Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage

Ticketmaster is telling its customers that it wasn't to blame for the infection of its site by a strain of the Magecart cred-stealing malware – despite embedding third-party JavaScript into its payments page. In a letter to Reg reader Mark, lawyers for the controversy-struck event ticket sales website said that Ticketmaster " …


  1. }{amis}{ Silver badge
    Flame

    Offsite scripts GAH!

    I've lost track of the number of times I've had to bash heads together over this kind of thing.

    It's usually some sales or marketing drone who thinks that adding a <insert retarded social network here> link to the website will magically add a ton of traffic.

    This tends to result in emails like this:

    F.F.S. people if its an even vaguely secure area no script that you have not copied locally and validated does what you think it does goes in, is this so hard to understand.

    1. EnviableOne Bronze badge

      Re: Offsite scripts GAH!

      Didn't help BA: their internal hosting got compromised, and the script was served from their servers.

    2. Captain Badmouth
      Headmaster

      Re: Offsite scripts GAH!

      "F.F.S. people if its an even vaguely secure area no script that you have not copied locally and validated does what you think it does goes in, is this so hard to understand."

      Without proper punctuation, yes.

      1. }{amis}{ Silver badge
        Unhappy

        Re: Offsite scripts GAH!

        I don't like making excuses for myself but dyslexia sucks and tools like Grammarly can only do so much!

        It's really depressing when you get spelling and grammar corrections from a coworker for whom English is his third language!

        1. Captain Badmouth
          Thumb Up

          Re: Offsite scripts GAH!

          Sorry for that, we'll understand in future.

          1. }{amis}{ Silver badge
            Happy

            Re: Offsite scripts GAH!

            Thank you

        2. Anonymous Coward
          Anonymous Coward

          Re: Offsite scripts GAH!

          I don't like making excuses for myself but dyslexia sucks and tools like Grammarly can only do so much!

          Hamish, relax. I would like to offer you this video as a comment. It explains my views in a far nicer way (with a nice surprise at the end) than I would be able to express them myself.

          Cheers.

          1. }{amis}{ Silver badge
            Happy

            Re: Offsite scripts GAH!

            I would like to offer you this video as a comment.

            Thank you very much for that I haven't seen that one before and it made me smile.

          2. Walter Bishop Silver badge
            Facepalm

            Re: Offsite scripts GAH!

            NoScript detected a potential Cross-Site Scripting attack

            from https://sync.rtk.io to https://ads.avocet.io.

            Suspicious data:

            (URL) https://ads.avocet.io/getuid?url=//x.bidswitch.net/sync?dsp_id=59&user_id={{UUID}}&ssp=rtkio&bsw_param=9edf2f91-6c5c-4248-b768-ca7d39a0076e

      2. TomG

        Re: Offsite scripts GAH!

        Had to read it three times, adding punctuation, before it made sense. Punctuation has a purpose, use it.

        1. Alan Brown Silver badge

          Re: Offsite scripts GAH!

          "Punctuation has a purpose, use it."

          Up to a point...

          Punctuation (or lack of) has been what several legal cases have hinged upon - especially commas.

          It isn't helped by the issue that full stops or commas can be smudged in reproduction (faxing) or disappear entirely.

          That's why lawyers don't use it and why their sentences may seem overly wordy when a bit of punctuation might make them shorter. It's all about avoiding (or causing) ambiguity.

          Simpler version: If interpretation of a sentence changes depending on punctuation, then the sentence needs revision. (Let's eat, Grandma/Let's eat Grandma)

          FWIW this is one of the reasons why English is regarded as such a difficult language and why engineering cockups happen so regularly compared to engineering in other languages.

    3. Amos1

      Re: Offsite scripts GAH!

      "...if its an even vaguely secure area no script that you have not copied locally and validated does what you think it does goes in, is this so hard to understand."

      I'm not understanding how that matters. If the script links in external references the script can be benign when tested but not necessarily in the future.

      Still relevant after all these years: Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.

      I'm waiting for the Google Analytics site to get whacked, if just by a resource-consuming coding error.

      1. }{amis}{ Silver badge
        Meh

        Re: Offsite scripts GAH!

        I'm not understanding how that matters. If the script links in external references the script can be benign when tested but not necessarily in the future.

