Basic software security, lesson #1: You are only as secure as the weakest point in your system.
It’s a valuable lesson. Earlier this year Barclays made a big show of security, even going so far as to mail two-factor authentication devices to their customers in an attempt to prevent online banking fraud. That’s a big investment.
Unfortunately for Barclays, it doesn’t matter, and their money was wasted. Because if you want to compromise the computers of Barclays account holders, there’s no need to circumvent the giant, thoroughly-audited security schemes that are almost certainly in place. Nope, you just need to compromise their analytics provider.

That’s right, every page load from your “private”, “secure” banking pages is also communicating directly with Webtrends’ servers. And worse, Webtrends get to run code within the page, putting you totally at their mercy. If an angry Webtrends employee wants to harvest your banking data, he needs only change that javascript without alerting Barclays first. If you google “webtrendslive”, by the way, you’ll notice that malware reports outrank the actual product site. It’s a nice touch.
Anyway. Looks fine, right? They’re just including a local script from the /f directory. No. The script they’re pulling from a local file is in fact writing a new script tag to the document, which will load a script from an external server. Take a look:
// THIS IS ALL INNOCENT ENOUGH
var gDomain="statse.webtrendslive.com";
var gDcsId="REDACTED";
var gFpc="WT_FPC";
var gConvert=true;
var gFpcDom=".barclays.co.uk";
// WELL, IT'S ONLY BANKING INNIT. THE SECURITY MODEL ONLY
// PREVENTS YOU FROM DOING THIS SO YOU DON'T LOSE YOUR
// MYSPACE PASSWORD.
if ((typeof(gConvert)!="undefined")&&gConvert&&(document.cookie.indexOf(gFpc+"=")==-1)&&(document.cookie.indexOf("WTLOPTOUT=")==-1)){
document.write("<SCR"+"IPT TYPE='text/javascript' SRC='"+"http"+(window.location.protocol.indexOf('https:')==0?'s':'')+"://"+gDomain+"/"+gDcsId+"/wtid.js"+"'><\/SCR"+"IPT>");
}
Why does it have to do this, you ask? Because the browser security model specifically prevents you from making off-site requests in this way to protect the user from, oh, script injection vulnerabilities and having their details pinched by dastardly or inept external script providers. But this is only banking, right? S’probably fine to just ignore the reasons not to do it and go ahead with it. It’s not like you can assess your stats by analyzing your own logs or anything.