One Misplaced Line of JavaScript Caused the Ticketmaster Breach

An anonymous reader quotes ITWire: Well-known British security researcher Kevin Beaumont says the breach of the British operations of American multinational ticket sales and distribution company Ticketmaster, that has led to the possible leak of tens of thousands of credit card details, was caused by the incorrect placement of a single line of code... Beaumont said Inbenta was providing a chat bot for website developers "by providing a single line of HTML which calls a JavaScript from Inbenta's Web server...."

He pointed out that while Inbenta had provided Ticketmaster a customised JavaScript one-liner, the ticketing company had placed this chatbot code on its payment processing website without informing Inbenta it had done so. "This means that Inbenta's webserver was placed in the middle of all Ticketmaster credit card transactions, with the ability to execute JavaScript code in customer browsers," Beaumont said. This code had been altered by some malicious person back in February and the problems began at that point, he said.
Beaumont warns businesses to be cautious with third-party JavaScript code in sensitive processes. "Check your supply chain. Because attackers are."

And he also highlights how anti-virus tools started flagging the the script months before Ticketmaster announced the breach. "I can see the Javascript file being uploaded to a variety of threat intelligence tools from April through just before the breach announcement, so clearly somebody was looking into it."

Rules of computer safety

If a bad actor can get you to run their code on your computer, it's not your computer any more.

Re: Rules of computer safety

[Z00L00K]

And the dangers of third party content on web pages. It's very hard to be sure that things play together when more than one content provider is involved.

Re: Rules of computer safety

[grep+-v+'.*'+*]

It's very hard to be sure that things play together when more than one content provider is involved

But it works fine, see? Besides it's not MY code that broke things. And I'll be gone long before *I* have to support it, so no harm, no foul, no problem.

I'd write some documentation, but I won't and you won't understand it anyway and will just rewrite the entire things from scratch so I won't.

This Problem is Much Bigger Than Most People Know

In recent years it has become common practice to use GitHub or other code sharing sites to pull in reams of third party dependencies for whatever flavor-of-the-month JavaScript framework that young coders want to use because it's trendy or because they saw an awesome demo at a conference somewhere. I guarantee that not one in one hundred of these kids has any clue what sort of dependencies of dependencies are being automatically pulled from the public repositories and being injected auto magically into their code running on top of one of these JavaScript frameworks and frankly many of them wouldn't care even if they did. They plan to be gone in 3 years or less and on to their next gig and whatever framework has come along since then to be the newest craze. Meanwhile the security oversights remain for years or maybe decades after they're gone, silently waiting for the exploit that must surely come. It would not surprise me at all to learn that nation state backed hacking groups are embedding advanced persistent threats into these public JavaScript frameworks or any of their thousands of dependencies. I predict that we haven't heard the last of these kinds of breaches because the JavaScript code slingers out there, who might have learned to code in a boot camp, haven't yet been taught a harsh lesson in security that they will remember in their bones. Some of them even show outright contempt for security or those who suggest it, although most of them are simply indifferent. They grew up with Facebook after all and their attitude tends towards, "Meh, privacy is dead, who cares"?.

Security

WTF is security, how to ignore it and deliver your project https://www.facebook.com/nixcr...

Just one line of code

Someone should charge them a convienence fee.

Re:Just one line of code

[Excelcia]

Thing is, it's always just one line of code. Very rarely is a security bug something big and prevalent throughout the code. It's a forgotten bounds check, or a miss-sized integer. You can say "just one line of code allowed _______" for almost the entire set of security bugs that have occurred for the last decade.

That's nothing...

It once took me two weeks, to find a single comma missing. Thanks IE6!

Even worse, but solved more quickly: I accidentially typed a ` right before an i, resulting in a i with a dot that had one single more pixel. Even less, given the right font size. It was impossible to see. I had to do a unicode search by copying and pasting the character, to find what was weird about it.

