Security Market Segment LS
Saturday, 30 June 2018 05:44

UK researcher says one line of code caused Ticketmaster breach Featured


Well-known British security researcher Kevin Beaumont says the breach of the British operations of American multinational ticket sales and distribution company Ticketmaster, that has led to the possible leak of tens of thousands of credit card details, was caused by the incorrect placement of a single line of code.

As iTWire  reported, Ticketmaster UK blamed third-party supplier Inbenta Technologies for the incident. Inbenta, in turn, said that the breach had been caused by Ticketmaster directly applying a customised piece of JavaScript without notifying its (Inbenta's) team.

Beaumont said Inbenta was providing a chat bot for website developers "by providing a single line of HTML which calls a JavaScript from Inbenta’s Web server. JavaScript allows controlled code execution via a website, for example to redirect traffic from forms, or run a chatbot assistant".

He pointed out that while Inbenta had provided Ticketmaster a customised JavaScript one-liner, the ticketing company had placed this chatbot code on its payment processing website without informing Inbenta it had done so.

"This means that Inbenta’s webserver was placed in the middle of all Ticketmaster credit card transactions, with the ability to execute JavaScript code in customer browsers," Beaumont said.

This code had been altered by some malicious person back in February and the problems began at that point, he said.

"(Digital bank) Monzo provided a timeline around how they discovered fraudulently Mastercard transactions tied to Ticketmaster in April 2018, including a visit from Ticketmaster," Beaumont added.

"Ticketmaster’s statement, by contrast, says they discovered the issue in June 2018  –  I presume two months was taken to identify the issue being the Inbenta integration."

Beaumont sounded a warning over this kind of random use of JavaScript without knowing the implications. "...Web developers should be extremely careful what third-party JavaScript code is placed within the payment and personal information processes of their sites," he said.

"Businesses should make a risk assessment around this  –  not just due diligence, but seriously assess the risk and impact of a breach of a third party on their business.

"I’ll give you a spoiler: the risk is very real  –  this isn’t the first time this has happened, somebody who works for PCI (payment card industry) post-breach assessment told me that over 75% of all Web store breaches they assessed at large enterprises happened due to this reason, a massive increase. The impact is huge –  for example, attackers can read and store CCV numbers on cards via JavaScript, as they are ‘live’ in the customer Web browser."

Beaumont said that while companies were investing in PCI standards, compliance, risk, resourcing and encryption, attackers were looking for other links in the chain that they could exploit.

"Cracking AES encryption? Not happening soon," he said. "Breaking into the webserver of a chatbot provider? Yes, that is happening. As Inbenta point out in their incident report, a single line of HTML code in Ticketmaster’s website led to this issue.

"The canary is dead. Check your supply chain. Because attackers are."

Adenike Cosgrove, who is in charge of cyber security at security firm Proofpoint, told iTWire that the Ticketmaster incident was one of the first major international breaches of EU personal data reported after the GDPR enforcement date.

She said this made it "a case to watch with regard to consequences. Questions will be asked first and foremost about how sensitive personal data including payment information was shared, unencrypted, with a third-party application".

Damien Manuel, chairman of the lobby group Australian Information Security Association, commended Ticketmaster "for disclosing the data breach quickly and providing notification to affected customers encouraging them to be vigilant and check for fraudulent credit card transactions".

"This latest incident highlights the need for supply chain governance, as cyber criminals are now attacking the weakest points in the supply chain to gain access to data that can be monetised. The banking sector is very mature in this space and under APRA (Australian Prudential Regulation Authority) requirements, regular security audits are performed across the supply chain."

Read 19588 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


If you're looking at enabling Microsoft Teams for your contact centre, you should bookmark this webinar.

Marketing budgets are now focused on Webinars combined with Lead Generation.

Our panellists from Whangarei District Council (NZ) and Maurice Blackburn Lawyers (Aus) were closely involved in recent projects to enable Microsoft Teams for their own contact centres.

They have kindly agreed to join Enghouse and Microsoft to talk about some of the things they would recommend as most critical for IT and CX professionals planning a Teams Contact Centre migration.

Date: 11 May 2022
Time: 12pm AEST | 2pm NZST | 10am SGT

We look forward to having you join us. Please click the button below to register.



The past year has seen a meteoric rise in ransomware incidents worldwide.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.

Click the button below to get the report.



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News