Ticketmaster's U.K. breach shows risks of third-party code on websites

Register now

Ticket sales company Ticketmaster has warned customers in the U.K. that malicious code running on its website could have led to personal data and payment details being stolen.

On a special website the company has set up to inform its customers, Ticketmaster explains that the breach happened at Inbenta, whose software it uses to handle customer support and whose code was thus embedded on Ticketmaster’s website. Upon discovering the breach, Ticketmaster disabled Inbenta’s software throughout the site.

The breach, which appears to have affected only users of the company’s U.K. service, was discovered on Saturday, but the phrasing on the website suggests the malicious code may have been running for months.

This kind of breach through third-party JavaScript code is quite common and may go undetected for months, according to Kevin Beaumont, a U.K.-based security researcher. Because such code could run on pages that handle payment information, the attackers may have gotten hold of CVV2 data, making this a rather valuable breach.

Running third-party JavaScript is common practice on websites that allows them to outsource various tasks, from handling support to providing accessibility. It would be unrealistic to expect sites to disable all third-party JavaScript code, even if that is the only thing that guarantees protection against these kind of attacks.

However, there are a number of things websites can do to mitigate the risk. The first is to actively monitor the scripts running on the site and the changes made to them; in particular, site owners should look at what other scripts are called by those third-party scripts.

A second option is to use features that restrict the scripts that can be run on a website, in particular techniques such as Content Security Policy (CSP) and Subresource Integrity (SRI). Following a website attack earlier this year, that also involved compromised third-party JavaScript code, Scott Helme, another U.K.-based security researcher, explained how these techniques could have prevented the attack.

Finally, a site owner may want to consider whether running third-party code is necessary on all parts of the website. In particular, those pages on which users enter personal data may be best excluded from running any third-party code.

For Ticketmaster this advice obviously comes too late. The company urges its customers to check account statements for evidence of fraud or identity theft, while it also offers 12 months of free identity monitoring for affected customers.

For reprint and licensing requests for this article, click here.
Cyber security Online payments U.K.