gregpilling | 7 years ago

I am surprised that there is no automated alert to tell the webmaster that his code has changed on his website. Especially on the payments page!

With 50,000,000 users a month, surely they have a whole team working on checkout, all the time?

lacker | 7 years ago

Code is supposed to change on the website all the time, though, when they run a deploy. Surely they do have a team working on checkout, but it isn't obvious how this would be detected. The article leaves out how they got the malicious javascript onto the page in the first place, though, so it's hard to say.

ryanlol | 7 years ago

Do you have such automated alerts set up yourself? Do you know anyone with such alerts set up?

reaperducer | 7 years ago

I do.

I have a tiny $5 Onion Omega2 on an independent cellular connection that checks file integrity on the production web servers every 15 minutes.

If the content of any of the files change, I get an e-mail.

If the alerts start coming in when I know I've just pushed a new version to production, the mail has a link that I can click that will re-scan all of the files and build new checksums.

If the alerts start coming in in the middle of the night, then I know something is up.

Obviously, this only works in small environments like mine where I'm the only one capable of updating the production servers. But it managed to catch a backdoor left in by the previous developer, who for some reason stored and updated his resume on the production server.
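A minimal version of the checksum monitor reaperducer describes, as an added example that is not code from any commenter: build a baseline of SHA-256 digests, compare the live tree against it on each scheduled run, and re-baseline after a known deploy. The toy webroot, file names and contents are constructed for the demo; sending the e-mail is left to the caller.

```python
"""Minimal file integrity monitor: baseline, scheduled check, re-baseline after a deploy."""
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large assets are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(webroot: Path) -> dict:
    """Map of relative path -> digest for every regular file under webroot."""
    return {str(p.relative_to(webroot)): file_digest(p)
            for p in sorted(webroot.rglob("*")) if p.is_file()}

def diff(baseline: dict, current: dict) -> dict:
    """Classify changes; three empty lists means there is nothing to alert on."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }

def check(webroot: Path, baseline_file: Path) -> dict:
    """One scheduled run (e.g. every 15 minutes): compare the live tree with the stored baseline."""
    baseline = json.loads(baseline_file.read_text())
    return diff(baseline, snapshot(webroot))

def rebaseline(webroot: Path, baseline_file: Path) -> None:
    """What the 'I just deployed' link does: accept the current tree as known-good."""
    baseline_file.write_text(json.dumps(snapshot(webroot), indent=1, sort_keys=True))

def demo() -> dict:
    """Constructed scenario: baseline a toy webroot, then tamper with a script and drop a file."""
    tmp = Path(tempfile.mkdtemp())
    webroot, baseline_file = tmp / "htdocs", tmp / "baseline.json"  # baseline kept outside webroot
    (webroot / "js").mkdir(parents=True)
    (webroot / "checkout.html").write_text("<html>checkout form</html>")
    (webroot / "js" / "app.js").write_text("console.log('app');")
    rebaseline(webroot, baseline_file)          # known-good state right after a deploy
    clean = check(webroot, baseline_file)       # nothing has changed yet
    (webroot / "js" / "app.js").write_text("console.log('app');/* constructed change */")
    (webroot / "unexpected.php").write_text("<?php /* constructed: not in baseline */ ?>")
    return {"clean": clean, "after": check(webroot, baseline_file)}
```

As the comment's separate cellular-connected box implies, the baseline and the checker belong off the web server: a baseline stored next to the files can be rewritten by whoever changed them.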

freddie_mercury | 7 years ago

Whenever someone complains about another company's product, code, features, security... I always wish it was mandatory to include a link to the kind of software the poster is putting into production.

I can dream.

Glass houses and all that.

elorant | 7 years ago

I have. I deploy in ASP.NET and get a hash of the uploaded DLL. I check it twice a day. Never had any incidents to this day but as the saying goes, it's better to be safe than sorry.