The dark side of online shopping: Vulnerabilities, exploits, threats, and risks

November 29, 2020

Online shopping is part of the new normal. With the pandemic catastrophe that we are facing, physical stores are moving their products online. Great deals and offers are widely marketed through various shopping websites. Black Friday, Cyber Monday, Cyber Week, Free Shipping Day, and Super Saturday are just some of the discount events companies run during this holiday season.

Holidays make companies more susceptible to cyber-attacks. “What are the dangers of shopping online? Is it safe to shop online? Can I get hacked while shopping?” These are just a few of the questions online shoppers ask. As we all know, hackers are everywhere, and the holiday season is the time of year when they ramp up their malicious activities the most.


Online shopping websites are at risk of cyber-attacks

Every domain needs website security to protect it from cyber-attacks, and maintaining it is a continuous and vital part of managing a website. Testing your website for common vulnerabilities and threats such as SQL injection, cross-site scripting (XSS), credential brute-force attacks, website malware infections, and DoS/DDoS attacks should be part of the never-ending process of assessing and reducing the overall risk to your domain.


Is your favorite shopping website safe from hackers?

According to research, 30% of the top online shopping websites are exposed to known SSL vulnerabilities. SSL stands for Secure Sockets Layer; it is used to secure card transactions and account logins by providing an encrypted connection between the browser and the server and for server-to-server communication. A total of 2,620 online shopping websites were tested using the Qualys SSL Server Test, a free online service that conducts an in-depth assessment of an SSL web server's configuration.





The test can detect whether a website's certificate is valid and trusted. It also inspects the server configuration in the categories protocol support, key exchange support, and cipher support.

The websites were also tested for common SSL vulnerabilities such as BEAST, POODLE, and DROWN, and unfortunately most of the shopping sites are NOT SAFE from these attacks. Seven hundred seventy-three (773) websites, or 30% of the 2,620 sites, were vulnerable to the BEAST attack. BEAST stands for Browser Exploit Against SSL/TLS; it allows a man-in-the-middle to recover data from an encrypted SSL/TLS 1.0 session. A total of 17 domains are vulnerable to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, which exploits weaknesses in the SSL 3.0 protocol to eavesdrop on an encrypted connection and steal confidential data such as passwords, credit and debit card information, and session cookies. And only two (2) domains are exposed to the DROWN (Decrypting RSA using Obsolete and Weakened Encryption) attack, which exploits weaknesses in SSLv2 and export cipher suites.
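The three findings above all come down to which legacy protocol versions and cipher suites a server still accepts, so a site operator can pre-screen their own configuration before running the Qualys test. The following is an added example, not code from the original post or from Qualys SSL Labs: it takes a server's accepted protocols and OpenSSL-style cipher-suite names as input (the `TlsConfig` structure, the sample configurations and the cipher-name heuristics are assumptions of this example), flags the conditions behind BEAST (TLS 1.0 with CBC suites), POODLE (SSLv3 enabled) and DROWN (SSLv2 or export-grade suites), and suggests the fix for each. An optional live probe using only the standard-library `ssl` module enumerates which TLS 1.0 to 1.3 versions a host you operate accepts; it cannot test SSLv2/SSLv3, which modern OpenSSL builds no longer speak.

```python
"""Pre-screen a TLS configuration for BEAST, POODLE and DROWN exposure.

Added example (not part of the original post or of Qualys SSL Labs).
Assumption: a server is described by the protocol versions it accepts and
the OpenSSL-style names of the cipher suites it offers.
"""
import socket
import ssl
from dataclasses import dataclass


@dataclass
class TlsConfig:
    protocols: set  # e.g. {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.2", "TLSv1.3"}
    ciphers: set    # OpenSSL names, e.g. {"AES128-SHA", "EXP-RC4-MD5"}


# What an operator should change for each finding.
REMEDIATION = {
    "DROWN": "disable SSLv2 everywhere the same RSA key is used",
    "EXPORT": "remove all EXP-* (export-grade) cipher suites",
    "POODLE": "disable SSLv3",
    "BEAST": "disable TLS 1.0 or stop offering CBC suites on it; prefer AEAD suites on TLS 1.2+",
}


def is_cbc(cipher: str) -> bool:
    """Heuristic: OpenSSL names CBC suites by block cipher alone (AES128-SHA,
    DES-CBC3-SHA); GCM/CCM/ChaCha20 are AEAD and RC4/NULL are stream or none."""
    c = cipher.upper()
    if any(tag in c for tag in ("GCM", "CCM", "CHACHA20", "POLY1305", "RC4", "NULL")):
        return False
    return any(block in c for block in ("AES", "DES", "CAMELLIA", "SEED", "IDEA"))


def assess(cfg: TlsConfig) -> dict:
    """Return {finding_name: [reasons]} for the legacy weaknesses discussed."""
    findings: dict = {}

    def note(name: str, reason: str) -> None:
        findings.setdefault(name, []).append(reason)

    if "SSLv2" in cfg.protocols:
        note("DROWN", "SSLv2 is accepted")
    export = sorted(c for c in cfg.ciphers if c.upper().startswith("EXP"))
    if export:
        note("EXPORT", "export-grade suites offered: " + ", ".join(export))
    if "SSLv3" in cfg.protocols:
        note("POODLE", "SSLv3 is accepted")
    cbc = sorted(c for c in cfg.ciphers if is_cbc(c))
    if "TLSv1.0" in cfg.protocols and cbc:
        note("BEAST", "TLS 1.0 accepted with CBC suites: " + ", ".join(cbc))
    return findings


def report(cfg: TlsConfig) -> list:
    """Human-readable lines: one per finding, with the remediation attached."""
    found = assess(cfg)
    if not found:
        return ["no legacy-protocol findings"]
    return [f"{name}: {'; '.join(reasons)} -> {REMEDIATION[name]}"
            for name, reasons in sorted(found.items())]


def probe_protocols(host: str, port: int = 443, timeout: float = 5.0) -> set:
    """Live check of a host you operate: which TLS 1.0..1.3 versions it accepts.
    Certificate verification is disabled because only protocol acceptance is
    being measured here."""
    versions = (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3))
    accepted = set()
    for name, ver in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the local OpenSSL offer old suites
        except ssl.SSLError:
            pass
        ctx.minimum_version = ver
        ctx.maximum_version = ver
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted.add(name)
        except (ssl.SSLError, OSError):
            pass  # handshake refused for this version
    return accepted


# Constructed sample configurations (not real sites).
LEGACY_SHOP = TlsConfig(
    protocols={"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.2"},
    ciphers={"EXP-RC4-MD5", "AES128-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"},
)
HARDENED_SHOP = TlsConfig(
    protocols={"TLSv1.2", "TLSv1.3"},
    ciphers={"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
             "TLS_AES_256_GCM_SHA384"},
)

if __name__ == "__main__":
    import sys
    for label, cfg in (("legacy", LEGACY_SHOP), ("hardened", HARDENED_SHOP)):
        print(f"[{label}]")
        for line in report(cfg):
            print("  " + line)
    if len(sys.argv) > 1:  # python this.py shop.example.com
        print("accepted by", sys.argv[1], ":", sorted(probe_protocols(sys.argv[1])))
```

Run without arguments to see the constructed legacy configuration flagged for all four findings and the hardened one come back clean; pass a hostname you administer to see which TLS versions it really accepts. The cipher classification is a name-based heuristic, so treat it as a first pass and keep the Qualys scan as the authoritative check.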

Overall, SSL alone is not enough to secure your website. Creating a website security framework is a security responsibility of the domain owner. Identify, Protect, Detect, Respond, and Recover are the functions around which the policies, procedures, and processes for managing that risk should be created.
