Major sites running unauthenticated JavaScript on their payment pages
hack javascript NaBloPoMo Responsible Disclosure security sri · 12 comments · 700 words · read ~33,646 times.
A few months ago, British Airways' customers had their credit card details stolen. How was this possible? The best guess goes something like this: BA had 3rd party JS on its payment page <script src="https://example.com/whatever.js"></script> The 3rd party's site was hacked, and the JS was changed. BA's customers ran the script, which then harvested their credit card details as they were typed in. This should have been a wake-up call to the industry. Don't load unauthenticated code on…
Continue reading →