Ticketmaster breach was caused by bespoke JavaScript on payments page

The Ticketmaster data breach was caused by bespoke JavaScript running on its payments page, according to Inbenta, the company originally blamed for the incident.

Ticketmaster, when announcing the breach that saw an unknown third-party access payment details of up to 40,000 customers, blamed the attack on “malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.”

However, Jordi Torras, CEO of Inbenta, has blamed Ticketmaster for the breach, saying it adopted the insecure practice of running bespoke JavaScript, coded by Inbenta, on its payments page.

Torras rejected the implication that Inbenta had been compromised in any way and told the INQUIRER that the JavaScript hadn’t been intended to run on something as sensitive as a payments page.

“We can confirm with 100 per cent certainty that no data was taken from our servers and no other customers other than Ticketmaster were affected,” he said. “The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what we built it for.

“Had we known that JavaScript would have been used in that way, we would have advised against it, as it poses a security threat. We are deeply sorry for anyone affected by the breach, and we are absolutely certain that no other customers of Inbenta have been hacked,” said Torras.

In a statement on the company’s website, Torras added that his company received notification of the breach from Ticketmaster on Saturday evening.

“Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements. This code is not part of any of Inbenta’s products or present in any of our other implementations.

“Ticketmaster directly applied the script to its payments page, without notifying our team.

“Had we known that the customised script was being used this way, we would have advised against it, as it incurs greater risk… The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018.”

After being notified, Inbenta conducted its own code audit of both general and customised scripts and concluded that only Ticketmaster was compromised – directly as a result of Ticketmaster’s own actions.

“We can fully assure our customers and end-users that no other implementation of Inbenta across any of our products or customer deployments has been affected,” the company asserted. 

The source of the compromise was the alteration of three files affecting three specific websites run by Ticketmaster. The JavaScript is hosted by Inbenta and embedded on customers’ websites, enabling it to add new capabilities quickly and flexibly.

However, Inbenta cannot monitor the particular pages on which customers embed its technology.

In an FAQ, the company indicated that it will modify this strategy so that in future “all the customised snippets and JavaScript files are solely hosted by our customers, so Inbenta’s technology will be solely accessed by our secured, standard RESTful API”.

Separately, on Thursday, digital banking service Monzo said it alerted Ticketmaster to the data breach in April, despite Ticketmaster's claims that it hadn't learnt of the breach until June.

Given these claims that Ticketmaster was sitting on the breach for two months, the firm could face a hefty fine under the EU's new GDPR rules, which require firms to report data breaches without "undue delay, and where feasible, not later than 72 hours after having become aware of it."

The Information Commissioner's Office said it was investigating the breach.

Source : Inquirer
