Only a few weeks ago, I wrote about a new GDPR course with John Elliott. We've been getting fantastic feedback on that course and I love the way John has been able to explain GDPR in a way that's actually practical and makes sense! In my experience, that's a bit of a rare talent in GDPR land...
As luck would have it (or "bad luck", depending on your perspective), after recording that course but before posting this piece we saw a perfect industry example of the problem. Actually, it dates back to before the June record date to this tweet the month before:
@Ticketmaster_NZ pic.twitter.com/MYFZy88SUc— Shane Langley (@AskewDread) May 7, 2018
It later eventuated that the compromise was due to a single line of code or more specifically, a script tag on Ticketek's website that embedded a chatbot from a company called Inbenta. Inbenta than had their script compromised and because it was embedded on the Ticketmaster payment page, that's it, game over, the contents of the DOM and any input fields are now accessible via a malicious party. This is eerily similar to the Browsealound incident only a few months earlier although rather than a bit of (mostly) harmless crypto coin mining, it led to full on card theft.
This sort of thing is alarming common and you really want to think about whose script you embed on your site:
But we also have good defences against these things going wrong. For example, John and I talk about content security policies and subresource integrity, both free and easily accessible browser constructs that stop attacks like this dead. CSP in particular could have not only stopped that attack, but actually alerted Ticketek to it as soon as it began. There's a whole heap more beyond that, of course, and it's all baked into one of those very conversational "play by plays" so it's easy watching and only just over an hour long.