Bad news if you’re one of the hundreds of millions of online banking users around the world. The chances are your bank’s website and web apps are horribly insecure.
Researchers at security firm Positive Technologies, which has a commercial stake in securing web apps, tested 33 websites and services using its proprietary application inspector, and found that banking and financial institutions were “the most vulnerable” to getting hacked.
Every financial site and web app the researchers tested contained a high-severity vulnerability, they said.
The researchers said in their report, published Monday, that they found XML external entity flaws and arbitrary file reading and modification flaws in about half of all the banking and financial sites they tested.
Read more: Phishing attacks: How hunting down fake websites is making life harder for hackers | If browsers are the new operating systems, why don’t they have the security to match? | Your website is under constant attack | It’s HTTPS or bust: How to secure your website | Guide: Online security 101: Tips for protecting your privacy from hackers and spies
In a worst case scenario, an attacker can remotely run code to compromise a vulnerable server — possibly leading to serious consequences for customers who expect their banks to keep their money safe.
The report also noted that 80 percent of tested sites are vulnerable to cross-site scripting (XSS) attacks, which lets an attacker run malicious code on a website or web application.
These flaws often aren’t considered high-severity and, though often easy to fix, are often treated with a lower priority. But they can be used to manipulate how sites look, tricking users into handing over sensitive information that gets silently forwarded to an attacker.
The banks and financiers at risk weren’t named, but the fact that there was a 100 percent rate of vulnerability for a sector that handles people’s money and finances doesn’t bode well for the entire financial industry.
And things don’t look that much better for other sites and web apps tested, including in the government sector.
The researchers said 85 percent of the web apps they tested had flaws that allowed attacks against users.
“A hacker can exploit these vulnerabilities to steal users’ cookies, implement phishing attacks, or infect user computers with malware,” the researchers wrote.
In the government space, cross-site scripting remained the leading point of attack, followed by HTTP response splitting. But in more than two-thirds of cases, hackers could exploit SQL injections that could reveal sensitive information from a database, and remotely run commands on a back-end server.
For some attackers, exfiltrating and stealing data or denying service to users is one thing. But more sophisticated hackers use weak entry-points to move laterally within a domain. If an attacker finds a local area network connection on a target server, they can move deeper into a network and compromise an entire company or government department’s infrastructure, the researchers said.
It’s how the massive data breach at Equifax is thought to have been carried out.
A takeaway is that preventative technologies, like web application firewalls, can be all good and well, but source code analysis should also be used in a web app’s development.
“Merely detecting vulnerabilities, of course, is not enough: developers have to make fixes to code and roll them out to production systems,” the report concluded. “Any delay in remediation means more opportunities for attackers.”