Ticket sales company Ticketmaster has warned customers in the U.K. that malicious code running on its website could have led to personal data and payment details being stolen.
On a special
The breach, which appears to have affected only users of the company’s U.K. service, was discovered on Saturday, but the phrasing on the website suggests the malicious code may have been running for months.
This kind of breach through third-party JavaScript code is quite common and may go undetected for months, according to
Running third-party JavaScript is common practice on websites that allows them to outsource various tasks, from handling support to providing accessibility. It would be unrealistic to expect sites to disable all third-party JavaScript code, even if that is the only thing that guarantees protection against these kind of attacks.
However, there are a number of things websites can do to mitigate the risk. The first is to actively monitor the scripts running on the site and the changes made to them; in particular, site owners should look at what other scripts are called by those third-party scripts.
A second option is to use features that restrict the scripts that can be run on a website, in particular techniques such as Content Security Policy (CSP) and Subresource Integrity (SRI). Following a website attack earlier this year, that also involved compromised third-party JavaScript code, Scott Helme, another U.K.-based security researcher,
Finally, a site owner may want to consider whether running third-party code is necessary on all parts of the website. In particular, those pages on which users enter personal data may be best excluded from running any third-party code.
For Ticketmaster this advice obviously comes too late. The company urges its customers to check account statements for evidence of fraud or identity theft, while it also offers 12 months of free identity monitoring for affected customers.
