Is your frontend leaking data to third parties? The top 1000 websites are.

Julian Cohen
3 min read · Nov 8, 2024


We scanned the top 1000 domains from Cloudflare Radar. If you’re not sure about your third parties, use https://wpdc.org/ to monitor your frontend.

Background

Accidental leaks to third parties (like advertising tracking pixels, behavior analytics, application performance and error monitoring, CRMs, marketing tools, revenue analytics, and more) from web frontends have been emerging for years with regulators like the FTC even warning companies about them!

Aside from the obvious breach implications from leaking sensitive customer data to unauthorized third parties, there are now explicit requirements from regulators and compliance frameworks such as HIPAA and PCI.

DALL·E — A colorful and dynamic abstract cartoon illustration depicting websites leaking data to third-party services.

Corpus

We scanned the top 1000 domains from Cloudflare Radar from 2024-10-21 to 2024-10-28. Of the top 1000 domains, 554 were serving webpages. Findings are as of Monday, November 4, 2024.

Top Findings

  • 102 out of 554 (18%) websites sent form data to a third party.
  • 297 out of 554 (54%) websites used at least one of the top 10 most popular non-advertising tracking and analytics third parties (listed below). 294 of these websites (53%) sent visitor analytics to these third parties.
  • 26 out of 554 (5%) websites used out-of-date, vulnerable third-party JavaScript libraries.
  • 193 out of 554 (35%) websites used obfuscated inline JavaScript. 454 out of 554 (82%) websites used obfuscated third-party JavaScript.

Interesting Findings

  • 7 websites (1%) served their webpages with a Content-Disposition header (but the browser did not download a file).
  • 1 website downloaded an empty file.
  • 59 websites (11%) have X-XSS-Protection set to 0.
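The findings above come down to two checks you can run against your own pages: which hosts outside your registrable domain receive script loads, pixel requests, iframe embeds and, most importantly, form submissions; and whether the HTML response carries X-XSS-Protection: 0 or a Content-Disposition header. The script below is an added example, not code from the original post or from wpdc, and it makes two assumptions: the registrable domain is approximated as the last two DNS labels (a real scanner should use the Public Suffix List so that co.uk-style domains are handled), and the sample page, headers and third-party paths are constructed for illustration.

```python
"""Added example (not from the original post): flag third-party resource
hosts and third-party form actions in a page, plus the two header
findings above. Sample HTML and headers are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def registrable_domain(host: str) -> str:
    # Assumption/simplification: registrable domain = last two labels.
    # Real tooling should use the Public Suffix List (e.g. example.co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_third_party(page_url: str, resource_url: str) -> bool:
    """True when the resource lives under a different registrable domain."""
    page_host = urlsplit(page_url).hostname or ""
    res_host = urlsplit(resource_url).hostname
    if not res_host:  # relative URL resolves to the page's own origin
        return False
    return registrable_domain(res_host) != registrable_domain(page_host)


class ThirdPartyScanner(HTMLParser):
    # Tag -> attribute naming the remote endpoint the browser will contact.
    TARGETS = {"script": "src", "img": "src", "iframe": "src", "form": "action"}

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, absolute_url) for third-party hosts

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.TARGETS.get(tag)
        if attr and attrs.get(attr):
            url = urljoin(self.page_url, attrs[attr])
            if is_third_party(self.page_url, url):
                self.findings.append((tag, url))


def header_findings(headers: dict) -> list:
    """Reproduce the two 'Interesting Findings' header checks."""
    h = {k.lower(): v for k, v in headers.items()}
    out = []
    if h.get("x-xss-protection", "").strip().startswith("0"):
        out.append("X-XSS-Protection is set to 0")
    if "content-disposition" in h and "text/html" in h.get("content-type", ""):
        out.append("HTML response carries Content-Disposition: " + h["content-disposition"])
    return out


def scan(page_url: str, html: str, headers: dict) -> dict:
    parser = ThirdPartyScanner(page_url)
    parser.feed(html)
    return {
        "third_party_hosts": sorted({urlsplit(u).hostname for _, u in parser.findings}),
        # Forms posting off-domain are the direct 'form data to a third party' case.
        "third_party_form_actions": [u for t, u in parser.findings if t == "form"],
        "header_findings": header_findings(headers),
    }


# Constructed sample page: one tag-manager script, one tracking pixel,
# one same-domain iframe, one off-domain form and one same-origin form.
SAMPLE_URL = "https://www.example.com/contact"
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/example.js?id=123"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="https://www.facebook.com/pixel?id=123" width="1" height="1">
<iframe src="https://cdn.example.com/embed"></iframe>
<form action="https://forms.hubspot.com/submit" method="post">
  <input name="email"><input name="phone"></form>
<form action="/contact" method="post"><input name="message"></form>
</body></html>"""
SAMPLE_HEADERS = {  # constructed response headers
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "0",
    "Content-Disposition": 'inline; filename="index.html"',
}

if __name__ == "__main__":
    for key, value in scan(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Running it on the constructed page lists forms.hubspot.com, www.facebook.com and www.googletagmanager.com as third-party hosts, singles out the HubSpot form action as the place visitor-entered email and phone fields leave your domain, and reports both header findings; cdn.example.com is correctly treated as first party. Point the same parser at a real page fetched with your HTTP client of choice and compare the host list against the vendors you actually approved.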

Third Parties

  • 10 most popular third parties are:

  1. googletagmanager.com, used on 314/554 (57%) websites.
  2. google.com, used on 289/554 (52%) websites.
  3. doubleclick.net, used on 243/554 (44%) websites.
  4. google-analytics.com, used on 200/554 (36%) websites.
  5. linkedin.com, used on 163/554 (29%) websites.
  6. gstatic.com, used on 153/554 (28%) websites.
  7. licdn.com (LinkedIn), used on 149/554 (27%) websites.
  8. facebook.com, used on 148/554 (27%) websites.
  9. facebook.net, used on 138/554 (25%) websites.
  10. googleapis.com, used on 136/554 (25%) websites.

  • 10 most popular non-advertising tracking/analytics third parties:

  1. google-analytics.com, used on 200/554 (36%) websites.
  2. marketo.net/mktoresp.com (Adobe Marketo), used on 72/554 (13%) websites.
  3. demdex.net (Adobe Audience Manager), used on 62/554 (11%) websites.
  4. clarity.ms (Microsoft Clarity), used on 57/554 (10%) websites.
  5. 6sc.co (6sense Revenue AI), used on 45/554 (8%) websites.
  6. hubspot.com/hs-analytics.net (HubSpot), used on 44/554 (8%) websites.
  7. zoominfo.com, used on 40/554 (7%) websites.
  8. hotjar.com, used on 39/554 (7%) websites.
  9. go-mpulse.net (Akamai mPulse), used on 32/554 (6%) websites.
  10. company-target.com (Demandbase), used on 32/554 (6%) websites.

While these are the most popular third parties used by the 554 serving domains among the top 1000, they aren’t the only ones. Here are some other third parties you might want to ensure you aren’t sending sensitive data to:

Conclusions

The top websites in the world are sending sensitive data to third parties. Many of the top technology companies have their own internal tracking and analytics platforms, so it’s probable that smaller organizations and non-technology organizations use third parties at a higher rate and send them sensitive data more often.

If you want to monitor your websites for sending sensitive data to third parties, sign up for a free trial of wpdc here: https://wpdc.org/register

Julian Cohen

Risk philosopher, CISO, Program builder, Advisor, Investor, Ex-vulnerability researcher, Ex-CTF organizer and competitor.