I’m harvesting credit card numbers and passwords from your site. Here’s how.

239 bookmarks. First posted by sptz45 12 days ago.

The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all. It’s been a frantic week of security scares — it seems like every day there’s a new…
security  javascript  web 
13 hours ago by dstelow
A modern-day "on trusting trust".
javascript  security  npm  web 
2 days ago by dagh
The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all. It’s been a frantic week of security scares — it seems like every day there’s a new vulnerability.
4 days ago by pitiphong_p
Weak web technologies
security  javascript  web  npm  csp  package  hack  via:popular 
5 days ago by rauschen
wow, how easy is it to steal credit card info
encryption  contenSecurityPolicy  hacking  npmHacks 
6 days ago by ElliotPsyIT
"If an attacker successfully injects any code at all, it’s pretty much game over"

very entertaining read; hilariously scary!
xss  hack  npm 
6 days ago by stijn
It's still far too easy to be insecure. Especially node. Thinking about building your own vs using plugins.
hacking  web  javascript  node 
6 days ago by traggett
Ah, folks? About this thing…
security  from twitter
6 days ago by ZacharyAKlein
Recommended reading on @Medium
from instapaper
6 days ago by arakno
I’m harvesting credit card numbers and passwords from your site. Here’s how.
from twitter
6 days ago by seanreiser
Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.
javascript  security  web 
7 days ago by whip_lash
So, it is with a heavy heart that I’ve decided to come clean and tell you all how I’ve been stealing usernames, passwords and credit card numbers from your sites for the past few years.
web  security  dev 
7 days ago by Volgar
via a fictional npm module being clever
security  javascript 
7 days ago by christine.y
I’m harvesting credit card numbers and passwords from your site. Here’s how.
from twitter
8 days ago by RBaumier
My goal (as it turns out) is simply to point out that any site that includes third party code is alarmingly vulnerable, in a completely undetectable way.
web  security  javascript  packages 
8 days ago by mirthe
On any page that collects any data that you don’t want me (or my fellow attackers) to have, don’t use npm modules. Or Google Tag Manager, or ad networks, or analytics, or any code that isn’t yours.
javascript  security  web  programming 
8 days ago by soobrosa
Nice idea to inject evil code in other people’s sites.
security 
8 days ago by ssp
There’s no shortage of smart, nasty people out there, and 400,000 npm packages. It seems to me that the odds are better than even that at least one of those packages has some malicious code in it, and that if it’s done well, you would never even know.

And here’s an interesting thought experiment: I wrote an npm package last week, a little easing function. Totally unrelated to this post and I give you my word as a gentleman that there is nothing malicious in there. How nervous would you be adding that to your site?
javascript  webdev  security 
8 days ago by lehmannro
RT : Glorious example of being a sneaky fuck. Acceptance that you’ve probably already been hacked is the first step.
from twitter_favs
8 days ago by stevelacey
"So, it is with a heavy heart that I’ve decided to come clean and tell you all how I’ve been stealing usernames, passwords and credit card numbers from your sites for the past few years."

Oy vey.
javascript  security 
8 days ago by davewsmith
obfuscated jsfiddles in npm.
boom.
security  javascript 
9 days ago by jojobong
interesting article
security  javascript  web  npm  csp  via:popular 
9 days ago by lokifoo
The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all.
csp  javascript  npm  security  web 
9 days ago by Gwendoux
The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all. It’s been a frantic week of security scares — it seems…
from instapaper
9 days ago by Aetles
I’ve decided to come clean and tell you all how I’ve been stealing usernames, passwords and credit card numbers from your sites for the past few years
9 days ago by SecurityFeed
“I’m harvesting credit card numbers and passwords from your site. Here’s how.” by @D__Gilbertson
9 days ago by adamliptrot
RT : An awareness-raising article along the lines of: imagine a hacker who had spent years stealing credit card numbers and passwords through an open-source npm module... scary, isn't it?
from twitter
9 days ago by maet
My goal (as it turns out) is simply to point out that any site that includes third party code is alarmingly vulnerable, in a completely undetectable way.
security  web_dev 
9 days ago by zephyr777
I’m harvesting credit card numbers and passwords from your site. Here’s how.
from twitter
9 days ago by karsh
The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all. It’s been a frantic week of security scares — it seems like every day there’s a new vulnerability.
IFTTT  Pocket 
9 days ago by deepblue
Excellent walk through of the potential dangers of third party code:
from twitter
10 days ago by aiwilliams
The following is a true story. Or maybe it’s just based on a true story. Perhaps it’s not true at all. It’s been a frantic week of security scares — it seems like every day there’s a new…
javascript  security  csp  npm 
10 days ago by tedw