Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS

Lazy

Yeah, and this is why if you're concerned about security, or even functionality, you don't link to dynamic third-party libraries. Third party libraries that you don't have locally are subject to change.

Did people not pay attention two years ago, when removing 'left-pad' crashed Node?

https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

"not carry any third-party code"

And how do you enforce this ?

As soon as you start putting a red box in the address bar for 2nd or 3rd party access, or not showing a green tick, admins will be aliasing media.domain.com and/or domain.com/media to some.thirdparty.com...

And how do you enforce this ?

Make it policy, and the first time someone does it in violation of policy you publicly discipline them with a demotion and pay/bonus cut. Second time, you fire the guilty person on the spot. If you're hacked because of it, you give their name to the ICO. People need to learn that this is serious, and if that means learning the hard way that's their problem, not yours.

suprise suprise

I always thought it odd that sites included code from other sites/servers. It was obvious that this was an easy way to target thousands of sites by hacking or a simple bribe. Not a good day when my concerns have come to fruition.

"a quick search showed at least a few hundred using this particular feedback library."

Following the link embedded in that sentence in the article leads to a page demanding enabling of Javascript without which it will show nothing at all. Will they never learn?

"A customer engagement tool."

In other words, something that marketing would have been pushing for. Marketing: the biggest in-house threat to a business.

The Moral of the Story

appears to be: "don't do any online ordering or other web interaction with any business or organisation that uses JavaScript on it's web servers, otherwise your data is at serious risk of being pwn'ed."

While this fiasco is unlikely to change all these websites from using 3rd party code on their website, i guess a lot of them will be removing the Feedify hosted code from them. Seems as Feedify really have an underlying issue with security of their servers, that they are unable or unwilling to fix which is allowing hackers to keep altering their code. And unfortunately for them a Google search for Feedify, the second article that shows up is about how their servers were hacked, so the future doesn't look rosy for them.

Ive been looking at this javascript thing, not just this secutiry snafu, the whole lot.

Its a total shitstorm isnt it?

Most people seem to be missing the point of these recent hacks. It is not important that the tool was Magecart, the language was JavaScript and the infected code was imported from a third party.

The server was compromised. The bad guys either exploited some as yet undisclosed weakness elsewhere on the server or did an inside job.

This is how its going to be unfortunately

Because of people in charge that keep spouting such phrases as "Infrastructure Free" are then in charge of all things digital. Agile gets thrown around a lot so little testing is done and when questions of security are mentioned you get branded "Difficult" and "You're being a blocker".

Oh well. When the world and its dog insist on everything being in "the cloud" and wanting to do everything on the cheap by lifting others code officially or unofficially. And then using said code from someone else's server that you have no control over, then this is bound to happen.

Yes, I'm not so stuck in the past that I can't see the benefits of the cloud, but I also don't want ALL our data there where I then lose control over it. I don't want my SQL databases given to a 3rd party company to manage who then refuse to allow me direct access to the said SQL database. Forcing me to use the cloud based app we've purchased from a totally different company just to be able to access fields and tables in said database.

What am I trying to say? That digital everything isn't great but unfortunately certain directors get away with spouting bullshit to others that don't understand so believe in said bullshit. Who then pay said director thousands to make their bullshit happen. When said director knows it can never happen because "I just made it up. I never thought they'd believe me". So now has to get "something" live before legging it and doing the same at another company.

I've lost my point again. Which is simply, management wanting everything done on the cheap and paying their staff as little as they can until they can outsource them. Then wondering why shit like this happens and just spouting "Lessons have been learned" when they haven't and it just happens over and over again.

A more simple lesson that can be drawn

Is that the cost of potentially having to reimburse potentially hundreds of thousands of customers whose card details may have been compromised, needs to be weighed against the utterly trivial cost of implementing a simple customer feedback form on your website yourself.

I know that Not Invented Here syndrome is a widely understood and frowned upon phenomenon, but this case certainly illustrates where the limits of reuse need to be debated. Code hosted on third party servers looks like a very fine place to start drawing that line for commerce websites. For payment services, the liabilities are well defined, but that really should be the only third party service you allow when you're taking payments.

but... but.. but... our website has a green padlock icon!

so what's the alternative, i review all my code and do a security analysis on every bit of code i get off the internet?

f*ck that, i aint got time for that shit. i've got beard relaxant to apply and another employer to moonlight for.

Some call it lazy

I call it muppetry

“After several hours, Joe finally gave up on logic and reason, and simply told the cabinet that he could talk to plants and that they wanted water.”