But first, what is a Web Cache Deception attack?
Many websites cache pages that contain users’ personal information. These pages are stored inside the website’s content delivery network (CDN).
These attacks were initially disclosed in early 2017 by security researcher Omer Gil. At that time, only 3 of 30 popular websites were found to be impacted by this attack.
This attack is not just restricted to web-related files such as CSS or JS. More than 40 file extensions can be targeted by attackers.
The current scenario
Researchers noticed that 25 of the Alexa Top 5,000 websites were impacted by the Web Cache Deception attack.
“One reason for this slow adoption of necessary mitigations could be a lack of user awareness. However, the attention WCD garnered from security news outlets, research communities, official web cache vendor press releases, and even mainstream media also suggests that there may be other contributing factors,” said the research team.
With CDNs offering detail-oriented mechanisms for caching, they must be configured with care to ensure protection from such threats.
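As an added example (not code from the article or from the researchers it cites), here is a conservative store-or-bypass check that a cache layer could apply before keeping a response under a static-looking URL. The function names, the small extension table and the sample responses are all constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Content types a shared cache should expect for each static extension.
# Small constructed subset; a real deployment would list every extension it caches.
EXPECTED_TYPES = {
    ".css": {"text/css"},
    ".js": {"application/javascript", "text/javascript"},
    ".png": {"image/png"},
    ".jpg": {"image/jpeg"},
}
# Treated conservatively: any of these directives means "do not store".
UNCACHEABLE = {"private", "no-store", "no-cache"}


def cache_decision(url, headers):
    """Return (store, reason) for one origin response."""
    h = {k.lower(): v for k, v in headers.items()}
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if ext not in EXPECTED_TYPES:
        return False, "not a static extension"
    cc = h.get("cache-control", "")
    directives = {d.strip().split("=")[0].lower() for d in cc.split(",")}
    if directives & UNCACHEABLE:
        return False, "origin forbids shared caching"
    if "set-cookie" in h:
        return False, "response sets a cookie"
    # The extension alone is not trusted: the body must really be that asset type.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in EXPECTED_TYPES[ext]:
        return False, f"content-type {ctype or 'missing'} does not match {ext}"
    return True, "static asset"


# Constructed sample responses: (requested URL, origin response headers).
SAMPLES = [
    ("https://shop.example/static/site.css",
     {"Content-Type": "text/css", "Cache-Control": "public, max-age=3600"}),
    ("https://shop.example/account/profile/x.css",
     {"Content-Type": "text/html; charset=utf-8"}),
    ("https://shop.example/account/settings/a.js",
     {"Content-Type": "application/javascript", "Cache-Control": "private"}),
]

if __name__ == "__main__":
    for url, hdrs in SAMPLES:
        store, reason = cache_decision(url, hdrs)
        print(f"{'STORE' if store else 'BYPASS':6} {url}  ({reason})")
```

Only the first sample is stored. The second is bypassed because an HTML page came back under a `.css` URL, and the third because the origin marked the response `private`.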