Top US credit unions have multiple web app security problems
One in ten web applications is running on old components that contain known vulnerabilities
Security researchers have discovered problems in the web applications deployed by the top ten credit unions in the US.
Researchers at Outpost24 analyzed the top US credit unions’ web application attack surface to evaluate their security. They found 1,224 publicly exposed web applications running over 107 domains, with 10% running on old components containing known vulnerabilities.
Outpost24 selected its US Credit Unions list based on a Segmint list of the Largest US Credit Unions by Assets. Researchers examined each union’s public-facing web security environments against the seven most common attack vectors hackers use during reconnaissance to ascertain a risk score between one and 100. The risk score comprised security mechanisms, page creation methods, degree of distribution, authentication, input vectors, active contents, and cookies.
The research found that the top three attack vectors against the US credit unions targeted active content technologies, followed by authentication and page creation methods.
“It’s no big surprise to see Active Content Technologies (ACT) as the biggest scorer. As soon as an application runs scripts, the attack surface could increase if a website has been developed using multiple active content technologies, some more vulnerable than others, to build and create their applications,” said Nicolas Renard and Stephane Konarkowski, security consultants at Outpost24.
Researchers said that, overall, the attack surface score for the top ten credit unions was 16.39 out of 58.24. However, research showed the worst offender from the top ten returned a disproportionately higher attack surface score of 34.08, outweighing everyone else on the list and showing a great disparity in the security posture between credit unions.
However, this score was significantly lower when compared to US retailers, which scored 48.3. According to the researchers, this is likely because of the highly regulated business model credit unions operate in that requires them to demonstrate a standard level of security hygiene to protect the company assets and customer data against cyber criminals.
Researchers also examined the components used to develop the web applications and found an average of 17 exposed instances of port 80 (HTTP) per credit union. They said an open port becomes dangerous when the service listening on it is misconfigured, unpatched, vulnerable to known exploits, or protected by weak network security rules.
Researchers said it is essential for security teams to identify open ports and close unused ones or install firewalls on hosts to monitor and filter port traffic to “prevent any security issues from creeping in.”