You may have heard about the Ticketmaster data breach earlier this summer. You probably also have heard about the British Airways data breach at the start of this month. A new breach at another large online marketplace using the same technique shows that vulnerable shopping carts are being exploited more and more. If you operate some kind of eCommerce site, where you have a checkout that collects credit card details for orders, then you need to check if you have been potentially compromised.
What caused these vulnerable shopping carts?
Basically the bad guys are sneaking in via plugins to the websites. It was very similar to how cryptocurrency mining code infiltrated UK government websites earlier this year. In the case of the vulnerable shopping carts of Newegg, they plugged their nasty code into the “Feedify” plugin. This plugin is used to gather feedback from customers.
So when a customer browsed to the Newegg site, the webserver served up the website, and the customer’s browser then went and brought in the code from the plugins. The compromised Feedify plugin got loaded and the malicious code started monitoring, waiting for credit card information to be typed in. Once it got that, it sent it off to the evil doers, a hacking group called Magecart. The same technique was used to compromise the “Inbenta” customer service plugin with Ticketmaster and the “Modernizr” plugin for BA.
So how can I protect my website from this?
Well, you’ll need your web-person to do a couple of things.
- Define a Content Security Policy (CSP) for your website
- Set up Subresource Integrity (SRI) verification of your website plug-ins
CSP basically states the trusted locations that your website can load plugins from (and which locations the page is allowed to send data to), so make sure these are set for your own site and that of your payment provider.
SRI is where you generate a “hash” (a unique code based on the content of an item) for each plugin when you build the site and put it in the tag that loads the plugin. When the plugin gets loaded by the browser of a customer, the browser re-hashes what it actually received; if the value does not match the original hash, the plugin has been altered and the browser refuses to run it.
You can get more details on CSP and SRI from Scott Helme’s blog.
In the meantime, #LetsBeCarefulOutThere.