Are you an internet privacy fanatic? Do you block browser tracking cookies? Do you use DuckDuckGo for anonymous web searches? It doesn’t matter now.
Your internet service provider (ISP) or your browser extensions can collect and sell your web-browsing history even if you take the above precautions. And anyone who obtains that data, whether the data is anonymized or not, will likely be able to figure out your real name and see exactly what you do online.
Back in March, the well-publicised repeal of Obama’s broadband privacy regulations made headlines everywhere. Published under H.Res.230, it meant that ISPs in the United States no longer have to seek consent for collecting and marketing user information.
Interestingly, there was little focus on the middleman in all of this: the data broker. Data brokers can come in all shapes and sizes but generally buy and sell user data of all types, ranging from specific marketing opt-in data on a website to more mundane data that is already public (such as births, deaths, divorces, etc.).
Infosecurity carried out a study on the effectiveness of the blockers.
Of the top 100 data brokers, only 25% utilize some kind of encryption on the landing page. The figure improves to 50% on login pages, but this is still poor.
The encryption scores are mixed, with only 50% of those using encryption actually getting an ‘A’ score on SSL Labs. To make things worse, several data broker sites are vulnerable to ‘session fixation’. This means that the session cookie you are given on the landing page is identical to the one you’re issued after successfully logging in.
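The session fixation condition described above, as an added example that is not from the original article or the study: a minimal in-memory session store in Python with the weak login (cookie kept across login) beside the corrected one (fresh session ID issued on login), plus a check that tells them apart. `SessionStore`, `fixation_check` and the user name are hypothetical names constructed for illustration, and credential verification is assumed to happen elsewhere.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store, not any real site's code."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> {"user": name or None}

    def visit_landing(self, presented_sid=None):
        # Reuse a session the server already knows; never adopt an
        # unknown client-supplied identifier.
        if presented_sid in self.sessions:
            return presented_sid
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        # Assumption: the caller has already verified the credentials.
        if sid not in self.sessions:
            raise KeyError("unknown session")
        if self.rotate_on_login:
            # Hardened path: invalidate the anonymous session and issue
            # a new identifier for the authenticated one.
            del self.sessions[sid]
            sid = secrets.token_urlsafe(32)
        # Weak path (rotate_on_login=False): the landing-page identifier
        # is simply promoted to an authenticated session.
        self.sessions[sid] = {"user": user}
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_check(store, user="alice"):
    """True if the pre-login cookie still identifies the user after login."""
    pre = store.visit_landing()
    post = store.login(pre, user)
    return pre == post or store.whoami(pre) == user


if __name__ == "__main__":
    print("weak store fixable:    ", fixation_check(SessionStore(False)))
    print("hardened store fixable:", fixation_check(SessionStore(True)))
```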
On to other vulnerabilities. Although Infosecurity has only covered 20 data brokers so far, two SQL injections (SQLi) were discovered on two separate sites.
Ignoring that it might be possible to escalate these to remote code execution, they give access to a substantial number of records. Combined, these two brokers cover in excess of 20 billion separate records.
Client-side vulnerabilities are even more prevalent. Out of the first 20 sites, Infosecurity has found cross-site scripting (stored, reflected and DOM-based) in 10 out of 20 data brokers. One notable stored cross-site scripting flaw is exposed on a site that has over 10,000 daily visitors on the landing page. Worse still is the presence of some of these on the actual payment pages themselves.
So what does this all mean? Firstly, data broker protective measures are woeful, mainly consisting of security-as-a-service offerings and security seals, which are not effective countermeasures on their own but are best placed in a defense-in-depth stack. The fact that most sites don’t even implement transport layer security as standard shows how far they lag behind the security of mainstream sites today.
Secondly, it means we are now entering the age of the mega breach. In the way that breaches in the hundreds of millions of records are becoming the norm today, we will soon become accustomed to breaches containing billions of records a few years from now.
Lastly, this is an area crying out for regulation. Opening up access to larger and larger pools of consumer data should bring with it corresponding shifts in security obligations, which are sadly lacking today – at least in the United States. Until then, it’s watch and wait.