🚨 Magecart Alert 🚨.A live Magecart skimmer on payment pages is exfiltrating credit card data in violation of PCI DSS. Script downloaded from: hxxps://meriksshadowfiend[.]top/moritz-ca/metrics.js. Sending stolen data to:.hxxps://pixelnotinggo[.]top/api/accept-metrics

Multiple shipped features this month 🤩.Full details on cside. dev/changelog.

What do you want to know?.

A browser extension can quietly remove critical security headers like CSP. No warning. No consent. You install an extension and suddenly, protections against data leaks and injections are gone. Should we make this an explicit opt-in?. Or will that see no adoption?

❗️We've identified a Magecart-like attack on the OpenCart CMS platform, mainly targeting East-Asian e-commerce websites.

This is what makes client-side attacks so dangerous. Dynamism is a sword that cuts both ways. Attacker leverage this to stay undetected for days, weeks and months.

Read our full report:.

Yesterday CoinMarketCap got struck by a substantial client-side attack. Impacting all logged in users to reauthenticate their wallet access, and inadvertently grating access to a bad actor.

Hello from Gartner!.Come visit us at booth 971 in the startup zone.

We analyzed an attack on a Magento-based eCommerce site. The injection technique used hides in plain sight as the attacker is using ‘Google .com’ to deliver and execute their own code.

We’re at InfoSec all week!.Booth B133, come say hi!

Thanks for having us @eChannelNews!.

A new attack found in Progressive Web Apps (PWAs). They are browser-based too after all, and are also targets in client-side attacks.

If you’re serious about client-side security, you need runtime protection that sees what scripts actually do in your users' browsers. CSP is like locking your front door while leaving the windows wide open.

If you believe “strict CSP” is enough, look at Magecart, PII leaks, or the rise of fake browser updates. CSP couldn't save them, and neither will it save you.

"But we use CSP so we're fine". ❌ No, you’re not. CSP was designed to protect you from things like XSS. But in reality, a CSP is blind as a bat. If you trust a vendor’s domain, CSP lets it right through. If that vendor gets compromised? CSP shrugs.

Thanks people at BSides and RSAC!.After the conferences, we hosted a rooftop afterparty for +500 people. A great way to close out the week. Thanks to @SocketSecurity, @arcjethq and @incident_io for co-hosting with us 💙

Here is how they tried it (and failed):.

Here is how they tried it (and failed):.

RT @Bandrew: Must-read cybersecurity story by @bobbie in latest @WIRED about portfolio CEO @SimonWijckmans of @csideai discovering a deeply….

A few months ago we found North Korean operators trying to infiltrate our company. In collaboration with WIRED, we underwent thorough investigation and wrote our full story:.