Still not as insane as PHP though. I found, that if you make a few empty lines in the middle of some function code, and just wrote a random totally invalid word there, that the interpreter would still happily execute the function as if the word was not there.
Turns out PHP interprets everything it does not know as a string, which is equivalent to a function returning that string... And PHP also just ignores any functions' return value if it isn't assigned to anything. Making the string a valid statement equivalent to NOP. *facepalm*

Re: That's nothing...

PHP is not a programmibg language. Says PHP's original author. I'm not touching this sh* and no professional developer should. In fact PHP should be forbidden to use and treated as a punishable offense for lack of engineering sincerity. Just kidding. Not!

Re:

You get what you pay for. Business people see no difference in software quality, they only judge user-interface decisions and responsiveness. With no regulation, no one will care about reliability or source code quality, and development will continue its decline from earlier days that considered using formal verification and cared about fault-tolerance.

more than one line

[Gravis+Zero]

Don't give me the "it's only one line" bullshit because sites use condensed javascript files that only have one line! It's like saying someone was killed by an speeding piece of steel after being hit by a bus. Sure, it's technically correct and completely misleading.

Re:more than one line

He's only a Cap'n

Re:more than one line

[Actually,+I+do+RTFA]

It's like saying "a 30 mph piece of steel" It's focusing on one metric (speed/LOC) that while it feeds into the important result (momentum/?) while ignoring the multiplier (mass/includes).

Re:more than one line

[93+Escort+Wagon]

The description makes it sound like this was just a one-line “src” link to a script on Inbenta’s server.

But then, I’d argue that pulling web content from third-party sites is problematic in its own right - even though it’s an almost ubiquitous practice nowadays. Your web site is basically serving out content and instructions, which you have absolutely no control over or visibility into, to your site visitors. It’s bad enough when it’s ad network stuff... but this was apparently a “need help?” tool.

Re:more than one line

If its true what Crawford said about shared namespace in the page/DOM is still true today (not XSS isolation even). Then internet is total disaster. How could any modern language not isolate individual scripts in their own namespace/routines.. What a nightmare.

Re: more than one line

The killer feature of web apps, that they can be updated remotely with no intervention from the recipient, has always seemed like a terrible idea to me.

Re:more than one line

You must be a blast at parties, Admiral Aspergers.

Don't say shit about apsies. They are great at quality control.
For every fast and sloppy cowboy-coder you need a manager with autism to make sure they don't push out broken shit than leads to more headaches and exploits.

Re:more than one line

Most bugs are just one line anyway, especially buffer overflows. In fact, they usually work out to be just a few bytes. Why does the size of code matter?

Re: more than one line

It has little to do with that. It's mostly for performance.

When your browser goes to site A and sees a src link for somesite.com/files/thing.js, it caches the content it pulled for the url. When your browser goes to site B and sees a src link for the same url, it has the content cached already. Speed.

The rise of the CDN. It doesn't matter if the script is being hosted by Akamai or SomeRandomCompany, when your browser uses several sites which include that script it only has to wait for it to download once. Apply that to all the scripts across a bunch of sites and you get better performance. Plus, a few years ago browsers would generaly only allow up to two connections per site to download things so when things are spread out across a bunch of CDN servers the downloads can almost all run in parallel.

But, it's 2018, and the proper way to do things today is to aggregate all of the scripts your site uses into one or few files and compress them, and at least then if $badguy changes the code they had to do so on your servers, or somewhere directly affecting your process chain (someone above mentions changing code in github repos). But man, using npm these days, it's like jumping out of a plane with a parachute you know was made by the cheapest bidder on the other side of the planet.

Re: more than one line

Aspie piece of shit.

Yeah...

That's generally how bugs work

Re:

You get what you pay for.

That's true for developers, too. Companies only want young developers because they're cheaper and eager to be overworked. With that comes lack of experience and a tendency to jump on hip, flavor of the month frameworks because the tried and true stuff is so boring and old-fashioned.

