Ticketmaster and the tale of the malicious JavaScript (Magecart)

Introduction

More and more attacks go through third-party JavaScript. Nowadays, many SaaS companies offer services that extend their clients' websites.

It can be a widget to send feedback (Hotjar), an SDK to accept payments (Stripe, Recurly…), or website analytics (Google Analytics, Statcounter…).

What all these companies have in common is that they require their clients to insert a third-party JavaScript file into their websites. That file is not served by the client: it is loaded remotely from the vendor's server, on every page view, straight into the visitor's browser.

The Hotjar Example

Example for Hotjar (a website analytics/feedback company):

<script>
(function(h,o,t,j,a,r){
	// queue calls made before the remote file has loaded
	h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)};
	h._hjSettings={hjid:xxxxxxxx,hjsv:6};
	a=o.getElementsByTagName('head')[0];
	// build a <script> tag pointing at https://static.hotjar.com/c/hotjar-<hjid>.js?sv=6
	r=o.createElement('script');r.async=1;
	r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;
	// appending it to <head> makes the browser fetch and run the remote file
	a.appendChild(r);
})(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv=');
</script>

This snippet is pasted into the client's pages. It creates a <script> element whose src points at a file hosted by Hotjar; the browser downloads that file and executes it in the context of the client's page, with the same access to the DOM as the site's own code.

Files like this cannot be hosted "on-premise". The vendors that offer them need to update them frequently, to add features or fix bugs, without having to coordinate with every client.

The consequence is that whoever controls that file, the vendor itself or anyone who compromises the vendor's server, can read everything a visitor types on the client's website: login, password, credit card number, and so on. The remote script runs with the page's own privileges, so the same-origin policy offers no protection against it.

The Ticketmaster hack

That is exactly what happened to Ticketmaster in 2018. Ticketmaster included on its site a third-party JavaScript file from Inbenta, a company specialised in chatbots and virtual assistants. The attackers, a group tracked as "Magecart", compromised Inbenta and modified the JavaScript file used by Ticketmaster. They added a "skimmer" that stole the payment information entered into forms on Ticketmaster's website.

Approximately 40,000 UK customers were affected by this hack according to the BBC. Because the breach happened after 25 May 2018, when the GDPR came into force, Ticketmaster faces a potential fine of up to $400 million: that figure corresponds to 4% of the annual revenue of its parent company, Live Nation, which is the maximum the regulation allows.

How to prevent this from happening?

One way to limit the damage is to detect any modification of these JavaScript files as soon as it happens and to notify the team responsible for them. A fixed Subresource Integrity hash on the script tag is rarely workable here, because the vendor changes the file without notice and every legitimate update would break the page; monitoring the file and alerting on any change, so that an unexpected one can be reviewed by a human, is the practical alternative.

This can be done with a script that periodically fetches the JavaScript file, hashes it and compares the hash with the one recorded on the previous run, or by using a service like Guardscript that handles all this automatically: https://www.guardscript.com

Sammy Collins