        If the script has any ability to load remote code in after deployment, it fails the "can I put this in a secure area" test.

        If you want analytics of your payment tunnel, use an after-the-event log analysis tool.

        There are plenty that can have this data uploaded to the cloud to give the morons in management pretty graphs that they won't understand to look at.

        1. N2 Silver badge
          Trollface

          Re: Offsite scripts GAH!

          'Moron management'

          Love it, the new gold standard for clusterfucks aplenty.

          Pretty graphs, AdWords, hours of endless meetings & clichés aplenty.

          I'm off to pick some low hanging fruit.

          1. Anonymous Coward
            Anonymous Coward

            Re: Offsite scripts GAH!

            Cool. I'll put a pin in it and we'll touch base again when you get back.

      2. Anonymous Coward
        Anonymous Coward

        Re: Offsite scripts GAH!

        Your law #1, does that apply to microcode inside your CPU too? Damn shame that is hidden from you to do your own audit, eh?

        1. }{amis}{ Silver badge
          Stop

          Re: Offsite scripts GAH!

          Your law #1, does that apply to microcode inside your CPU too? Damn shame that is hidden from you to do your own audit, eh?

          You are right that it is impossible to audit everything but when you are not even attempting to defend against proven attack vectors you have failed at security.

          Having scripts that load untrusted 3rd party code on secure pages is at this point the equivalent of leaving the keys in the front door and wondering why you lost all of your stuff.

          1. Mark 85 Silver badge

            Re: Offsite scripts GAH!

            Having scripts that load untrusted 3rd party code on secure pages is at this point the equivalent of leaving the keys in the front door and wondering why you lost all of your stuff.

            No, it's more like taking the front door off the hinges and setting it aside.

            1. Anonymous Coward
              Anonymous Coward

              Re: Offsite scripts GAH!

              "No, it's more like taking front door off the hinges and setting it aside."

              No it isn't. It's like giving your keys to a cleaning company to clean your premises.

              IF you trust the cleaning company, and you accept the risk that a criminal might join their company with a fake reference, and you believe that there isn't much risk that the cleaner will let a stranger into your house, and you believe that the cleaner will not be mugged and your keys stolen, then you are happy to do that.

              Therefore many people take that risk with a cleaning company but they might not give them keys to the cash room in the finance office.

              There is the opportunity to use specified hosted scripts if you understand the risks and have decided that they are acceptable. However using a link to an online library with no from some new startup is probably to be avoided, I would suggest.

              1. Alan Brown Silver badge

                Re: Offsite scripts GAH!

                "No it isn't. It's like giving your keys to a cleaning company to clean your premises."

                Except that you have a contract with a cleaning company and liability statements, and both of you have liability insurance cover.

                You seldom, if ever, have such contracts with 3rd party script providers, and there are almost always explicit disclaimers of liability associated with them (i.e. "you're on your own"). I do wonder what insurers will make of this when someone decides to get legal on the company whose website served up the links (my suspicion is "your insurance cover is void, we won't be covering your legal fees").

    4. nagyeger

      Re: Offsite scripts GAH!

      This,

      exactly.

      Why does my bank use 3 different off-site script sources on their login page? Do they want everyone's bank account hacked?

      1. Peter X

        Re: Offsite scripts GAH!

        Why does my bank use 3 different off-site script sources on their login page?

        Name and shame!

      2. cynic56

        Re: Offsite scripts GAH!

        Which bank please. I'm paranoid.

      3. Alan Brown Silver badge

        Re: Offsite scripts GAH!

        "Why does my bank use 3 different off-site script sources on their login page?"

        Perhaps because no one's gone through the courts and tested vicarious liability theories yet.

        I.e.: if it's served up from your page, you're liable.

    5. Anonymous Coward
      Anonymous Coward

      Re: Offsite scripts GAH!

      Glory hole sex is a lot safer than off-site scripts.

      1. I'm like, Spartacus, dude.

        Re: Glory hole research

        Which is why, M'lud, I was undertaking extensive research into the aforementioned theory when I was rudely interrupted by Officer Perkins...

    6. Anonymous Coward
      Anonymous Coward

      Re: Offsite scripts GAH!

      And yet your PC and probably every one of your coworkers' and even your domain administrators' are doing just that right now and every day.

