Your personal info can be stolen thanks to loads of vulnerable web apps

Person writing on computer.
(Image credit: Glenn Carstens-Peters / Unsplash)

A large amount of web-based apps are vulnerable to attack, putting users' Personal Identifiable Information (PII) at risk.

This is according to new report by CyCognito, who found that 74% of such apps contained PII that was vulnerable to known major exploits, such as those related to Apache Superset, Papercut, MOVEit. 11% included flaws that were easy to exploit, ranging from misconfiguration, the lack of HTTPS encryption, and no deployment of a cloud firewall (WAF).

The report also found that an enterprise usually has more than 12,000 web applications, and more than 3,000 of them have at least one flaw that can be exploited. 50% of these vulnerable apps are also hosted in the cloud. And in another twist, an alarming 98% are potentially not compliant with GDPR as users are unable to opt out of cookies. 

Widespread problem

CyCognito's report seems to support analysis conducted by SANS Institute and Akamai last year, which found that 2022 set a new record for cyberattacks on applications and APIs. 

CyCognito CEO Rob Gurzeev alluded to the now infamous MOVEit breach which continues to affect organizations, seeing it as a salutary lesson for CISOs on the importance of cloud security. 

He said that as, "a company’s attack surface fluctuates up and down by as much as 10 percent a month," it makes it a "moving target rife with security gaps ready to be exploited."

“Our latest research is not only a wake-up call that no business is immune to risk; it’s also clear proof that unknown and undiscovered assets present a major threat to an organization,” he added.

Callie Guenther, cyber threat research senior manager at Critical Start, commented on the sheer scale of PII exposed to breaches: "If 74% of assets with PII are exposed to at least one known major exploit, and 10% have an easily exploitable issue, it paints a concerning picture of the current state of external exposure management."

And Darren Guccione, CEO of Keeper Security, explained the problem with PII falling into the hands of criminals, as it can be "used nefariously for fraud and sold to bad actors on the dark web," adding that, "the FTC received 761,660 imposter scam fraud reports in the US in 2022 alone – resulting in nearly $3 billion in losses."

Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.