Reply to post: Re: Client side anti-fraud measures?

Stripe is absolutely logging your mouse movements on websites' payment pages – for your own good, says CEO

andy 103
Boffin

Re: Client side anti-fraud measures?

If you want evidence, take a look at the BA breach.

With all due respect, this shows a lack of understanding of how that attack worked. The Reg even posted a screenshot of the malicious script:

https://regmedia.co.uk/2018/09/11/ba_suspicious_script.jpg

As much as this is a .js (client-side JavaScript) file, modifying it required access to BA's web server, which is proven by the fact that it's hosted on britishairways.com, as is clear in the screenshot. If someone has access to modify files on your web server, then even server-side validation code could be modified.

It's true that the attacker in that case set up a fake domain (baways.com, also shown on the screenshot) to post form data to. But the actual script where that was occurring (modernizr-2.6.2.min.js) was hosted within BA's own legitimate webspace. So someone had access to be able to modify that, which at that point is a server-side breach.

The issue you're describing is when people serve JS from untrusted third-party domains. But that isn't what happened in the case of BA.
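As an added illustration that is not part of the original post (nor BA's or The Register's code), the Python below checks a page's Content-Security-Policy against the kind of destination the post describes: a script on the site's own host posting form data to an outside domain. The domain names are the ones named in the thread; the URL paths and the two policies are constructed for the example, and the CSP matching is a simplified sketch of the spec rather than a full implementation.

```python
"""Does a CSP let page scripts/forms send data to a given destination?"""
from urllib.parse import urlparse

# Constructed sample values; only the domain names come from the thread.
PAGE = "https://www.britishairways.com"
EXFIL = "https://baways.com/"                  # outside domain the post mentions
PERMISSIVE = "default-src *; script-src 'self'"
LOCKED = ("default-src 'self'; "
          "connect-src 'self' https://*.britishairways.com; "
          "form-action 'self'")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    return policy


def source_matches(source: str, page_origin: str, dest: str) -> bool:
    """Simplified CSP source-expression matching ('self', 'none', *, host)."""
    page, target = urlparse(page_origin), urlparse(dest)
    host = target.hostname or ""
    if source == "none":
        return False
    if source == "self":
        return (page.scheme, page.netloc) == (target.scheme, target.netloc)
    if source == "*":
        return True
    if "://" in source:                       # scheme-qualified host source
        scheme, source = source.split("://", 1)
        if scheme != target.scheme:
            return False
    if source.startswith("*."):               # "*.example.com" -> ".example.com"
        return host.endswith(source[1:])
    return host == source


def destination_allowed(header: str, directive: str, page_origin: str, dest: str) -> bool:
    """True if `directive` (connect-src / form-action) permits sending to `dest`."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive != "form-action":   # form-action never falls back
        sources = policy.get("default-src")
    if sources is None:
        return True                           # no applicable directive: unrestricted
    return any(source_matches(s, page_origin, dest) for s in sources)
```

Note that, as the post itself points out, whoever can edit files on the server can usually edit the headers too, so the locked-down policy is one layer of defence rather than a substitute for server integrity.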
