
Keyloggers Injected in Web Trust Seal Supply Chain Attack - tastroder
https://www.bleepingcomputer.com/news/security/keyloggers-injected-in-web-trust-seal-supply-chain-attack/
======
theandrewbailey
Third-party Javascript considered harmful. Use SRI!

[https://developer.mozilla.org/en-US/docs/Web/Security/Subres...](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)

------
rtempaccount1
Another in the growing line of supply chain attacks. It's inevitable that as
primary sites improve their security, attackers will seek to exploit other
elements in the chain that might present easier targets.

Given the number of 3rd party JavaScript files that commonly get loaded for
things like tracking and analytics, it seems likely we'll see more of these
kinds of sites getting targeted.

------
ga-vu
Only 100 sites impacted:
[https://publicwww.com/websites/%22d20iczrsxk7wft.cloudfront....](https://publicwww.com/websites/%22d20iczrsxk7wft.cloudfront.net%2Fbotwverified%2Fbadge.js%22/)

Appears these seals have died out.

~~~
rtempaccount1
Glad to see they're dying out, they really did seem to me like an example of
Security Theatre.

~~~
tyingq
These particular ones are $29.95/month, and don't appear to include any sort
of scanning, verification, etc. So there's not even a "theater level" attempt
to relate to security.

------
codezero
I use dnscrypt and log all my DNS queries; I'm pretty relieved to see that
I've never looked up the domain used to exfiltrate the data! Gist of the
unobfuscated code is here:
[https://gist.github.com/gwillem/4403a9caf6877d6276cf6fe834a0...](https://gist.github.com/gwillem/4403a9caf6877d6276cf6fe834a0b48a)

------
dontbenebby
Trust seals are easily faked and train users to trust in-band signaling (e.g.
images of locks to mimic HTTPS, logos, etc.) instead of paying attention to
the URL bar.

They should be considered harmful with or without malicious JavaScript.

------
runnr_az
Isn't it ironic, dontcha think?