      1. J. Cook Silver badge
        Trollface

        Re: Offsite scripts GAH!

        I would like to point out that if the workstation is company owned, then it's not your computer to begin with, and you are being allowed to use it to perform company functions.

        At least that's the argument that we respond with when people are whining about their workstations because we won't let them install Jumboautohackme.exe on their workstation because they like the pretty pretty colors it puts on the screen.

        (Disclaimer: I'm one of the domain admins for [RedactedCo], and I've had to actually use that argument regarding why we don't make world+dog local admins on their workstations to vendors and sundry.)

    7. clanger9
      Facepalm

      Re: Offsite scripts GAH!

      Have a look at the TSB login page. Offsite resources include:

      we-stats.com

      clicktale.net

      online-metrix.net

      tiqcdn.com

      facebook.net (!)

      This is on a bank login page FFS! How many trackers do you need??

      At least they've removed the references to internal test servers that were present when they had their big meltdown earlier this year...

      1. macjules Silver badge

        Re: Offsite scripts GAH!

        @clanger9

        Why on earth would TSB want to not only include their Oracle Server Id (BancSabadell) but also their X-ORACLE-DMS-ECID (6876a6bb-2fce-48c3-b6f2-2c779f6af379-0026893f) in their response headers?

        Could this be a case of, "Haha, Hack us if you dare!"?

      2. Pen-y-gors Silver badge

        Re: Offsite scripts GAH!

        @Clanger9

        Have a look at the TSB login page. Offsite resources include:

        That got me interested. Just looked at the Lloyds login page:

        we-stats.com

        tiqcn.com

        webtrendslive.com

        All now blocked by ABP of course.

        And looking at the Network info from Webdeveloper in Firefox there are a lot of curious bits - cross-site scripting blocked to other subdomains? XML parsing errors? Some very curious "Firefox can't establish a connection to the server at wss://127.0.0.1:5900/"

        And am I the only one who is suspicious of GET requests that have a parameter of 500 bytes of hex?

        1. really_adf

          Re: Offsite scripts GAH!

          "Firefox can't establish a connection to the server at wss://127.0.0.1:5900/"

          IIRC there was an article here a while back that may explain this: part of tests to see if your computer/whatever looks like it has been compromised (VNC in this case.)

          Can't find it now but a web search on that URL looks like it might explain more...

      3. IneptAdept

        Re: Offsite scripts GAH!

        Ugh Tealium (tigcdn)

        What I would love to do to those marketing / data mining pieces of shit. At last count, in their DataObject they had over 1000 pieces of information.

        That's just one; imagine if that is a low bar for what a lot of these companies gather.

    8. Ian Michael Gumby Silver badge
      Boffin

      @hamish Re: Offsite scripts GAH!

      I think you bring up a good point.

      Someone builds a web page for a site and then includes a bunch of JS modules that call outside the organization... like calls to FB, Google, etc ... or they see a neat widget and it's easier / faster to just implement it with no thought to security.

      That said. Many sites, including this one... call Google Analytics and Google Tag services.

      Why? Surely El Reg can do their own site analytics...

      I have to ask why El Reg does this along with every other major site.

      And people wonder why Google will always have better analytics and indexing than their competition.

      Now if only someone in Congress or the EU who deals with anti-trust lawsuits gets a clue ...

      I'd post this anon, but FFS, this should be common sense. Yet no reporter ever writes about this. *cough* *cough* (FREE CLUE HERE EL REG!)

      1. Anonymous Coward
        Anonymous Coward

        Re: @hamish Offsite scripts GAH!

        >Someone builds a web page for a site and then includes a bunch of JS modules that call outside the organization...

        Rant incoming. Only a f**king millennial "developer" (admittedly often enabled by older management) thinks it's a good idea for a nightly build to pull in random shit off the internet. Of course they are going to do it at runtime too. Rant over.

  2. Wellyboot Silver badge

    Their Site

    Their responsibility.

    No excuses.

    1. I_am_not_a_number

      Re: Their Site

      True.

      But if you look more closely, it looks like their lawyers are positioning themselves using GDPR article 82(3):

      "A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage."

