Major sites running unauthenticated JavaScript on their payment pages

by @edent | # # # # # # | 9 comments | Read ~23,350 times.
HTML code from Spotify.

A few months ago, British Airways' customers had their credit card details stolen. How was this possible? The best guess goes something like this: BA had 3rd party JS on its payment page <script src="https://example.com/whatever.js"></script> The 3rd party's site was hacked, and the JS was changed. BA's customers ran the script, which then harvested their […]

Continue reading