The Bad Guys Win – Analysis of 10,000 Magecart Vulnerabilities

Conference:  BlackHat USA 2021



The presentation discusses the limitations of current anti-Magecart solutions and proposes the use of browser-native mechanisms as a more effective approach.
  • Current anti-Magecart solutions have scalability problems and cannot detect all types of attacks
  • Hackers can generate false positives, and monitoring cannot catch targeted attacks
  • Browser-native mechanisms, such as Content Security Policy and script integrity checks, can be more effective but require careful manual or semi-automated deployment
  • The presentation provides an anecdote of a successful Magecart attack through a compromised third party despite the use of anti-Magecart solutions
  • The speaker suggests that browser vendors should provide more tools to protect against Magecart attacks
The speaker provides an example of a successful Magecart attack through a compromised third party, despite the use of anti-Magecart solutions. The attack involved modifying the response from the third-party script to include attack code, and the hacker then carefully monitored that code. The client-side solutions used by the organization were unable to detect the attack, and the hacker was able to exfiltrate data without being detected. This illustrates the limitations of current anti-Magecart solutions and the need for more effective approaches.


"Magecart" is the common name for an attack in which hackers compromise third-party JavaScript code to steal information from web applications or websites that incorporate the code. Over the last two years, we monitored the web for vulnerabilities in online infrastructures that enable Magecart attacks or are leveraged in Magecart attacks. Our research also included monitoring additional methods to abuse third-party scripts and bypass the various defense mechanisms that have been put in place to stop these attacks. During this research, we encountered tens of thousands of vulnerable assets, including those owned by governments and global enterprises. Our conclusion from the analysis is that there is no simple solution to defeating Magecart.

In our presentation, we will go through real-world examples which demonstrate how hackers exploit these vulnerabilities in order to identify the scale of the challenge. We will review common defense approaches that exist today and show why they are not effective. In this defense analysis, we explain the hackers' approach against client-side solutions and why hackers have the upper hand, especially in the context of the enterprise environment. Additionally, we will walk through a script-less Magecart variant that allows malicious code to execute without modifying scripts, and will present a novel technique to bypass native browser-based defenses as used by enterprises.

We will present real-world examples (that have not been published so far) that affected thousands of companies and will present indications that vendors do not disclose vulnerabilities to affected companies. Although the situation is not encouraging, there are actions that could be taken to protect organizations and we will present them, as well as summarizing the effectiveness of the different approaches against today's hackers (pros & cons).