cside

171 posts

@csideai

The only client-side security company with a proxy solution. Gain visibility into every 3rd party script, attack, fraud attempt, and AI agent on the client-side

[email protected] Joined March 2024
35 Following 288 Followers
cside retweeted
Chargebacks911@Chargebacks911·
📅 March 26th at 1pm EST | Live Webinar with @csideai! Join us to learn how issuer expectations are changing, what stronger dispute evidence looks like today, and how to better protect revenue. Register free: hubs.li/Q046J9Vr0 #Chargebacks | #Payments
cside@csideai·
Observing a surge in client-side fetches happening to msclairty[.]com hijacking referral tokens. Still unclear of the extension responsible but judging by the volume it must be one of the top 5000 browser extensions.
cside@csideai·
🚨 Magecart Alert 🚨 A live Magecart skimmer on payment pages is exfiltrating credit card data in violation of PCI DSS. Script downloaded from: hxxps://meriksshadowfiend[.]top/moritz-ca/metrics.js Sending stolen data to: hxxps://pixelnotinggo[.]top/api/accept-metrics
cside@csideai·
Multiple shipped features this month 🤩 Full details on cside. dev/changelog.
cside@csideai·
A browser extension can quietly remove critical security headers like CSP. No warning. No consent. You install an extension and suddenly, protections against data leaks and injections are gone. Should we make this an explicit opt-in? Or will that see no adoption?
cside@csideai·
❗️We've identified a Magecart-like attack on the OpenCart CMS platform, mainly targeting East-Asian e-commerce websites cside.dev/blog/magecart-…
cside@csideai·
This is what makes client-side attacks so dangerous. Dynamism is a sword that cuts both ways. Attackers leverage this to stay undetected for days, weeks and months.
cside@csideai·
Yesterday CoinMarketCap got struck by a substantial client-side attack. Impacting all logged-in users to reauthenticate their wallet access, and inadvertently granting access to a bad actor.
cside@csideai·
Hello from Gartner! Come visit us at booth 971 in the startup zone.
cside@csideai·
We analyzed an attack on a Magento-based eCommerce site. The injection technique used hides in plain sight as the attacker is using ‘Google .com’ to deliver and execute their own code. cside.dev/blog/weaponize…
cside@csideai·
We’re at InfoSec all week! Booth B133, come say hi!
cside@csideai·
A new attack found in Progressive Web Apps (PWAs). They are browser-based too after all, and are also targets in client-side attacks. cside.dev/blog/chinese-a…
cody@devlooskie·
we're hiring a fullstack engineer @ @csideai! if you: - are obsessed with creating polished UI - love working with ts, react, tailwind, and graphql - willing to solve unique problems - want to learn about the deep-ends of the web c/side is for you 👉 cside dot dev/careers
cside@csideai·
If you’re serious about client-side security, you need runtime protection that sees what scripts actually do in your users' browsers. CSP is like locking your front door while leaving the windows wide open.
cside@csideai·
If you believe “strict CSP” is enough, look at Magecart, PII leaks, or the rise of fake browser updates. CSP couldn't save them, and neither will it save you.
cside@csideai·
"But we use CSP so we're fine" ❌ No, you’re not. CSP was designed to protect you from things like XSS. But in reality, a CSP is blind as a bat. If you trust a vendor’s domain, CSP lets it right through. If that vendor gets compromised? CSP shrugs.
cside@csideai·
Thanks people at BSides and RSAC! After the conferences, we hosted a rooftop afterparty for +500 people. A great way to close out the week. Thanks to @SocketSecurity, @arcjet and @incident_io for co-hosting with us 💙