back to article Emma Sleep Company admits checkout cyber attack

Emma Sleep Company has confirmed to The Reg that it suffered a Magecart attack which enabled ne'er-do-wells to skim customers' credit or debit card data from its website. Customers were informed of the breach by the mattress maker via email in the past week, with the business saying it was "subject to a cyber attack leading to …

  1. wolfetone Silver badge

    "sophisticated"

    Well I feel sorry for them if it was a sophisticated attack. There's nothing they could've done to...

    Oh, it was a Magecart attack you say? On Magento you say? The same sort of attack we've known about for years and that there are patches and various protections available to prevent such a sophisticated occurring in the first place?

    Colour me cynical, but there is nothing sophisticated about someone exploiting a known bug that you couldn't be bothered to fix in production. That's not a sophisticated attack, that's a bread and butter robbery which was enabled by your own inability to do your f**king job.

    1. SW10
      Coat

      Re: "sophisticated"

      Easy for you to suggest they were asleep on the job, but these fixes take time to bed in

      1. Ken Moorhouse Silver badge

        Re: Easy for you to suggest they were asleep on the job, but these fixes take time to bed in

        Duvet really care?

    2. tip pc Silver badge
      Facepalm

      Re: "sophisticated"

      from the article

      The spokesperson said they could confirm that the "platform was kept up to date with all relevant security fixes."

      from wolfetone

      Oh, it was a Magecart attack you say? On Magento you say? The same sort of attack we've known about for years and that there are patches and various protections available to prevent such a sophisticated occurring in the first place?

      do you have proof their system was not fully patched?

      1. wolfetone Silver badge

        Re: "sophisticated"

        I've about as much proof about what I said as they're willing to give to back up their own claim.

        Security is more than just a bug fix here and there. It's the implementation, the structure, and the continual vetting of all of the relevant packages they add to their site. Like another commentator has pointed out, issues that allow this attack don't exist in a silo with Magento. It can be attacked in various ways.

        They can have all the fixes they want, but if it's not implemented right, then it might as well not be patched.

        1. Auntie Dix

          Re: "sophisticated"

          > It's the implementation, the structure, and the continual vetting of all of the relevant packages they add to their site

          Hah! Great joke! They're using Magento. You know, that platform which requires over 200 separate JavaScript files just to load the home page. Seriously.

      2. Ian Johnston Silver badge

        Re: "sophisticated"

        do you have proof their system was not fully patched?

        The entire basis of the article?

        1. tip pc Silver badge

          Re: "sophisticated"

          @ian Johnston

          The entire basis of the article?

          Wolf tone claimed patches had been available to mitigate the attacks, Emma claimed their systems had the latest security patches installed.

          Either Emma lied or Wolfetone is making false accusations, hence my asking if wolfetone had proof Emma’s systems where not fully patched as they claimed.

          I take wolfetones further point that better config could have mitigated the attacks but that’s not what he initially claimed.

      3. mikepren

        Re: "sophisticated"

        Now adding CORS and CSP headers. Good thing they've only just been invented, and not been around for a decade.

      4. mikepren

        Re: "sophisticated"

        Well they're deploying CORs and CSP headers, now. Good thing they've only just been invented, and not been around for a decade. If you run a payment site without those, then you're not serious about security. Especially on Magneto.

      5. Anonymous Coward
        Anonymous Coward

        Re: "sophisticated"

        They could start by... Let me think about it for a second... NOT LOADING FUCKING JAVASCRIPT CODE FROM A THIRD PARTY AT LEAST DURING THE CHECKOUT PROCESS???

  2. Cynical Pie

    and... 3... 2...1...

    'We at Emma take our data protections responsibilities very seriously....'

  3. cyberdemon Silver badge
    Trollface

    Sounds like some people will be losing sleep over this..

    And I doubt an expensive mattress is going to help

  4. johnfbw

    If anyone has used their website they wouldn't be surprised it looks like it was put together by the work experience boy.