Re:

What do you expect? We allow corporations to disclaim all responsibility for breaches and the price they pay if there is a breach is usually insignificant compared with the actual damage that's been done.

The end result is that there's no particular reason why they would care as it's not something that affects their paycheck. If something does go wrong, the managers get golden parachutes and the underlings get pink slips.

Summary

[whoever57]

As far as I can tell:
inBenta was hacked, and the problem was worse than it should have been because the Ticketmaster website pulled javascript from inBenta on their payment processing site.

Re: Summary

This^

It wasn't so much that Ticketmaster misplaced the code, it was that they included code from an insecure 3rd party. They did have used a local copy.

code review

I reviewed the code, and I think I found the problem on line 1742:

1742: eval(underhanded_javascript_contest_winner());

Huh?

It's always one line of code, or two, or one number, or two, etc.

Re:

Fucking shit. You want quality - stop infestation of IT by shitty smelly parasites hindu-chimps.

Third-party, included content on the web

[peppepz]

WebAssembly will make this kind of problems even worse, because the included third-party binary blobs will be even harder to audit, easier to exploit and more difficult to flag.

Re:Third-party, included content on the web

Don't use 3rd part binary blobs you don't have the source for?

Re:Third-party, included content on the web

WebAssembly will make this kind of problems even worse, because the included third-party binary blobs will be even harder to audit, easier to exploit and more difficult to flag.

Depends on the building process.
If the compiler pulls in the third party scripts and compiles them into the binary instead of linking to them then you will get stable* binaries instead.
Presumably the browsers would like to check for commonly used functions and run a version that has been compiled for the native target instead.
I don't have any illusions that it will happen, the world have a tendency to invent a solution that is even worse that what one feared, but at least there is a theoretical possibility to not make things worse.

* Stable as in not changing function after compilation due to third party library changes, not in the traditional sense of stable code.

Re:Third-party, included content on the web

[peppepz]

It won't happen. Look at how the web works today, and try to foresee how it will work in the near future when all its constituent parts (from HTTP to HTML) go binary.

Re:This Problem is Much Bigger Than Most People Kn

Everyone likes to shit over JavaScript and its developers but frankly its blindsided elitism. The problem is endemic to package management and computing in general. As if anyone has line-by-line verified anything they've pulled in via nuget, apt-get or whatever package manager you'd care to mention. And even if you were to try, would you actually catch something really underhanded?

All we have for any of this at the end of the day is blind trust. I think all of computing to some extent is faith-based that the next link in the chain was built competently and without malicious intent.

There's no easy solution to this and there never will be. The open source community seems content to place their faith in a panopticon of other eyes (and always other eyes, I've seemed to notice) finding these flaws. Mostly it works, other than the odd catastrophic failure when it doesn't. The only other choice appears an authority that can vet packages and give a stamp of approval, though getting financial support for it would likely be impossible.

Web Dev Hipster here: Amen brother!

[Qbertino]

While I plead guilty of being a mix of old school geek and ISO Certified JS Toolkit hipster, I second the notion of security being handled way to lax in the web agency camp.

However this is more often a problem of skill and awareness and not so much the toolkit. Security is always a tradeoff between usability and it has to be considered day in and day out. Most people don't have an opinion of this because they are rarely forced to take responsibility for mission critical code. Security and due diligence like test first and CI are difficult and boring and you have to learn it and make a habit just like versioning.

This is where the professionals come in. I personally have decided to stay in the web camp but move up the ladder in terms of responsibility and start exercising in the security and mission critical areas (ERP, Data Protection, etc.)

Misplaced line of JavaScript

[Hognoxious]

A misplaced line of JavaScript, eh?

Is there any other kind?

I agree. But when your boss tells you ...

... that's what you must use, and you do not havr the freedom to quit, that's what you use.

Frankly, what we used before ... an internally developed language that looked like HTML tags, and was so cumbersome that even making functions was a hassle ... made PHP look like a godsend.
Also, my "team" was so incompetent, that when I suggested we should use functions to have a template library, instead of manually replacing snippets on ALL the web pages, the answer I got was "too complicated"!!

