Almost half of the programs that have replaced iOS apps are vulnerable to leaks of their users' data, information security specialists told Izvestia. Data in these programs can often be accessed without authorization, and they are extremely poorly protected against hackers, market participants say. Businesses need to fix the situation quickly, or they face fines running into millions: at the end of May, penalties for leaking personal data in the Russian Federation will be tightened, lawyers point out.

What are the dangers of web applications for users?

Almost half (46%) of Russian web applications contain critical vulnerabilities that can lead to data leakage. This follows from materials of the Solar company (part of Rostelecom) that Izvestia has reviewed. These gaps are dangerous not only for private users but also for corporate users when the web application provides access to the company's information systems, such as mail. More than half of the Russian companies' web applications analyzed were rated as having a low or medium level of security, the company added.

Photo (keyboard): Global Look Press/Jens Büttner

Web applications are computer programs that run directly in the browser. Unlike mobile services, they do not need to be downloaded to users' devices, and there is also no need to install special applications. They can be used to make payments, subscribe and cancel subscriptions, order goods, work with documents, and much more. Classic examples are online banking, online shopping, and cloud services for working with files and documents.

For example, the main vulnerability in financial web applications, which hackers are always interested in, is a lack of access control, a problem found in 78% of cases, Solar told Izvestia. In this situation, unauthorized third parties and intruders may obtain information.

— The lack of control over employees' access rights can lead to an internal or external violator gaining illegal access to a wide range of information. Let's say a bank employee receives information about the movement of all customers' accounts and can use such data for malicious purposes," the company noted.

Photo (programmer at work): IZVESTIA/Sergey Konkov

Among the problems of web applications, they also cited insufficient encryption and insecure processing or storage of confidential information such as credit card numbers, passwords, or customers' personal data.

A web application is an easy way for a business to connect with a client: you don't need to spend hundreds of thousands of dollars on developing a mobile service, placing it in an app store and promoting it, said Igor Bederov, director of the T.Hunter Investigations Department. At the same time, web applications, unlike downloaded mobile applications, do not transfer user data to developers: they do not connect to microphones, GPS, etc., the expert noted. Now they are used by banks and social networks, as well as by very small market participants, for whom spending on mobile programs is not always justified, the expert added.

The most common problem with web applications is their unavailability: the user simply cannot access a website or a specific page, or cannot perform some operation, says Rustem Khayretdinov, Deputy General Director of the Garda Group of companies. This happens regularly as a result of attacks on websites and can be caused either by the success of the attack or by strict protection scenarios being enabled. For instance, when such options are enabled, access to the site from abroad is often disabled, and the user may, for example, be on vacation, he noted.

Photo (website): IZVESTIA/Dmitry Korotaev

Successful attacks on companies' web applications can lead to malware infection on devices, for example, for remote access, says Anna Golushko, senior analyst at the Positive Technologies research group. In addition, hacked web applications can redirect users to various phishing sites. As a result, consumers face a number of serious consequences, such as leakage of confidential information, loss of funds, inclusion of the device in a botnet network, and others, the expert warned.

How much does a data leak cost?

In the first place among the vulnerabilities of high-risk web applications is the threat of unauthorized access to the user's personal account, and in the second place is the fraudster's access to functions and content, Leonid Konik, managing partner of Comnews Research, told Izvestia.

— At least half of web applications periodically leak personal data, and user IDs end up in the hands of intruders even more often. But downloaded mobile services are also dangerous," the expert points out.

Photo (passport and mouse): IZVESTIA/Pavel Bednyakov

The reason for their particular vulnerability is that they request access to various data — to the list of contacts, to photos and videos on the device, to the location (and many thoughtlessly grant such permissions), explains Leonid Konik. But often the application collects information without notifying the user at all, and it is usually transmitted over open channels.

— At the same time, it is difficult to prove the fact of leakage itself: with equal probability, personal and other data can be leaked both from a web application and from a database of a government agency, in particular from some state information system (GIS), the number of which in Russia exceeds 4 thousand at the federal and regional levels alone," the expert believes.

Meanwhile, according to lawyers, responsibility for personal data leaks is being tightened in the Russian Federation.

Photo (handcuffs): IZVESTIA/Eduard Kornienko

Vulnerabilities are a problem that can be solved if they are detected in a timely manner and properly funded, but such work requires incentives, including sanctions, said Yaroslav Shitsle, head of IT & IP Dispute Resolution at Rustam Kurmaev & Partners Law Firm. Since the end of May this year, responsibility for violations of the law on personal data protection has been significantly tightened, he recalled.

— Responsibility for the leakage of personal data is ranked depending on the number of affected users: if the offense affected from 1 to 10 thousand people, the fine for a legal entity can be up to 5 million rubles, if from 10 thousand to 100 thousand — up to 10 million rubles, more than 100 thousand — up to 15 million rubles. If the offense is repeated during the year, then the legal entity may be subject to a turnover fine, which ranges from 1 to 3% of revenue," the lawyer notes.

In addition, liability is provided for failure to inform Roskomnadzor about the leak, in which case the fine will be up to 3 million rubles, the expert added.

Photo (fine): IZVESTIA/Sergey Lantyukhov

As the Ministry of Finance noted to Izvestia, the changes were adopted in 2024. In particular, turnover fines for companies for repeated leaks of personal data will encourage businesses to invest more in developing security infrastructure and protecting user information, the department noted. Last December, a new article of the Criminal Code of the Russian Federation aimed at protecting the personal data of Russians also came into force. It tightens responsibility for the theft and dissemination of stolen information, but it does not limit the work of information security specialists who investigate hacks and leaks, the ministry added. In addition, a law on combating cyberbullying was passed in April, which will create a special platform. It will help to prevent and suppress telephone and online fraud even more effectively, including responding promptly when phishing sites are detected, the Ministry of Finance said.

For businesses, a web application is the most effective way to attract and serve customers, which is why it is usually protected as a critical asset, according to Rustem Khayretdinov. Users need to make sure that they access the site from non-compromised devices and over a reliable channel. To do this, you need to install the latest operating system and browser updates, update antivirus software regularly, avoid accessing important sites via public Wi-Fi, use strong passwords and change them regularly, enable two-factor authentication, and generally observe digital hygiene, he concluded.

Translated by the Yandex Translate service.
