Ticketmaster security breach caused by JavaScript on payments page

Bespoke JavaScript code shouldn't have been run on a payments page, says Inbenta CEO Jordi Torras

Inbenta, the company Ticketmaster hinted was the cause of the security breach that spilt the credit-card details of 40,000 customers, has blamed Ticketmaster for the incident.

Jordi Torras, CEO of Inbenta, accused Ticketmaster of adopting an insecure practice by running bespoke JavaScript coded by Inbenta on its payments page.

Torras rejected the implication that Inbenta had been compromised in any way and told Computing that the JavaScript hadn't been intended to run on something as sensitive as a payments page.

Had we known that JavaScript would have been used in that way, we would have advised against it, as it poses a security threat

"We can confirm with 100 per cent certainty that no data was taken from our servers and no other customers other than Ticketmaster were affected. The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what we built it for.

"Had we known that JavaScript would have been used in that way, we would have advised against it, as it poses a security threat. We are deeply sorry for anyone affected by the breach, and we are absolutely certain that no other customers of Inbenta have been hacked," said Torras.

In a statement on the company's website, Torras added that his company received notification of the breach from Ticketmaster on Saturday evening.

"Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster's particular requirements. This code is not part of any of Inbenta's products or present in any of our other implementations.

"Ticketmaster directly applied the script to its payments page, without notifying our team.

"Had we known that the customised script was being used this way, we would have advised against it, as it incurs greater risk... The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018."

After being notified, Inbenta conducted its own code audit of both general and customised scripts and concluded that only Ticketmaster was compromised - directly as a result of Ticketmaster's own actions.

The source of the compromise was the alteration of three files affecting three specific websites run by Ticketmaster

"We can fully assure our customers and end-users that no other implementation of Inbenta across any of our products or customer deployments has been affected," the company asserted.

The source of the compromise was the alteration of three files affecting three specific websites run by Ticketmaster. The JavaScript is hosted by Inbenta and embedded on customers' websites, enabling it to add new capabilities quickly and flexibly.

However, Inbenta cannot monitor the particular pages on which customers embed its technology.

In a FAQ published by Inbenta, the company indicated that it will modify this strategy so that in future "all the customised snippets and JavaScript files are solely hosted by our customers, so Inbenta's technology will be solely accessed by our secured, standard RESTful API".

Earlier today, start-up bank Monzo also pointed the finger of blame at Ticketmaster, claiming that it informed the company of a security breach in April. Ticketmaster, however, told Monzo a week later that its investigation hadn't uncovered a breach.