Rui Ribeiro is the CEO and cofounder of Jscrambler, a leading company in client-side web security.
The pace of technological innovation is unrelenting, and companies are adopting innovations faster than ever, often to their detriment. In their eagerness to stay ahead, grow customer loyalty and drive revenues, many overlook the potential security risks inherent in these advancements, ultimately exposing themselves to cyber threats that can compromise sensitive data, disrupt operations, leak revenue and damage their reputation.
There are countless examples of this, and at the heart of many is a scripting language most of us are quite familiar with: JavaScript. When most people think of JavaScript, what comes to mind is the World Wide Web. Created by Netscape’s Brendan Eich in 1995, JavaScript moved the web beyond the static pages that were commonplace in the early days of the Internet toward the dynamic and interactive sites we know today.
The Promises And Perils Of JavaScript
Thirty years later, JavaScript allows digital businesses to tap into thousands of third-party digital solutions and introduce new client-side innovations that were previously attainable only by large companies with bigger budgets. These include chatbots, payment solutions, social media apps and more. This democratization of online innovation has exploded—today, nearly 100 percent of websites use JavaScript as their go-to client-side coding language.
But this innovation comes at a price. Adding these capabilities requires businesses to include third-party scripts on their websites, and in doing so they grant those scripts unmonitored and uncontrolled access to forms and data anywhere on the page. Because client-side code can be easily viewed and manipulated, this creates vulnerabilities that sophisticated malicious actors can exploit to access sensitive information (PII, payment card data, etc.) and valuable company content.
Here’s a look at some of these capabilities, their benefits and the often unforeseen vulnerabilities they can expose.
AI-Driven Chatbots
Today’s chatbots bear little resemblance to earlier incarnations that leveraged scripted, preexisting data to provide assistance. Thanks to AI, chatbots now interpret human language and deliver personalized conversational experiences that help, inform and engage users across various platforms. This AI element is critical, and that is why investments are growing. According to Spherical Insights & Consulting, the chatbot market could reach $42.83 billion by 2033, up from $5.39 billion in 2023.
But here’s the catch. Since these chatbots are AI-driven, they consume vast amounts of data collected from websites in order to work well and provide meaningful answers. This could include data collected from client-side interactions, such as when end users pay or type in personally identifiable information. But who is making sure these tools aren’t accessing information that customers thought was private, secure and protected?
And that data is not only being accessed; it is also being consumed, used and processed without the end user’s explicit permission. Further complicating matters, these chatbots use third-party tags, which allow them to collect proprietary and sensitive data from other sources such as analytics (e.g., Google Analytics), payment info (e.g., PayPal), multimedia (e.g., video players) and social media services (e.g., Facebook). This is then fed into their AI engines, creating an even greater chance of costly data leaks. While this paints a very bleak picture, all hope is not lost. The key is setting clear boundaries that no third party or human can cross.
Payment Tags
The PCI Security Standards Council’s newest PCI DSS v4 requirements for payment pages were introduced to help merchants protect against and detect e-skimming attacks, which typically target e-commerce websites and aim to steal customers’ credit or debit card details. Such attacks inject unauthorized JavaScript code to harvest sensitive information, such as payment card data, from website forms. The unauthorized scripts are sophisticated, mimicking legitimate functionality and skillfully evading detection, and the impact can be significant.
For companies using or considering integrating third-party payment tags, following the steps outlined in v4 can mitigate these attacks.
Social Media Tags
Similar to payment tags, many online businesses use third-party JavaScript to add social media functionality to their websites to improve the customer experience. For example, merchants can add social sharing buttons or embed social feeds from Facebook, YouTube, Twitter, Pinterest and Instagram that let customers share reviews, build user-generated content galleries and more.
This can strengthen consumer engagement, drive sales and raise brand visibility. But again, it comes at a cost because it places businesses in a precarious position with respect to data confidentiality—social media tags could pull confidential information off the website, putting a customer at risk while the business remains entirely in the dark.
One high-profile example occurred in 2022. That’s when The Markup, a nonprofit newsroom that investigates how institutions use technology to change society, discovered a tracking tool installed on the websites of 33 of the top 100 hospitals in the US. According to its report, the Meta Pixel tool collected patients’ sensitive health information whenever a person clicked a button to schedule a doctor’s appointment. This information was then sent to Facebook.
The Good News
Today, the average website has 60+ third-party scripts from various vendors. While each can unintentionally introduce vulnerabilities and put customers and businesses at risk, there are ways to mitigate these risks while still delivering a new level of digital experience to customers.
This begins with a shift towards client-side solutions that give businesses control over the behavior of all third-party tags’ JavaScript. This control must be all-encompassing, spanning the entire company and including control over the data accessed and transferred by third-party tags. These solutions must rapidly cover all website pages, identify and control all third-party tags, and be applied in a fine-grained manner that allows business processes to continue without impacting the site’s performance.
As with any innovation, excitement about the potential benefits can draw attention away from the risks lurking in the shadows. For some, these realities won’t be recognized until it’s too late. In the case of JavaScript, businesses should begin this journey with a strong understanding of client-side defense, which gives them the freedom to embark on these new innovative journeys without exposing themselves to these new perils.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.