View Full Version : Re: Banks (Wellsfargo.com) using CDNs to deliver Javascript: enables password theft by anyone compromising or controlling the CDN



Jason Muskat de VE3TSJ - GCFA, GCUX, CEI, CEH
22/11/07, 11:38
Hello,

I have seen many web-sites include Javascript hosted by 3rd parties
especially over the last year. It seems that 3rd parties use this fact
in their marketing to convince others that this is good. The 3rd
parties usually don't provide any security assurances or evaluations.
One should consider the 3rd party as less secure than for example a
highly federally regulated entity unless the 3rd party can produce
documentation and certified audits to the contrary.

The majority of 3rd party hosted Javascript includes are related to
"marketing", "security seals" or such and not part of the prime
functionalities (why a customer is there). While placing such 3rd
party hosted Javascript on sensitive web-pages is clearly a huge
unneeded security risk one should further understand that including
any 3rd party hosted Javascript on any page allows the 3rd party full
unrestricted access to the web-page's full DOM. This allows the 3rd
party to fully control all content, links, forms, images, cookies,
frames, and such at will.


If an attacker changes the included 3rd party Javascript, it would be
trivial for the attacker to leverage a phishing site to whatever means
the attacker wished. If the attacker used AJAX the possibilities are
almost endless. It's unfortunate that it is the customer in the end
that is the one accepting the risks, not the company itself. After all
when your information and money is transferred to the attacker, they
win, you lose (the information can never be not taken), and the
company does not blink an eye. I would advise you to reevaluate your
relationship with any organization that is careless with security,
privacy, what in the end is your data, money, and life.


Regards,

--
Jason Muskat de VE3TSJ | GCFA, GCUX, CEI, CEH
____________________________
TechDude
e. Jason@TechDude.Ca
m. 416 .414 .9934

http://TechDude.Ca/



On 19-Nov-07, at 10:39 PM, joel@peshkin.net wrote:

> In a recent change, wellsfargo.com started to include javascript
> delivered by akamai.net within sensitive pages, such as their login
> page.
>
> Since any script loaded by the page has access to all the page data,
> that script could steal passwords very easily. Loading the script
> via a CDN reduces the bank's security to the level of security
> provided by the CDN. I doubt that banking regulators would approve.
>
> An attack on akamai or an insider there could access all
> wellsfargo.com bank accounts.
>
> This is the equivalent of noticing that the bank's vault has another
> door and connects to the candy shop next door. Sure the candy shop
> is owned by a nice guy who locks his door at the end of the day, but
> I don't expect my bank to rely on him for security.
>
> This was reported to wellsfargo security on November 17. They
> assure me that the padlock icon on the browser means everything is
> just fine.
>
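
Added example, not part of the original posts: a small audit that lists every script a page loads from a host other than its own and marks whether the page also carries a password field, which is the situation the thread describes. The hosts and HTML are constructed, and the `integrity` (Subresource Integrity) check reflects a browser feature the thread does not mention.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login page pulling scripts from two other hosts.
SAMPLE_URL = "https://bank.example/login"
SAMPLE_HTML = """<html><head>
<script src="/js/login.js"></script>
<script src="//cdn.example/lib/menu.js"></script>
<script src="https://seal.example/badge.js" integrity="sha384-PLACEHOLDER"></script>
</head><body><form action="/auth" method="post">
<input type="text" name="user"><input type="PASSWORD" name="pw">
</form></body></html>"""


class ScriptAudit(HTMLParser):
    """Collect <script src> URLs and note whether the page has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.has_password_field = False
        self.scripts = []  # (absolute URL, host, has integrity attribute)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        elif tag == "script" and a.get("src"):
            # urljoin resolves relative and protocol-relative (//host/...) sources.
            url = urljoin(self.page_url, a["src"])
            self.scripts.append((url, urlsplit(url).hostname, bool(a.get("integrity"))))


def audit(page_url, html):
    """Return one finding per script served from a host other than the page's own."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    page_host = urlsplit(page_url).hostname
    # Exact host match only: a sibling subdomain is still reported, on purpose.
    return [
        {"script": url, "host": host, "sri_pinned": pinned,
         "sensitive_page": parser.has_password_field}
        for url, host, pinned in parser.scripts if host != page_host
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

A finding with `sensitive_page` true and `sri_pinned` false is a script whose host can change what runs next to the password form without the page's owner being involved.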