Feroot Security Finds 78% of Corporate Websites Expose Sensitive User Data to Data-Harvesting Pixels & Trackers

Feroot Security Inc., the leader in client-side security and privacy of web applications, announces the public release of the 2023 Feroot Client-Side Security Report – Beware of Pixels & Trackers, which focuses on the risks associated with data-mining companies’ use of pixels and trackers that load into browsers from websites.

The study found alarming data collection and transfer practices by companies like ByteDance’s TikTok, Meta’s Facebook and others, even when users have never signed up or granted explicit consent to their platforms.

Web pixels/trackers are like tiny versions of the giant spy balloon that the US Air Force shot out of the sky. These tiny “spy balloons” are embedded into websites people use on a daily basis for tasks like renewing a driver’s license, scheduling doctor visits, or paying bills online.

To better understand the scale of these security and privacy concerns, Feroot Security conducted an in-depth eight-week analysis between December 2022 and February 2023. The research focused on mission-critical webpages, such as those with login, account creation, registration, or credit card processing functions, where sensitive user data is most likely to be present (e.g., usernames, passwords, SSNs, credit card numbers, phone numbers, addresses, health records, etc.).

Utilizing its client-side web application security platform, Feroot Security analyzed 3,675 organizations across seven sectors, including airlines, e-commerce, financial services, healthcare, and US federal and state governments. The investigation encompassed 108,836 unique web pages, uncovering 227 unique pixels/trackers, including those from social media giants. The study also detected over 7 million unique outbound data transfers and discovered more than 1 million scripts and libraries as part of the client-side software supply chain.

Key findings of the research include:

• An average of 13.16 pixels/trackers were found per website, with Google, Microsoft, Meta (owner of Facebook), ByteDance (owner of TikTok), and Adobe being some of the top collectors of user data.
• 5.86% of websites had pixels/trackers on mission-critical webpages, increasing the likelihood of privacy risks.
• Approximately 5% of the data transferred by pixels/trackers from US-based websites is sent outside of the US.
• The majority of pixels/trackers collect and transfer user data without explicit consent from the visitors.
• TikTok Analytics (a ByteDance tracker) was on 7.41% of the analyzed websites.

The research also discovered that ByteDance (owner of TikTok) and Meta (owner of Facebook) are among the top companies whose pixels/trackers collect and transfer user data, even from mission-critical webpages. In addition, Feroot’s research found that pixels/trackers load from domains that have already been banned by Executive Orders issued by the US Federal Government and various US States, thus exposing organizations to risks including spying by foreign nations, privacy compliance violations and data loss.

This report provides insights for compliance, privacy, legal, AppSec, and cybersecurity teams to be equipped with the necessary knowledge to identify and assess the impact and likelihood of risks that may be introduced by pixels/trackers. Additionally, the report helps prevent data leakage, theft/misuse, business loss, penalties, fines, litigation, and recovery costs resulting from client-side security issues caused by pixels/trackers.