So ... yeah ... I ate that PHP and liked it too. :/

Re: This Problem is Much Bigger Than Most People K

Ubuntu and Debian use signed packages, and they are curated much like the Apple store. Node doesn't use signed packages, but it doesn't matter anyway because anyone can upload anything. It's actually a really nice system in terms of ease of use, but there is malware all over up there.

Re:This Problem is Much Bigger Than Most People Kn

[jon3k]

In recent years it has become common practice to use GitHub or other code sharing sites to pull in reams of third party dependencies for whatever flavor-of-the-month JavaScript framework that young coders want to use because it's trendy or because they saw an awesome demo at a conference somewhere.

I think it's more pragmatic than that. No one wants to reinvent the wheel, presumably when someone else has done it better. I think that's almost always a good thing, because the standard third party packages for performing most of these things is far safer than what the average developer would write. I think if someone's boss saw them rewriting something that was available as a standard, widely used NPM package they'd get an earful for wasting time.

I'm working on a small flask application right now, and I don't think anyone would argue that it would be smarter for me to write this all from scratch.

Inbenta? WTF

[Hognoxious]

Did they run any kind of sanity check on the name? Like going into a pub and asking a few of the people there what they thought?

Among the myriad meanings of bent are:
* homosexual e.g. "He's bent, he's bent, his arse is up for rent _insert_name_of_opposing_player_here ".
* corrupt e.g. "There ain't nuffink lower than a bent copper and no mistake, lummee if it ain't so and strike a light, me old china".

They are completely hopeless

So :

1. they outsourced part of their website
2. they never ever performed due diligence on the outsourced bits to check they are safe (because otherwise they would have insisted taking delivery of the files, and hosted them themselves, to avoid undeclared changes compromising the result of the audit). How hard it is to host a few js files?
3. they didn't even take delivery of the top-level js file to check it is safe, all they got delivered is an url to blindly call third party code they never checked and can be changed or compromised without notice
4. their own technical team probably washed their hands of the whole thing (not my code, not hosted on my servers)
5. the third party probably washed their hand on security (not supposed to be handling security-sensitive stuff even if the code runs in the same context in the browser)
6. the thing could leak like a sieve, all they worry about in $$$ because that's easy to trace to them
7. they feel the problem is they made the js call on the wrong page of their website (because once you own part of the website thanks to compromised js, you can't rewrite the payment links to an owned page?)

What an bunch of clueless guys. They are ripe to be compromised again with maybe a little more effort by baddies.

Re:

Yes and no. I've found out recently that a lot of startup companies will initially hire contract or young people to do the work as you say. This is to get a MVP out ASAP. After 2-3 years though, they end up having to hiring experienced professionals, or the company ends up dying out. This is due to the fact that young people, although they can code, most of them end up writing bad code.

Young coders tend to add code as they are told, to perform exactly what is asked of them. While this seems like a good thing for the company, its really a bad idea. Older coders will question the reason that the code is being added. Understanding the resulting goal is important to provide a better way to implement the solution that will help, not hinder, future development. I can't tell you the number of times that I received a user feature request, that was changed because we found a different solution that worked out better for system, and the workflow of the user.

Young coders tend to add features on top of other features. Doing this can be really bad. Continuing to add features will almost always cause code to be slower, because no one wants to understand the code they are not touching. I was once brought in to fix an API built in PHP, Rest API queries were taking anywhere between 40ms to 32s. i.e. A list of 10 items took over 10s to export in PHP.

Young coders tend to use massive frameworks (had a javascript app use over 13000+ npm modules). I have a love/hate relationship with frameworks. Its good in that it allows you to rapidly develop. Its bad in that its a lot easier to write poor performing code in it, where its harder to debug or profile, and if you have to do anything that is outside of the framework, good luck. I've found that most languages (that are mature) tend to not need frameworks or if they do, tend to be very lightweight.