Your personal info can be stolen thanks to loads of vulnerable web apps

News
By Lewis Maddison
published

The amount of exploitable web apps is alarming

Person writing on computer.
(Image credit: Glenn Carstens-Peters / Unsplash)

A large amount of web-based apps are vulnerable to attack, putting users' Personal Identifiable Information (PII) at risk.

This is according to new report by CyCognito, who found that 74% of such apps contained PII that was vulnerable to known major exploits, such as those related to Apache Superset, Papercut, MOVEit. 11% included flaws that were easy to exploit, ranging from misconfiguration, the lack of HTTPS encryption, and no deployment of a cloud firewall (WAF).

The report also found that an enterprise usually has more than 12,000 web applications, and more than 3,000 of them have at least one flaw that can be exploited. 50% of these vulnerable apps are also hosted in the cloud. And in another twist, an alarming 98% are potentially not compliant with GDPR as users are unable to opt out of cookies. 

Widespread problem

CyCognito's report seems to support analysis conducted by SANS Institute and Akamai last year, which found that 2022 set a new record for cyberattacks on applications and APIs. 

CyCognito CEO Rob Gurzeev alluded to the now infamous MOVEit breach which continues to affect organizations, seeing it as a salutary lesson for CISOs on the importance of cloud security. 

read more

> MOVEit Transfer has a major security issue - here's what you need to know


> Personal and employee data is a goldmine for hackers


> Google wants to help remove your personal details from its search results

He said that as, "a company’s attack surface fluctuates up and down by as much as 10 percent a month," it makes it a "moving target rife with security gaps ready to be exploited."

“Our latest research is not only a wake-up call that no business is immune to risk; it’s also clear proof that unknown and undiscovered assets present a major threat to an organization,” he added.

Callie Guenther, cyber threat research senior manager at Critical Start, commented on the sheer scale of PII exposed to breaches: "If 74% of assets with PII are exposed to at least one known major exploit, and 10% have an easily exploitable issue, it paints a concerning picture of the current state of external exposure management."

And Darren Guccione, CEO of Keeper Security, explained the problem with PII falling into the hands of criminals, as it can be "used nefariously for fraud and sold to bad actors on the dark web," adding that, "the FTC received 761,660 imposter scam fraud reports in the US in 2022 alone – resulting in nearly $3 billion in losses."

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, including speakers and headphones, having spent over a decade exploring the murky depths of audio production and PC building. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.