Web Trackers: Your Next JavaScript Security Nightmare

A “frightening, problematic and potentially illegal” problem.

When it comes to safety and health care, most patients expect, at the very least, doctor-patient confidentiality. Even when web trackers are embedded in the JavaScript of a healthcare website, you expect that confidentiality to hold. I mean, you shouldn’t have to worry about someone working at Facebook knowing your personal health information, like the details of a doctor’s appointment, right?

Well… that might not be the case, according to the findings of a recent study conducted by The Markup, a non-profit newsroom that studies “how powerful institutions are using technology to change our society.”

The study looked at Newsweek’s top 100 US hospitals. On a third of the websites, the researchers found a Facebook tracker, called Meta Pixel, sending highly personal health data to Facebook each time the user clicked the “book an appointment” button. Because the data is tied to the user’s IP address, both the IP address and the appointment information are transmitted to Facebook.

Web trackers placed in the wrong place can create a serious data breach scenario.

So Facebook knows the day and time when I go to the doctor. What’s the big deal?

Well, for starters, trackers like these send far more than the day and time. In this study, the researchers found that web trackers sent Facebook the following information, depending on how the tracker was structured on the webpage:

  • Doctor’s name
  • Search term used to find doctor’s name
  • Health conditions selected from drop-down menus (e.g. pregnancy or Alzheimer’s)

The researchers also found the Meta Pixel Facebook tracker installed in password-protected patient portals. Data collection from private patient portals included:

  • Patient medication names
  • Descriptions of allergic reactions
  • Details of upcoming doctor’s appointments

Additionally, Meta Pixel data packets include the user’s IP address, which may be used, in combination with other user data, to identify the individual or household. The Health Insurance Portability and Accountability Act (HIPAA) lists the IP address as one of several identifiers (along with such things as name and address) which, when linked to information about a person’s state of health, are considered protected health information (PHI).

Web trackers and security: These healthcare providers are likely violating HIPAA (with help from Facebook)

Big data and healthcare experts describe the prevalence of web trackers capturing sensitive patient information as a “frightening, problematic and potentially illegal” security issue. Researchers in this study consulted with health data security experts, former health regulators, and privacy advocates, all of whom believed the hospitals in question likely violated HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive health information (known as PHI) from disclosure without the consent or knowledge of the patient. In accordance with regulations, PHI can only be shared when the patient has given prior consent or under certain contracts. It appears that neither the hospitals nor Facebook (Meta) had such contracts in place, suggesting that the hospitals were publishing and that Facebook was capturing this information without patient consent.

A spokesperson for Facebook’s parent company, Meta, responded to researchers with a brief email saying that Meta’s systems are designed to filter out potentially sensitive health information that may be mistakenly submitted through the use of its business tools. However, a survey in 2021 found that the Meta filtering system “did not yet work with full accuracy”. A subsequent investigation by researchers at The Markup found that Meta’s health information filtering system did not, in fact, block information about health conditions and appointment types (e.g. pregnancy or Alzheimer’s).

Internal Facebook employees were more candid about the effectiveness of the company’s tools for filtering sensitive information. According to a leaked 2021 statement from a Facebook engineer, “We do not have an adequate level of control and accountability over how our systems use data, and therefore cannot confidently make policy changes or external commitments such as ‘we will not use X data for Y purposes.’”

What are web trackers?

Web trackers, like Meta Pixel, use code to record users’ online activity as they browse a website or as part of wider web browser activity. Tracking includes the buttons the user clicks, the information they enter into forms and the pages of the site they visit.

It is important to note that Meta Pixel is not the only web tracking tool. Apart from cookies, other types of web trackers include web beacons, browser fingerprinting, supercookies, embedded scripts and cross-site trackers. Many companies use trackers for targeted advertising and social media, including Twitter, Google, Facebook, Amazon, AppNexus and ComScore. While many trackers are used purely for advertising purposes, others are used to track user behavior and analytics.

Web Trackers: A JavaScript Security Nightmare

Since web trackers involve code embedded in the front end, or client side, of a website, there are significant implications for JavaScript security. Companies use web trackers to collect as much information as they legally can about their users. For the vast majority of companies, this information is nothing more than aggregated data in website analytics for advertising or search engine optimization (SEO) purposes. However, if trackers are embedded in the wrong place, near patient health or financial forms or near identification and login information, companies risk non-compliance with regulations and standards and very sensitive customer information falling into the wrong hands.

Web trackers pose compliance and data breach risks.

When it comes to web trackers and JavaScript security, should you be worried?

The long and short answers are both yes. First, misused web trackers could lead to significant regulatory violations including HIPAA, General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS) and others. Sanctions for compliance violations include fines and reputational damage.

Even more concerning, a recent study by several researchers from Radboud University and the University of Lausanne found that thousands of websites among the world’s top 100,000 were leaking information entered into site forms. This information included “personal IDs, email addresses, usernames, passwords, or even messages typed into forms, then deleted and never actually submitted.” While the trackers themselves were intended only to monitor end-user activity or determine anonymous user preferences, because the tracker code was embedded near areas that collected sensitive data, user activity and sensitive information were ultimately sent to third parties. This presents serious privacy and security concerns, as no one wants their username and password data disclosed to employees working at third-party advertisers.

How can companies improve web tracker security?

To improve the security associated with web trackers, organizations should apply JavaScript security best practices to the development and AppSec lifecycles. Key steps include using automated monitoring and inspection to avoid the time and hassle associated with manual code reviews. A purpose-built solution that automates the process can be a quick and easy way to identify unauthorized scripting activity. Additionally, an automated Content Security Policy (CSP) tool can help organizations better manage policies and vulnerabilities within policies on their web applications. Automated CSP tools identify all of your proprietary and third-party scripts, digital assets, and the data they can access. The tool then generates appropriate content security policies based on the analyzed data and predicted effectiveness.
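As an added example, not code from the Feroot post or from any product, here is a small JavaScript audit of the kind an automated CSP tool performs: it classifies every host a page loads resources from against an approved list, per CSP directive, and builds the matching policy header. The page origin, the allowlist and the resource entries are constructed; the two Meta Pixel URLs are the hosts its public install snippet loads from.

```javascript
const PAGE_ORIGIN = "https://hospital.example";

// Constructed sample shaped like PerformanceResourceTiming entries
// (name = requested URL, initiatorType = what triggered the request).
const SAMPLE_ENTRIES = [
  { name: "https://hospital.example/static/app.js", initiatorType: "script" },
  { name: "https://hospital.example/api/appointments", initiatorType: "fetch" },
  { name: "https://connect.facebook.net/en_US/fbevents.js", initiatorType: "script" },
  { name: "https://www.facebook.com/tr/?ev=PageView", initiatorType: "img" },
  { name: "https://cdn.analytics.example/collect.js", initiatorType: "script" },
];

// Constructed allowlist: third-party hosts the site owner approved, per CSP directive.
const APPROVED = {
  "script-src": ["cdn.analytics.example"],
  "connect-src": [],
  "img-src": [],
};

// Map a request's initiator to the CSP directive that governs it.
function directiveFor(initiatorType) {
  if (initiatorType === "script") return "script-src";
  if (["fetch", "xmlhttprequest", "beacon"].includes(initiatorType)) return "connect-src";
  if (initiatorType === "img") return "img-src";
  return "default-src";
}

// Every request to a host that is neither first-party nor approved for its directive.
function auditEntries(entries, pageOrigin, approved) {
  const self = new URL(pageOrigin).host;
  const violations = [];
  for (const e of entries) {
    const host = new URL(e.name).host;
    const directive = directiveFor(e.initiatorType);
    const allowed = host === self || (approved[directive] || []).includes(host);
    if (!allowed) violations.push({ host, directive, url: e.name });
  }
  return violations;
}

// CSP header value allowing only first-party plus approved hosts, reporting the rest.
function buildCsp(approved, reportUri) {
  const parts = Object.entries(approved).map(([directive, hosts]) =>
    [directive, "'self'", ...hosts.map((h) => "https://" + h)].join(" ")
  );
  return parts.concat("report-uri " + reportUri).join("; ");
}

console.log(auditEntries(SAMPLE_ENTRIES, PAGE_ORIGIN, APPROVED), buildCsp(APPROVED, "/csp-report"));
```

A pixel falls back to an image beacon when its script is blocked, so connect-src and img-src need restricting alongside script-src. In a real deployment the entries would come from a PerformanceObserver or from the browser's CSP violation reports rather than a constructed list.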


*** This is a Feroot Security Bloggers Network syndicated blog written by the Feroot Security Team. Read the original post at: https://www.feroot.com/blog/web-trackers-your-next-javascript-security-nightmare/
