The British Airways Hack: JavaScript Weakness Pin-pointed Through Time-lining

Why Modernization Is Not A Good Thing

A few years ago I predicted that JavaScript would soon be a dead language as it has fossilized itself and was just so clunky to use. How wrong could I have been, in that it now rules the roost in terms of making Web pages more dynamic. But it is now opening up holes on the Internet, and it is suspected that it was behind the British Airways hack.

There was great speculation that the hack had been caused by JavaScript, as the company defined that they did not store CVV numbers, but released a statement after the initial incident report to say that they could have been involved in the data capture. This pointed towards a JavaScript injection attack, and where over 3 80,000 credit card details could have been breached.

The research team at RiskIQ found the clues to the JavaScript injection by noting the time frame of the hack, and then noticed that the modernizr-2.6.2.js file had been changed just two hours before the start of the date of the breach defined in the British Airways press release (20:49 GMT, 21 August, 2018). This file had not been changed since 2012.

It is thought that the Magecart hacking group had added just 21 lines of code to the file, and where the ba.com site…