Majority of web services and mobile APIs are unsecure

More than 60 percent of web services, or mobile app APIs have at least one high-risk vulnerability, which can potentially lead to a compromised database. Those are the results of a new and comprehensive report by High-Tech Bridge, summing up the trends in web security for the past six months.

The report also says that in case a website is vulnerable to cross-site scripting (XSS), it is also vulnerable to other critical flaws, in at least 35 percent of cases. Other vulnerabilities include SQL injection, XXE or improper access control.

When it comes to HTTPS encryption, 23 percent of websites still use deprecated SSLv3 protocols, mostly in the UK, US, Germany, France and Russia. A stunning 97 percent of sites are still using the unsecure TLS 1.0 protocol, restricted by PCI DSS from June 2018.

The report says that just 0.43 percent are vulnerable to Heartbleed, but almost a quarter (23 percent) are still vulnerable to POODLE.

"The easiest and fastest to hack, insecure web applications are becoming the major threat across the Internet", says Ilia Kolochenko, CEO and founder of High-Tech Bridge.

"Aggravated by weak web server configuration and unreliable SSL/TLS encryption, vulnerable web applications are actively exploited by cybercriminals to conduct APTs against multinationals and governments, as well as to extort ransom from individuals or SMBs".

Domains with .com and .org in the top level are the most common among fraudulent domains, while the US, Poland and Singapore remain the most popular countries for hosting such sites.

Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.

Photo credit: liuwenhua / Shutterstock