Quiz Entry - updated: 2026.07.05
How did the British Airways breach demonstrate the danger of third-party JavaScript?
~380,000 cards were skimmed by 22 lines of malicious third-party JavaScript (2018) — a Content Security Policy and Subresource Integrity would have blocked it.
380,000 credit cards stolen with just 22 lines of injected JavaScript (2018).
Attack mechanism:
- Malicious script captured payment form data on submission
- Sent copies to attacker's server (
baways.com— typosquat domain) - Used TLS encryption to blend in with legitimate traffic
- Didn't disrupt checkout flow — users noticed nothing
Why it worked:
- Website allowed external JavaScript execution
- No Content Security Policy (CSP) to restrict script sources
- No Subresource Integrity (SRI) to verify script contents
- Payment data processed client-side before submission
Prevention:
- Strict CSP headers limiting script sources
- SRI hashes for all external scripts
- Server-side payment processing (don't expose card data to client JS)
Go deeper:
British Airways data breach (Wikipedia) — the 2018 Magecart skimmer, ~429k affected, and the GDPR fine.