Major sites running unauthenticated JavaScript on their payment pages


HTML code from Spotify.

A few months ago, British Airways' customers had their credit card details stolen. How was this possible? The best guess goes something like this: BA had 3rd party JS on its payment page <script src="https://example.com/whatever.js"></script> The 3rd party's site was hacked, and the JS was changed. BA's customers ran the script, which then harvested their credit card details as they were typed in. This should have been a wake-up call to the industry. Don't load unauthenticated code on…

Continue reading →

Should you use SRI for self-hosted scripts?


HTML source of Sony's PlayStation website.

Here's a curiosity which I found while stumbling through the Sony PlayStation store. The website loads internally hosted scripts using SRI (SubResource Integrity). Why? Does your work require you to swipe an ID card to access the building? That seems pretty normal. Does your work also remind you to keep your badge visible, and to challenge people who aren't wearing theirs? That also seems pretty normal. Sometimes security is breached, so we have multiple layers to keep us safe. In…

Continue reading →

Dynamic JavaScript and SRI


HTML source of The Guardian website. Polyfill is being loaded from their own CDN.

Some external JavaScript libraries are dynamic. That's a problem for the SRI model of security. How can this be fixed? Definitions Suppose I want my website to have the latest version of the jQuery library. I might use a Content Delivery Network (CDN) to serve the code for me. <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> If an attacker were to get access to that CDN, they could inject code into my site and compromise my users' privacy. This…

Continue reading →