Web cache deception (WCD) attacks are still a significant security issue nearly two years after first being documented, new collaborative academic research shows.

A joint study from experts at the University of Trento in Italy, US-based Northeastern University and Akamai Technologies found that at least 25 of the Alexa Top 5000 websites are impacted by the attack.

These sites collectively have substantial numbers of users that are being left vulnerable to the theft of personal information from their accounts.

WCDs were first discovered by security researcher Omer Gil in February 2017. His research found that many popular websites were caching pages that contained a user’s personal information and storing them within a website’s internet-accessible CDN, allowing anybody to access the data without first logging in.

The cached content often included pages exempt from a website’s internal caching procedures, such as account setting sections and financial details.

The exploit involves tricking a web cache into storing non-cacheable objects by convincing a user to access a URL that combines a legitimate dashboard URL with a non-existent file using any of more than 40 different file extensions.

This forces a website’s CDN to cache the user’s personal dashboard and all the data included inside. Attackers can then retrieve the data by accessing the booby-trapped URL.
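The caching decision behind this behaviour can be modelled in a few lines. The following Python example is added here for illustration and is not code from the study or from any CDN vendor; the extension list, paths and header values are constructed assumptions. It compares a rule that caches on URL extension alone with one that also honours the origin's `Cache-Control` header and checks that the response type matches the extension.

```python
import posixpath

# Assumed for illustration: extensions and types this model cache treats as static.
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".ico"}
STATIC_TYPES = ("text/css", "application/javascript", "text/javascript", "image/")
# Directives that forbid a shared cache from storing the response.
NO_STORE = {"no-store", "private"}


def extension_of(path):
    """Return the lower-cased extension of the last path segment."""
    return posixpath.splitext(path.split("?", 1)[0])[1].lower()


def weak_should_cache(path, headers):
    """Weak rule: cache on URL extension alone, ignoring origin headers."""
    return extension_of(path) in STATIC_EXTENSIONS


def hardened_should_cache(path, headers):
    """Cache only if the origin allows it and the body type fits the URL."""
    directives = {d.strip().split("=")[0].lower()
                  for d in headers.get("Cache-Control", "").split(",") if d.strip()}
    if directives & NO_STORE:
        return False
    content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return (extension_of(path) in STATIC_EXTENSIONS
            and content_type.startswith(STATIC_TYPES))


def audit(responses, decide):
    """Return paths that `decide` would cache although the body is HTML."""
    return [path for path, headers in responses
            if decide(path, headers)
            and headers.get("Content-Type", "").lower().startswith("text/html")]


# Constructed sample: origin responses for three requests.
HTML_PRIVATE = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store"}
SAMPLE = [
    ("/static/site.css", {"Content-Type": "text/css", "Cache-Control": "public, max-age=3600"}),
    ("/account/settings", HTML_PRIVATE),
    # The origin ignores the non-existent trailing file and serves the account page.
    ("/account/settings/nonexistent.css", HTML_PRIVATE),
]

if __name__ == "__main__":
    print("weak rule caches HTML at:", audit(SAMPLE, weak_should_cache))
    print("hardened rule caches HTML at:", audit(SAMPLE, hardened_should_cache))
```

Running the same audit over a site's own recorded origin responses shows which paths an extension-only rule would store despite the origin marking them non-cacheable.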

At the time of its discovery, Gil tested 30 popular websites and found that three were vulnerable to such attacks, including PayPal.

This latest research applied the same testing method to a sample of the Alexa Top 5000 websites, and tested not just file-based but also other forms of malformed URLs.

Testing was conducted twice over a 14-month period. During the first test, 295 websites were selected that had a backend storing sensitive data. During the second, this was expanded to 340.

After completing both tests, a total of 25 high-traffic sites were found to be vulnerable to WCD attacks.

“Our second experiment showed that in the 14 months between our two measurements, only 12 out of 16 sites were able to mitigate their WCD vulnerabilities, while the total number of vulnerabilities rose to 25,” the report states.

“One reason for this slow adoption of necessary mitigations could be a lack of user awareness. However, the attention WCD garnered from security news outlets, research communities, official web cache vendor press releases, and even mainstream media also suggests that there may be other contributing factors.”

The report identifies potential factors including a lack of official tools to check if a user’s CDN configuration is vulnerable to attacks, as well as the complexities associated with testing various CDN configurations.

“We do not believe that these observations implicate CDN vendors in any way, but instead emphasise that CDNs are not intended to be plug-and-play solutions for business applications handling sensitive data,” the report states.

“All CDNs provide fine-grained mechanisms for caching and traffic manipulation, and site owners must carefully configure and test these services to meet their needs.”