSL (and of SSL 3.0 before it): the initialisation vector for each record is the last ciphertext block of the previous record, so anyone watching the traffic knows the IV before the next record is sent. An attacker positioned between the browser and the server who can also make the browser send chosen bytes over the same connection (for example from a script on a page the victim has open) can use that predictable IV to test guesses for encrypted data and recover secrets such as session cookies one byte at a time. The fix is on the server side: stop offering TLS 1.0 and SSL 3.0 and their CBC cipher suites, and prefer TLS 1.2 or later with AEAD ciphers. TLS 1.1 and later already use a fresh random IV for every record, which removes the predictability the attack depends on.
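To make the weakness concrete, the following is an added, self-contained model of the attack described above; it is not code from the CyberNews research or from this article. It builds a toy TLS 1.0 CBC record layer (chained IVs) and a TLS 1.1 one (random IV per record), a connection on which a victim's "request" appends a constructed sample cookie and an attacker can also send raw bytes, and an attacker that only sees ciphertext. The block cipher is a stand-in (HMAC-SHA256 truncated to one block) so no third-party crypto library is needed; the `Connection`, `Tls10Cbc`, `Tls11Cbc` and `beast_attack` names are this example's own.

```python
"""Toy model of BEAST: why TLS 1.0's chained CBC IVs let a man-in-the-middle who can also
inject chosen plaintext recover a secret (e.g. a session cookie) one byte at a time, and
why the per-record random IV introduced in TLS 1.1 stops the same attack.
Added example, not from the article. The block cipher below is a stand-in, not AES."""
import hashlib
import hmac
import os

BLOCK = 16
SECRET = b"sid=9f3a2c7e"  # constructed sample session cookie the attacker wants to recover


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES so the example needs no third-party library: HMAC-SHA256 truncated
    # to one block behaves as a keyed pseudorandom function, which is all the attack relies on.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    # Zero padding to a block boundary; TLS's real padding scheme is irrelevant to BEAST.
    return data + b"\x00" * (-len(data) % BLOCK)


class Tls10Cbc:
    """TLS 1.0 CBC record layer: the IV of each record is the last ciphertext block of the previous one."""

    def __init__(self, key: bytes):
        self.key = key
        self.chain = os.urandom(BLOCK)  # first IV is secret (derived from the key block), but only once

    def send(self, plaintext: bytes) -> bytes:
        data, out = pad(plaintext), []
        for i in range(0, len(data), BLOCK):
            self.chain = block_encrypt(self.key, xor(data[i:i + BLOCK], self.chain))
            out.append(self.chain)
        return b"".join(out)


class Tls11Cbc:
    """TLS 1.1+ CBC record layer: a fresh random IV per record, sent explicitly in front of it."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes) -> bytes:
        data, prev = pad(plaintext), os.urandom(BLOCK)
        out = [prev]
        for i in range(0, len(data), BLOCK):
            prev = block_encrypt(self.key, xor(data[i:i + BLOCK], prev))
            out.append(prev)
        return b"".join(out)


class Connection:
    """One TLS connection shared by the victim's web app and a script the attacker got into the browser."""
    PREFIX, SUFFIX = b"GET /", b" Cookie="

    def __init__(self, record_layer, secret: bytes):
        self.rl, self.secret = record_layer, secret

    def request(self, path: bytes) -> bytes:   # browser request; the cookie is appended automatically
        return self.rl.send(self.PREFIX + path + self.SUFFIX + self.secret)

    def send_raw(self, data: bytes) -> bytes:  # attacker-chosen bytes on the same connection
        return self.rl.send(data)


def beast_attack(conn: Connection, secret_len: int) -> bytes:
    """Attacker: sees every ciphertext (MITM) and can trigger request()/send_raw(); never sees the key."""
    recovered = b""
    known = len(conn.PREFIX) + len(conn.SUFFIX)
    for k in range(secret_len):
        # Choose the path length so the target byte is the LAST byte of its block (the 15 bytes
        # before it are already known) and that block is not the first one of the record.
        path_len = (BLOCK - 1 - (known + k)) % BLOCK + BLOCK
        path = b"a" * path_len
        ct = conn.request(path)
        last_seen = ct[-BLOCK:]  # in TLS 1.0 this becomes the IV of the next record
        plain_known = conn.PREFIX + path + conn.SUFFIX + recovered
        start = (known + path_len + k) // BLOCK * BLOCK
        known15 = plain_known[start:start + BLOCK - 1]
        c_prev, c_target = ct[start - BLOCK:start], ct[start:start + BLOCK]
        for g in range(256):
            guess = known15 + bytes([g])
            # Cancel the chaining: the probe encrypts as E(probe XOR last_seen) == E(guess XOR c_prev),
            # which equals c_target exactly when guess is the real plaintext block.
            probe = xor(xor(guess, c_prev), last_seen)
            ct_probe = conn.send_raw(probe)
            last_seen = ct_probe[-BLOCK:]
            if ct_probe[:BLOCK] == c_target:
                recovered += bytes([g])
                break
        else:
            break  # no guess matched: the IV was not predictable, so the attack stalls
    return recovered


def demo(record_layer_cls) -> bytes:
    conn = Connection(record_layer_cls(os.urandom(32)), SECRET)
    return beast_attack(conn, len(SECRET))


if __name__ == "__main__":
    print("TLS 1.0 chained IV:", demo(Tls10Cbc))  # recovers SECRET
    print("TLS 1.1 random IV :", demo(Tls11Cbc))  # recovers nothing
```

Against the chained-IV layer the attacker needs at most 256 probe records per secret byte and never touches the key; against the random-IV layer the very first byte already fails, which is exactly why retiring TLS 1.0 (or at least its CBC suites) is the server-side fix.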
There was some good news uncovered by the security researchers, however. Nearly all (99%) of the online shopping servers analysed had good SSL configurations, and just 0.6% and 0.008% remain susceptible to the POODLE (an SSL 3.0 padding-oracle attack) and DROWN (an SSLv2 cross-protocol attack) vulnerabilities respectively.
However, the BEAST findings show that avoidable risks remain in the e-commerce landscape, and that server TLS configuration is something many online shopping sites and their web hosting providers could still improve.