      And in doing so, lay the grounds for a potential counter claim to their processors, if that falls through:

      "... [controllers] shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage"

      1. Anonymous Coward
        Anonymous Coward

        Re: Their Site

        But "not in any way responsible" is not true in this case. The third party script is also unlikely to define itself as a data controller. If it was deemed by Ticketmaster to be a data controller then they would have had to do the risk analysis and the consultation with them to ensure their duties as a data controller. They would also have to notify the customers of their use of this third party data controller and gain data transfer agreements under one of the exceptions in GDPR.

        It could all get a bit messy if they go down the GDPR route.

        1. yoganmahew

          Re: Their Site

          @AC

          "It could all get a bit messy if they go down the GDPR route."

          Absolutely it could, it could end with TM being fined for sharing privileged information with unauthorised third parties. TM have stuck themselves into a choice of:

          1. It was us, sorry guv, QC issue on adding scripts.

          2. It was them, we sent them everyone's information and they unsurprisingly stole it, but we sent it, don't worry.

          Actually, 2 breaks PCI and PII rules too, never mind GDPR. TM have managed the insecure trifecta; the trilogy of swillogy; the trio of wankio.

        2. Anonymous Coward
          Anonymous Coward

          Re: Their Site

          Does it get messy?

          My understanding is that Ticketmaster remain the data controller for their customers regardless of who they assign as processors.

          It's possible for the data controller to be prosecuted OR the data controller and the processor to be prosecuted (from https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/):

          * If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

          * However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

        3. Doctor Syntax Silver badge

          Re: Their Site

          "It could all get a bit messy if they go down the GDPR route."

          It's the sort of attempted weaselling that's likely to get them into top tier fines.

          1. Alan Brown Silver badge

            Re: Their Site

            "It's the sort of attempted weaselling that'd likely to get them into top tier fines."

            That depends on who their friends are.

            You and I might think that weaselling is a good reason to slap them harder, but weaselling is primarily a method for the Old Boys' Club to find a way of not slapping each other - and one of the problems with the UK civil service is that the Old Boys' Club still rules.

      2. gnasher729 Silver badge

        Re: Their Site

        If Ticketmaster included scripts on their website, then they are fully responsible to their users for the action of these scripts. Even if they didn't turn the scripts malicious. The only way they would be off the hook would be if they are "not in any way responsible". So just a little bit responsible would be enough.

        Sure, if Ticketmaster has to pay out damages, then they are absolutely entitled to recover their money from the creator or distributor of the malware. But that's their problem, not the problem of people visiting Ticketmaster's website.

    2. IceC0ld Bronze badge

      Re: Their Site

      it is difficult to see how Ticketmaster could say it is not responsible for the breach while keeping a straight face.

      ===

      THIS from a Co that takes the face value of any ticket as a starting point then doubles / trebles down on that, has had PLENTY of experience in keeping at least ONE of their faces straight .....................

      1. jelabarre59 Silver badge

        Re: Their Site

        THIS from a Co that takes the face value of any ticket as a starting point then doubles / trebles down on that, has had PLENTY of experience in keeping at least ONE of their faces straight .....................

        And there's the problem of a company that holds an effective monopoly on pretty much any and all event ticket sales these days (except for, *maybe* stage performances from your local ballet school).

        There's a reason we refer to them as "Ticketbastard".

  3. alain williams Silver badge

    El Reg forgot to mention ...

    that the Ticketmaster CEO claims that butter does not melt in his mouth.

    1. Anonymous Coward
      Flame

      When a CEO proclaims that his shit don't stink

      he should have to demonstrate this by publicly eating some of it.

      (which - at least metaphorically - happened in the wonderful "LifeLock" case: CEO boasted their system protected customers against identity theft, with the result described by the story title "LifeLock CEO's Identity Stolen 13 Times")

    2. Terje

      Re: El Reg forgot to mention ...

      Of course it doesn't melt, vampires are at ambient temperature!

  4. Dabooka Silver badge

    Just out of curiosity

    What did the Java 'customer support product' actually do? Clearly I don't mean the hacked code, I'm referring to the intended function of it.

    1. Captain Badmouth
      Happy

      Re: Just out of curiosity

      The page you are looking for :

      https://www.theregister.co.uk/2018/09/11/british_airways_website_scripts/


Biting the hand that feeds IT © 1998–2019