  5. Winkypop Silver badge
    Devil

    As I lay me down to sleep

    I hope my data is mine to keep

    1. Neil Barnes Silver badge

      Re: As I lay me down to sleep

      Not if you're asleep on the job.

  6. andy 103
    Boffin

    Well, if you will include third party JS at random

    The article lacks the relevant details but from memory the way it worked in the case of British Airways (https://www.theregister.com/2018/09/06/british_airways_hacked/) is that they included a shitton of third party JavaScript - hosted outside of their domain. If you don't understand why this is a bad idea, please don't become a web developer.

    That JavaScript was modified so it requested other .js files (which the attackers had written themselves) from a domain which on the face of things looked legit to an average user, not that they'd see the requests their browser was making in the background anyway.

    The malicious script then targets form inputs (e.g. credit card name / number inputs) and makes an ajax POST request with the form data to a third party server for storage and thereafter "shenanigans".

    So, if I'm understanding correctly, years later nobody has learnt the extremely simple premise of not including random JS from third parties on your site. Yes I know there are some exceptions where you can't do this, but I'd be willing to bet it was Bob's Shitty Analytics dot BIZ or something where they wanted it for "marketing purposes".

    Some smart arse will say yes but what if they modify the JS on your site directly. If they can do that my dear then you have much bigger problems. Frankly though, including third party JS pretty much amounts to exactly this! You're giving somebody else control over what can be executed on your site.

    1. Mike 137 Silver badge

      Re: Well, if you will include third party JS at random

      "a malicious piece of code that was added to checkout pages which would skim card data from within a user's browser"

      There's a lot to be said for doing all sensitive processing server side - then you wouldn't need any client side scripts at all. Consequently, you could automate content scanning to dynamically detect the presence of any (inevitably malicious) scripts before the page were served.

      The apparently now standard approach of serving client side 'apps' rather than static content for everything is a certain recipe for data breaches, and is mostly entirely unnecessary.

      1. andy 103

        Re: Well, if you will include third party JS at random

        @Mike 137 The problem with server side processing is that it's not suitable for everything. Not all interaction with a webpage has a full request/response cycle (do something -> POST/GET Request -> page reload/redirect Response). This is where JS typically gets used in place.

        The real problem though is that people developing websites blindly inject (and therefore blindly trust) JS that's hosted on other domains. This is the source of these types of exploits. It relies on being able to execute code via your website through a third party, which as I alluded is pretty much as bad as somebody being able to access the server and modify the server side scripts as well.

        In 90% of cases where I've seen scripts being injected like this, it's usually marketing / sales teams who seem to have a demand to collect every single conceivable piece of data about user interaction. Even when they're told by developers who know better they just trust whatever third party platform is being used without a second thought. And so it continues...

  7. Peter Galbavy

    They are also very much into sharp practices themselves; A friend ordered one of thier products which was not delivered "next day" as promised, but weeks later. In the meantime the credit company they farm this stuff out to - if you choose that way to pay - refused to acknowledge the late delivery and the rejection of the goods and threatened (in very bad faith) a bad credit rating if she didn't pay the due installments. Since then the unopend product was eventually picked up but Emma washed their hands of the credit issues and now the whole thing is detined for the Ombudsman as Emma blames the credit company, credit company blames Emma and meanwhile my friend is both out of pocket and has "bad creditor" ticked for refusing to pay further installments for a product never accepted.

    Yes, GDPR and other legislation is *supposed* to help here, but it hasn't yet.

    Simple advice: avoid this lot like the plague that they are.

  8. spireite Silver badge
    Joke

    Well, someone somewhere with this data will be linen their pockets.

    Obviously, the police will be opening a pillowcase. Once they've solved it and arrested the suspects, I have no doubt they'll be saying to them on arrest "Bedspread em", and load them into Divan.

  9. Howard Sway Silver badge

    "no evidence" personal or payment data has been abused in the wild, the company said to customers

    Please can we stop accepting this sorry little pseudo-excuse after breaches. Of course you have "no evidence" because you don't have access to every credit card transaction on every card in the world so you wouldn't be able to know if had happened, even if you had somehow tried to find out. What do you think stolen card details are going to be used for?

