Sharp Rise in Client-Side Risks Exposes Gaps in Web Security, Reflectiz Report Finds
Reflectiz’s 2026 State of Web Exposure Research reveals a significant escalation in client-side risks across global websites, driven by unchecked third-party applications, marketing tools, and unmanaged digital integrations. The analysis of 4,700 leading sites found that 64% of third-party apps now access sensitive data without legitimate business justification, a 25% year-over-year increase from 51% in 2025, highlighting a growing governance gap.
Public-sector infrastructure faces particularly severe threats, with malicious activity on government websites surging from 2% to 12.9%, while one in seven education sites shows active compromise, a fourfold increase. Budget constraints and understaffing were cited as key challenges for security teams in these sectors.
The report identifies widely used third-party tools as major contributors to unjustified data exposure, including Google Tag Manager (8%), Shopify (5%), and Facebook Pixel (4%), which are often over-permissioned or improperly configured. Marketing and digital teams account for 43% of all third-party risk, while IT teams frequently lack visibility into active website integrations.
Additional findings include:
- 47% of applications in payment frames (checkout environments) are unjustified.
- Compromised sites connect to 2.7× more external domains, load 2× more trackers, and use 3.8× more recently registered domains than clean sites.
- Only one website, ticketweb.uk, achieved a perfect score across Reflectiz’s eight security leadership benchmarks.
The full report provides sector-specific risk breakdowns, a list of high-risk third-party applications, year-over-year trends, technical indicators of compromise, and best-practice controls for security teams. The 43-page analysis is available for review.
Google cybersecurity rating report: https://www.rankiteo.com/company/google
"id": "GOO1769024286",
"linkid": "google",
"type": "Vulnerability",
"date": "6/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Public Sector',
'location': 'Global',
'name': 'Public-sector infrastructure (government '
'websites)',
'type': 'Government'},
{'industry': 'Education',
'location': 'Global',
'name': 'Education sites',
'type': 'Education'},
{'location': 'UK',
'name': 'ticketweb.uk',
'type': 'Website'}],
'attack_vector': 'Third-party applications, marketing tools, unmanaged '
'digital integrations',
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally identifiable '
'information, payment data)',
'type_of_data_compromised': 'Sensitive data, payment '
'information'},
'date_publicly_disclosed': '2026',
'description': 'Reflectiz’s *2026 State of Web Exposure Research* reveals a '
'significant escalation in client-side risks across global '
'websites, driven by unchecked third-party applications, '
'marketing tools, and unmanaged digital integrations. The '
'analysis of 4,700 leading sites found that 64% of third-party '
'apps now access sensitive data without legitimate business '
'justification, a 25% year-over-year increase from 51% in '
'2025, highlighting a growing governance gap.',
'impact': {'data_compromised': 'Sensitive data accessed by third-party apps '
'without legitimate business justification',
'operational_impact': 'Increased malicious activity on government '
'and education websites',
'payment_information_risk': '47% of applications in payment frames '
'(checkout environments) are '
'unjustified',
'systems_affected': 'Global websites, particularly public-sector '
'and education sites'},
'investigation_status': 'Completed (Report Published)',
'lessons_learned': 'Unchecked third-party applications and marketing tools '
'pose significant client-side risks. Public-sector and '
'education sites are particularly vulnerable due to budget '
'constraints and understaffing. Improved governance and '
'visibility into third-party integrations are critical.',
'post_incident_analysis': {'corrective_actions': ['Improve third-party '
'governance',
'Enhance monitoring of '
'third-party access',
'Apply sector-specific '
'security controls',
'Adopt best-practice '
'frameworks for web '
'security'],
'root_causes': ['Unchecked third-party '
'applications',
'Improper configurations and '
'over-permissioned tools',
'Lack of visibility into website '
'integrations',
'Budget constraints and '
'understaffing in public-sector '
'and education sectors']},
'recommendations': ['Implement stricter governance over third-party '
'applications',
'Enhance visibility into active website integrations',
'Apply best-practice controls for security teams',
'Monitor and limit permissions for tools like Google Tag '
'Manager, Shopify, and Facebook Pixel',
'Conduct regular audits of third-party access to '
'sensitive data'],
'references': [{'source': 'Reflectiz *2026 State of Web Exposure Research*'}],
'title': 'Sharp Rise in Client-Side Risks Exposes Gaps in Web Security',
'type': 'Data Exposure',
'vulnerability_exploited': 'Unchecked third-party access, improper '
'configurations, over-permissioned tools'}