9 comments

[ 3.6 ms ] story [ 40.0 ms ] thread
Isn't it ironic, dontcha think?
Another in the growing line of supply chain attacks. It's inevitable that as primary sites improve their security, attackers will seek to exploit other elements in the chain that might present easier targets.

Given the number of 3rd party JavaScript files that commonly get loaded for things like tracking and analytics, it seems likely we'll see more of these kinds of sites getting targeted.

  3rd party JavaScript files 
  that commonly get loaded for 
  things like tracking and 
  analytics
Oh no! Not the megabytes upon megabytes of tracking scripts!

What will we do without the tracking scripts???

Trust seals are easily faked and train users to trust in band signaling (eg images of locks etc to mimic HTTPS, logos etc) instead of paying attention to the URL bar.

They should be considered harmful with or without malicious javascript.