The Hack of British Airways: 21 lines of JavaScript

The British Airways Hack: JavaScript Weakness Pin-pointed Through Time-lining


Why Modernization Is Not A Good Thing

A few years ago we predicted that JavaScript would soon be a dead language as it has fossilized itself and was just so clunky to use. Now, however, it’s opening up holes on the Internet, and it is suspected that it was behind the British Airways hack.

There was great speculation that the hack had been caused by JavaScript, as the company stated that it did not store CVV numbers, but released a statement after the initial incident report to say that they could have been involved in the data capture. This pointed towards a JavaScript injection attack, in which over 80,000 credit card details could have been breached.

The research team at RiskIQ found the clues to the JavaScript injection by noting the time frame of the hack, and then noticed that the modernizr-2.6.2.js file had been changed just two hours before the start of the date of the breach defined in the British Airways press release (20:43 GMT, 21 August, 2018). This file had not been changed since 2012.

It is thought that the Magecart hacking group had added just 21 lines of code to the file, and the site made heavy use of JavaScript. Here we can see the integration of Modernizr [code]:


It is likely that the hackers had access to the site, and modified the code in order to insert a backdoor.

Modernizr is a JavaScript library for enhanced interaction, but it was modified to capture data from the payment form and send the data on to a server located in Romania. The code itself was built on the standard code:


Overall the hackers modified the modernizr-2.6.2.min.js script so that it captured a mouse event, and then gathered the form data and sent it to (and where it even had a digital certificate on the site):


Both the mobile application and the Web pages used this back-end JavaScript, and thus both were compromised. X-option headers and CSP code integration are one way to enhance the detection of code injection, but, unfortunately, the site achieves a lowly D grade on its integration of these methods [scan] with only iframe injection being detected:
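To make the CSP point concrete, here is an added example (not code from the original page or from British Airways) that checks whether a given Content-Security-Policy header would let a script on a payment page send data to a third-party server. It is a simplified evaluation of `connect-src` with its `default-src` fallback; the function names and the origins `shop.example` and `collector.invalid` are constructed for illustration.

```javascript
// Added example: simplified CSP evaluation, not a full CSP implementation.
// Ports and paths in host-sources are ignored; origins below are constructed.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function sourceMatches(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'self'") return target.origin === page.origin;
  if (s === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source
  // host-source: [scheme://]host, where host may start with "*."
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/);
  if (!m) return false;
  const scheme = m[1] ? m[1] + ':' : page.protocol; // no scheme: use the page's
  if (target.protocol !== scheme) return false;
  const host = m[2];
  return host.startsWith('*.')
    ? target.hostname.endsWith(host.slice(1))
    : target.hostname === host;
}

// Would a script running on pageOrigin be allowed to send data to targetUrl
// with XHR, fetch or sendBeacon? connect-src falls back to default-src.
function allowsOutboundSend(header, pageOrigin, targetUrl) {
  const page = new URL(pageOrigin);
  const target = new URL(targetUrl);
  const policy = parseCsp(header);
  const sources = policy.get('connect-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // nothing restricts outbound requests
  return sources.some((src) => sourceMatches(src, target, page));
}

const PAGE = 'https://shop.example';                  // constructed
const COLLECTOR = 'https://collector.invalid/gate';   // constructed third-party endpoint
for (const csp of ['', "frame-ancestors 'self'", "default-src 'self'",
                   "default-src 'self'; connect-src https:"]) {
  console.log(JSON.stringify(csp), '->', allowsOutboundSend(csp, PAGE, COLLECTOR));
}
```

A policy that only restricts framing leaves outbound requests from an injected script unrestricted, and a broad `connect-src https:` reopens what `default-src 'self'` had closed.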

