An undetectable Online Bank Vulnerability?
December 20, 2003
RE: Banking/eCommerce Basic Vulnerability - Undetectable
Given the well-known, documented capabilities of XSS/CSS and the
proliferation of 3rd-party web services, can anyone confirm the following:
If an Online Bank utilizes 3rd-party web services (JavaScript/.JS files) via
either web-analytics measurements or a banner-ad server, is there not indeed a
theoretical backdoor to the client-side browser if this 3rd-party
web service/web server were compromised with malicious code?
All one has to do is attack the server that is providing the commercial
web service, and in theory one would have complete control over the consumer's
web browser (client-side browser), without detection by the Online Bank, or
by the Bank's own internal intrusion detection.
Is this not correct?
Behind closed doors, I have confirmation of this independently, although no
one in public seems to be willing to formally acknowledge these basic
vulnerabilities in Online Banking.
I have a list of Banks that currently utilize web services from a
3rd party.
I have searched the entire Internet for anyone else who may have reported this
obvious vulnerability to an online bank. What I haven't found is a technical
solution to it, nor any dissemination of the basics of just how vulnerable
online banking is for consumers.
Can anyone debate me publicly on the technical merits of this Online Banking
security issue, without throwing accusations around?
I am a writer, and I wanted to address the fact that there is a theoretical
backdoor that could escape detection by Intrusion Countermeasures, because
this theory consists of the following:
1) Find a COMMERCIAL WEBSITE with 3rd-party services running on it.
2) Attack the weakest part - the company providing webservices to this website.
3) Compromise the code on the server that is providing it to the COMMERCIAL
WEBSITE.
4) This compromised code could in theory launch a new Popup() window or a new
browser session mimicking the entire content of the COMMERCIAL WEBSITE.
5) This technique bypasses the COMMERCIAL WEBSITE's SERVER and INTRUSION
DETECTION capability by launching straight into the user's client-browser
session (client-side).
In theory, would this not be a backdoor to Online Banking/Commerce? It is also
undetectable because of its client-side orientation; is this not also correct?
Obvious solutions: Remove 3rd-party web services from sensitive websites.
Inform customers to disable JavaScript or mobile code.
Any comments would be appreciated.