
Gotta love the completely superfluous dig at Cloudflare. As if providing the client IP is what enabled the attack. That was probably the least interesting part of the attack. Cheap shot Akamai.


I feel like it isn't a dig at all:

> The skimmer uses a Cloudflare API in order to get the end-user IP address.

They described what the script does in detail, and that's part of what it does.


I agree. It would be weird to document the call to a 3rd party source without explaining it.


"Cheap shot". Yes.

Also, no mitigation is suggested other than CSP, for which "A lot of CSP policies don't...", which is a suggestion to use CSP correctly, in a backhanded way.

It is a sales pitch plus an info-sec report.
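The comment above turns on the point that CSP only helps when the policy actually constrains where scripts can load from and where they can connect to. The following is an added example, not code from the Akamai report or from any of the commenters: a small evaluator for the `script-src` and `connect-src` source lists (with the `default-src` fallback) applied to a permissive policy and to a pinned one. All hostnames, the policies and the "IP lookup" and "collector" URLs are constructed placeholders, and the path matching is simplified relative to the full CSP specification.

```javascript
// Added example: minimal CSP source-list evaluator (not Akamai's or Cloudflare's code).
// Question answered: would a request from a page at `pageUrl` to `targetUrl`
// be permitted by `directive` under `policy`?

// Fetch directives that fall back to default-src when absent.
const FETCH_FALLBACK = { "connect-src": "default-src", "script-src": "default-src", "img-src": "default-src" };

const DEFAULT_PORT = { "https:": "443", "http:": "80" };

// Split "name src src; name src" into a Map of directive -> source expressions.
// Per CSP, a repeated directive is ignored, so the first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Host-source matching: "*.example" matches any subdomain, otherwise exact host.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit `target` for a page at `page`?
function sourceMatches(expr, target, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return target.origin === page.origin;
  if (e.startsWith("'")) return false;          // 'unsafe-inline', nonces, hashes: never match a URL
  if (e === "*") return true;                    // wildcard host: any network-scheme URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return target.protocol === e; // scheme-source, e.g. "https:" or "data:"
  // host-source: [scheme://]host[:port][/path]
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/);
  if (!m) return false;
  const [, scheme, hostPattern, port, path] = m;
  if (scheme && scheme + ":" !== target.protocol) return false;
  if (!scheme && target.protocol !== "https:" && target.protocol !== page.protocol) return false;
  if (!hostMatches(hostPattern, target.hostname)) return false;
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || "";
  if (port && port !== "*" && port !== targetPort) return false;
  if (path && !target.pathname.startsWith(path)) return false; // simplified: spec distinguishes "/dir/" prefix from exact file
  return true;
}

function isAllowed(policy, directive, targetUrl, pageUrl) {
  const directives = parsePolicy(policy);
  let list = directives.get(directive);
  if (list === undefined && FETCH_FALLBACK[directive]) list = directives.get(FETCH_FALLBACK[directive]);
  if (list === undefined) return true; // no governing directive: CSP imposes no restriction at all
  return list.some((expr) => sourceMatches(expr, new URL(targetUrl), new URL(pageUrl)));
}

// Constructed policies. The first is the kind of wide-open policy the comment alludes to:
// an injected script can load from anywhere and call out anywhere. The second pins
// scripts to the page's own origin and connections to the page plus one known payment API.
const WEAK_CSP = "default-src * 'unsafe-inline'; img-src *";
const STRICT_CSP =
  "default-src 'self'; script-src 'self'; connect-src 'self' https://api.payments.example; img-src 'self' data:";

const PAGE = "https://shop.example/checkout";                       // constructed checkout page
const IP_LOOKUP = "https://ip-lookup.third-party.example/ip";       // stands in for a third-party IP API call
const COLLECTOR = "https://collector.untrusted.example/collect";    // stands in for an unknown drop endpoint

// Named so the results can be asserted on rather than only printed.
function summarize() {
  return {
    weakAllowsIpLookup: isAllowed(WEAK_CSP, "connect-src", IP_LOOKUP, PAGE),
    strictAllowsIpLookup: isAllowed(STRICT_CSP, "connect-src", IP_LOOKUP, PAGE),
    strictAllowsPayments: isAllowed(STRICT_CSP, "connect-src", "https://api.payments.example/charge", PAGE),
    strictAllowsForeignScript: isAllowed(STRICT_CSP, "script-src", "https://cdn.untrusted.example/app.js", PAGE),
    strictAllowsCollector: isAllowed(STRICT_CSP, "connect-src", COLLECTOR, PAGE),
    strictAllowsDataImage: isAllowed(STRICT_CSP, "img-src", "data:image/png;base64,AAAA", PAGE),
  };
}

console.log(summarize());
```

The useful property to read off the output is that the pinned policy blocks both the third-party IP lookup and the unknown collector through `connect-src`, while still permitting the legitimate payment API; the permissive policy blocks nothing, which is the sense in which "a lot of CSP policies don't" help.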


They do suggest a mitigation: Akamai Page Integrity Manager, which they say is proven effective against this attack. I wish they'd stated whether they had to make an update to PIM for it to recognize this attack, or whether it worked as-is (as-was). The lack of such a statement, given that this is a sales blog, strongly suggests they had to update PIM.

Indeed it's a bit of a cheap shot since they could have gotten the IP via whatismyip.com or any of innumerable other ways. It just happened to use CF, which I'm sure they were jumping for joy about since they get to do a direct comparison against CF: Akamai has PIM, CF does not.
