Top 50 UK websites expose your browser to unknown scripts
How much risk are you facing just by visiting a website? Do you know what scripts are running and which other sites they're pulling data from?
Malware prevention company Menlo Security scanned the Alexa top 50 UK websites to find out what their users were being exposed to. The findings show that on average, when visiting a top 50 UK site, your browser will execute 19 scripts.
It found that eight percent of the top 50 sites executed more than 50 scripts and that the top UK website ran a startling 125 unique scripts when requested. 72 percent of the top 50 sites executed fewer than 20 scripts, and one of the top 50 used just a single script. Two of the top three sites on the list are news websites.
What's also interesting is the amount of data being downloaded. 62 percent of sites downloaded less than 1MB of code; however, one media site downloaded 4.9MB. Media sites hold the top two places for the amount of downloaded code, with social media sites making up the rest of the top five.
In addition, the scan looked at the back-end code of the sites and found that 15 of the top 50 sites were running vulnerable versions of web-server code. Microsoft IIS version 7.5 was the most prominent vulnerable version reported, with known vulnerabilities going back more than five years.
"There are many legitimate reasons why developers use scripts to enhance the user experience of a website today, but similarly attackers can use scripting capabilities for iframe redirects and malvertising links to compromise browsers", Jason Steer, Menlo Security solutions architect of EMEA says, writing on the company's blog. "The main takeaways show that going to any popular website is now associated with some risk, as we see play out in numerous media stories every week. Knowing that visiting a top 10 site means that I'm allowing my browser to execute more than 25 scripts according to our data (that’s 25 scripts that may or may not be well written and/or secure), is a concern. What's more is that going to a top 25 UK website exposes my browser to more than 100 scripts without any knowledge of how good or bad they may be, and from over 50 unique websites in the background".
Tests were carried out against the Alexa Top 50 UK sites on October 15th using a 64-bit version of Chrome.