Bookmark: "I’m harvesting credit card numbers and passwords from your site. Here’s how."

2018-01-07

Bookmarked:

I’m harvesting credit card numbers and passwords from your site. Here’s how. hackernoon.com (via archive.org)

A fictional story showcasing a smart (social engineering) exploit to use npm packages as a backdoor vector for malicious code.

On any page that collects any data that you don’t want me (or my fellow attackers) to have, don’t use npm modules. Or Google Tag Manager, or ad networks, or analytics, or any code that isn’t yours.

The author even illustrates how a CSP header will not fully prevent this kind of attack. In the end, it boils down to the summary of the article:

My goal (as it turns out) is simply to point out that any site that includes third party code is alarmingly vulnerable, in a completely undetectable way.

The recommendation would be to use sandboxed iframes with hand-crafted JS for any sensitive input pages.

I'm Sebastian, Sociologist and Interaction Designer. This journal is mostly about bringing together social science and design for inclusive, privacy-focused, and sustainable "human-first" digital strategies. I also tend to a "digital garden" with carefully curated resources.

My occasionally sent email newsletter has all of the above, and there is of course also an RSS feed or my Mastodon/Fediverse profile.

Discussion:

Name

Comment *

Available formatting commands

Use Markdown commands or their HTML equivalents to add simple formatting to your comment:

Text markup

*italic*, **bold**, ~~strikethrough~~, `code` and <mark>marked text</mark>.

Lists

- Unordered item 1
- Unordered list item 2

1. Ordered list item 1
2. Ordered list item 2

Quotations

> Quoted text

Code blocks

```
// A simple code block
```

```php
// Some PHP code
phpinfo();
```

Links

[Link text](https://example.com)

Full URLs are automatically converted into links.