An analysis of the British Airways payment page shows that the site is loading files from seven external domains that have little or nothing to do with payment processing, according to a security expert.
He found scripts from seven different domains apart from britishairways.com were being loaded. These included files used for tracking, analytics, customer service and A/B testing. "These should not be present on web pages processing customer card data," Greenwood wrote in an article on Medium.
It would be a violation of Payment Card Industry Data Security Standards (PCI DSS) which says only files necessary to the processing of payments should be loaded into pages that take credit card data.
British Airways discovered on Wednesday that it had been breached. The airline revealed that 380,000 customer records containing credit card details had been taken in the attack. Following the breach announcement on Thursday, British Airways pledged to fix the issue to secure customer credit card data.
Greenwood said that payment card details – including the credit card number, expiry date and CVV number – should be isolated in an iframe to prevent third-party scripts from being able to read the form fields but, crucially, this was not being done on the BA payment page.
An independent check by SC on 8 September confirmed this.
Hackers got CVV2 numbers. So either a) BA were storing CVV2 against PCI regs b) they weren’t using SSL somewhere and there was a man in the middle attack or c) XSS. Given third party Js code on the payment page and not using iframe protection, that strongly points to XSS— Paul Lomax (@PaulLomax) September 8, 2018
Alan Woodward, visiting professor in the computer science department at the University of Surrey, told SC that a likely attack scenario is the compromise of a third-party software script, similar to the attack that compromised Ticketmaster.
Greenwood said that according to PCI DSS rules, cross-site scripting flaws are grounds for automatic failure during vulnerability scans by approved scanning vendors (ASVs). Guidance for ASVs states that the scan solution must be able to detect current vulnerabilities and configuration issues based on lists compiled by organisations such as OWASP or SANS.
The guidance states that the scan must be able to detect "Cross-site scripting (XSS) flaws (which must be marked as an automatic failure)".
PCI DSS require merchants to ensure all unnecessary functionality such as scripts have been removed from the payment page and to address common coding vulnerabilities in the software-development process that would allow third-party controlled systems to inject code into the page.
- Top tip: If you are using Chrome as your browser, to view scripting and domain information on web payment pages, hit the F12 button to open developer tools and click on the Sources tab.
Greenwood criticised the steps BA took to remediate the flaws in its payment page. "I think it is quite clear that whatever BA have done to ‘fix the issue’ is insufficient to protect the security of cardholder data," he said.
British Airways did not respond to SC's request for comment.