What is formjacking?

The Symantec article you are referring to is like this one.

Looking at the graphic:

graphic

Point 1 is what is generally the most interesting to security researchers, because that is where the vulnerability is.

Points 2 and 3 just show what might be possible with such a vulnerability. For example, JavaScript can be used in phishing attacks (show a fake form) or to read out any data the user enters into forms. This is what Symantec calls formjacking, but it's of course nothing new.

Their article also has a section "How are websites being compromised?", which will likely interest you.

Vulnerabilities do indeed include the option to change server-side code, though not necessarily that of the main application, but especially that of JavaScript dependencies.

Issues with including third-party JavaScript are of course nothing new either. Burp, e.g., calls it Cross-domain script include, and OWASP warns about it as well. Including third-party scripts always requires complete trust in the third party as well as trust in their security processes.
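The cross-domain script include check mentioned above, as an added example that is not part of this answer: a small Node.js script that lists every `<script src>` in a page, resolves it against the page origin the way the browser would, and flags the cross-origin ones that carry no `integrity` attribute. The page origin, hostnames, paths and the placeholder integrity value in the sample HTML are constructed for the demo.

```javascript
// Added example (not part of the answer above): the check behind a
// "Cross-domain script include" finding, run offline over a page's HTML.
// The page origin, hosts and paths below are constructed for the demo.
const SAMPLE_PAGE_ORIGIN = "https://shop.example";

const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"
        integrity="sha384-NOT-A-REAL-DIGEST" crossorigin="anonymous"></script>
<script src="https://carousel.my-site.com/slider.js"></script>
<script src="//chat.thirdparty.example/widget.js"></script>
<script>console.log("inline script, no src");</script>
</head><body></body></html>`;

// Pull every <script ...> opening tag that has a src attribute.
// Inline scripts (no src) are not includes and are skipped.
function extractScriptTags(html) {
  const tags = [];
  const tagRe = /<script\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue;
    tags.push({
      src: src[1],
      hasIntegrity: /\bintegrity\s*=/i.test(tag),
      hasCrossorigin: /\bcrossorigin\b/i.test(tag),
    });
  }
  return tags;
}

// Resolve each src against the page origin (relative and protocol-relative
// URLs included) and mark it cross-domain when the origin differs.
function classifyIncludes(html, pageOrigin) {
  const page = new URL(pageOrigin);
  return extractScriptTags(html).map((t) => {
    const u = new URL(t.src, page);
    return { ...t, resolved: u.href, crossDomain: u.origin !== page.origin };
  });
}

// The includes that matter: cross-domain and unpinned, i.e. whoever controls
// (or can spoof) that host can swap the script body without the site noticing.
function findUnpinnedCrossDomainScripts(html, pageOrigin) {
  return classifyIncludes(html, pageOrigin).filter(
    (t) => t.crossDomain && !t.hasIntegrity
  );
}

// Stand-alone report.
for (const t of classifyIncludes(SAMPLE_HTML, SAMPLE_PAGE_ORIGIN)) {
  const label = !t.crossDomain
    ? "same-origin"
    : t.hasIntegrity
    ? "cross-domain, SRI"
    : "cross-domain, NO SRI";
  console.log(`${label.padEnd(22)} ${t.resolved}`);
}
```

The regex-based tag scan is deliberately dependency-free so it can run against a saved response body; on real pages, scripts that are injected by other scripts at runtime (tag managers, chat widgets) will not appear in the static HTML and need the browser's network log instead.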

Why is formjacking the big deal?

Good marketing on the part of Symantec?


Direct access to the server is not required

There are a number of ways that malicious JavaScript could end up on a webpage without the attacker having access to the server.

  • The author of the website might be linking to a library from an untrustworthy source
    • e.g. Web Developer A likes the image carousel on my-site.com and links directly to it - now the owner of my-site.com can modify that script whenever they like, potentially adding malicious code.
  • The author of the website might have copied some javascript from an untrustworthy source
    • e.g. Web Developer B is searching for a library to convert Celsius to Fahrenheit. They find a script on free.javascriptlib.zz which does the job, but don't notice it contains malicious code because the script itself is obfuscated.
  • The end user might sabotage themselves by using an untrustworthy browser extension or bookmarklet.
    • e.g. Alice has added a button to her browser which gives her an emoji keyboard, but it also inserts malicious code into the current page.
  • The end user might be the victim of DNS spoofing.
    • e.g. Bob's DNS lookup for https://code.jquery.com/jquery-3.3.1.min.js has been compromised, so it now delivers a version of jquery from an unsafe source which has had malicious code added.
  • ... etc. etc.

The other concern with these types of attack is that they can be difficult to detect. JavaScript is executed client-side, and so none of these would raise flags about the site being compromised: it's unlikely that affected users would get any warning that their details have been stolen.


Regarding the British Airways vulnerability in particular, the BBC wrote an article speculating on the cause here: https://www.bbc.co.uk/news/technology-45446529

In it, they suggest that it was likely to be a third-party script and cite another example regarding Ticketmaster where "an on-site customer service chatbot was labelled as the potential cause".


I agree. Formjacking is not a vulnerability, but a type of attack that can be executed if the attacker already has write access to the webroot of the victim, or to the webroot of another site that has the full trust of the victim.

Therefore, formjacking might also be an issue if the victim's webroot is safe but they dynamically include third-party code or just try to serve ads, which also frequently leads to malformed trust relationships.

Formjacking is interesting, as the victim of the attack is the customer of the company the attacker is targeting, and groups like Magecart have already earned quite some money with it.