Formjacking
What is Formjacking?
Formjacking: An attack in which malicious JavaScript intercepts form submissions in a victim's browser and sends the entered data to a server controlled by the attacker.
Formjacking targets any HTML form (login, checkout, account update) by hijacking its submission flow in the user's browser. The attacker gets JavaScript onto the page through a vulnerable web application (a stored XSS flaw or an unpatched CMS plugin, for instance), a compromised admin account, or a tampered third-party script such as a chat widget, analytics tag or A/B-test tool. That script hooks the form's submit event, or its keyup and input handlers, copies the field values and sends them to an attacker-controlled endpoint, typically with fetch, navigator.sendBeacon or an image request. The legitimate submission still completes, so the user sees a normal result and the server sees a normal request; because the data is captured in the browser before it is encrypted for transport, TLS and server-side input validation offer no protection. Magecart and the 2018 British Airways breach are textbook formjacking. Defences include Content Security Policy (restricting script-src, connect-src, img-src and form-action), Subresource Integrity on third-party scripts, runtime client-side monitoring (Akamai Page Integrity Manager, Jscrambler), and the PCI DSS v4.0 payment-page requirements 6.4.3 (inventory, authorisation and integrity of page scripts) and 11.6.1 (tamper detection for payment-page content and HTTP headers).
● Examples
- 01
An injected script on a login page captures usernames and passwords as users submit them.
- 02
An attacker tampers with a Shopify checkout app and exfiltrates address and card data via a fake analytics beacon.
● Frequently asked questions
What is Formjacking?
An attack in which malicious JavaScript intercepts form submissions in a victim's browser and sends the entered data to a server controlled by the attacker. It belongs to the Attacks & Threats category of cybersecurity.
What does Formjacking mean?
An attack in which malicious JavaScript intercepts form submissions in a victim's browser and sends the entered data to a server controlled by the attacker.
How does Formjacking work?
Formjacking targets any HTML form (login, checkout, account update) by hijacking its submission flow in the user's browser. The attacker gets JavaScript onto the page through a vulnerable web application (a stored XSS flaw or an unpatched CMS plugin, for instance), a compromised admin account, or a tampered third-party script such as a chat widget, analytics tag or A/B-test tool. That script hooks the form's submit event, or its keyup and input handlers, copies the field values and sends them to an attacker-controlled endpoint, typically with fetch, navigator.sendBeacon or an image request. The legitimate submission still completes, so the user sees a normal result and the server sees a normal request; because the data is captured in the browser before it is encrypted for transport, TLS and server-side input validation offer no protection. Magecart and the 2018 British Airways breach are textbook formjacking. Defences include Content Security Policy (restricting script-src, connect-src, img-src and form-action), Subresource Integrity on third-party scripts, runtime client-side monitoring (Akamai Page Integrity Manager, Jscrambler), and the PCI DSS v4.0 payment-page requirements 6.4.3 (inventory, authorisation and integrity of page scripts) and 11.6.1 (tamper detection for payment-page content and HTTP headers).
How do you defend against Formjacking?
Defences for Formjacking combine technical controls and operational practices: a strict Content Security Policy that limits where scripts may load from and where the page may send data (script-src, connect-src, img-src and form-action), Subresource Integrity hashes on every third-party script, an inventory of authorised page scripts with integrity checks as required by PCI DSS v4.0 requirement 6.4.3, tamper detection for payment-page content and HTTP headers as required by requirement 11.6.1, runtime client-side monitoring, and hardening of the application, its admin accounts and its script vendors so that an attacker has no path to inject the script in the first place.
What are other names for Formjacking?
Common alternative names include: Form skimming, Client-side form theft.
● Related terms
- attacks№ 642
Magecart Attack
A category of digital-skimming attacks in which criminals inject malicious JavaScript into e-commerce checkout pages to steal payment-card data as customers enter it.
- attacks№ 1229
Web Skimmer / E-Skimming
Malicious code injected into a website that steals payment-card or personal data as customers type it into the page.
- attacks№ 240
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- attacks№ 1116
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- identity-access№ 230
Credential Harvesting
The collection of usernames, passwords, tokens, and other authentication secrets at scale, usually for later account takeover or sale.
- compliance№ 807
PCI DSS
A global information-security standard for organizations that store, process, or transmit payment card data, maintained by the PCI Security Standards Council.