    1. BleedinObvious

      Re: "no evidence" .. use in the wild

      Close family member contacted by Emma last week included in the leak, changed card forgot to cancel last one, then spotted £500+ of fraudulent Uber transactions made in a couple of days last week.

    2. yetanotheraoc Silver badge

      Re: "no evidence" personal or payment data has been abused in the wild, the company said to c...

      "What do you think stolen card details are going to be used for?"

      Even criminals need a good mattress....

    3. Higashi

      Re: "no evidence" personal or payment data has been abused in the wild

      Strange that they say that they "have no evidence", as I was in email communication with their Data Protection department on 30th March informing them of fraudulent activity on a credit card I used on their site.

      1. gstarling

        Re: "no evidence" personal or payment data has been abused in the wild

        I purchased a mattress on the 6th March. This Thursday (7 april) I had a call from my bank that they suspected fraudulent payments were being made for Dominos pizza several times.

        Given my Visa card had Only been used for the payment to Emma, I am pretty confident that was how my card details were stolen.

        I contacted their support team on Thursday via Chat and an email but they have not replied so far.

        I plan to follow up further if I have not heard in 7 days.

      2. gstarling

        Re: "no evidence" personal or payment data has been abused in the wild

        I wrote to their customer services team on 7th April and I have still not had an acknowledgement of my email.

        Given they receive top reviews for their product on Which, you would expect their customer service to be pro-active - they are not. Disappointed that they have not replied.

        I plan to follow this up until I receive a suitable explanation and apology.

  10. heyrick Silver badge
    Mushroom

    This was a sophisticated

    Any PR missive starting with those four words should be legally required to be translated to "we buggered up badly and now your info is in the hands of criminals and we barely give a toss so we'll placate you with empty baseless observations such as we've not seen credit card data being abused (which we can't possibly know, but don't think too hard about what we're saying)".

    Reason for saying that? Because to the sort of people that write such crap, a Tamagotchi is "sophisticated". To them, logging in using the default password is "sophisticated". It is language designed to appeal to your emotions in a "these guys were really good, we tried our best but they still beat us" sort of way. Which is, of course, complete bollocks. Because if it wasn't, they would say what happened rather than writing anything whatsoever that uses the word "sophisticated".

    1. yetanotheraoc Silver badge

      Re: This was a sophisticated

      Sophisticated means "someone tried to explain to me what happened, but I had to make them stop explaining before my brain exploded".

      TL;DR computers => sophisticated.

      Someone should publish a comic book explanation of the common exploits so the top decision makers can figure out what to do.

      1. TimMaher Silver badge
        Happy

        Re: comic book

        Make them study Dilbert?

  11. VoiceOfTruth

    I've mentioned this before...

    -> Operatives get access to a site, either directly or via third-party services, and inject malicious JavaScript which then nabs the information as it is input.

    Yes, all these third-party services which I do not want. If I use Little Snitch on a Mac, and set it to ask permission for every outbound connection, and browse to abc web site, I am constantly not surprised by how much crap is included on abc's web site. These included third-party services... some of them I have heard of, some of them I have not. But the point is I, me, have not browsed to these third-party sites. abc's web site has slurped them in. When we are told 'be careful where we browse to', that is a stupid homily because most of us have no idea where we are browsing to with all this included crap.

    -> which is why the technology we had in place to keep track of scripts added to the page did not detect it.

    I don't believe it is that hard. What Emma Sleep really means is 'we don't know how to run a secure web site'. Fine. I accept that. So get somebody who does.

  12. Ken Moorhouse Silver badge

    They applied the same principles to passwords as they did to memory foam.

    They should have used a mattress protector to guard against leaks.

  13. Auntie Dix

    This is standard Magento. Anyone using the platform is taking their lives in their hands.

    Trust me, as a Magento developer of 10 years... run away from it as fast as possible.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like