An undetectable Online Bank Vulnerability?




December 20, 2003

RE: Banking/eCommerce Basic Vulnerability - Undetectable

Due to the well-known documented ability of XSS/CSS capabilities and the 
proliferation of 3rd-party web-services, can anyone confirm the following:

If an Online Bank utilizes 3rd-party webservices (javascript/.JS) via either 
web-analytic measurements or a banner-ad server - Is there not indeed a 
theoretical backdoor to the client-side browser if this 3rd-party 
webservice/webserver was compromised with malicious code?

All one has to do is attack the server that is providing the commercial 
webservice and in theory, one would have complete control over the consumer's 
web browser (client-side browser), without detection from an Online Bank - or 
internal security intrusion detection from the Bank itself.

Is this not correct?

Behind closed doors, I have confirmation of this independently, although no 
one in public seems to be willing to formally acknowledge these basic 
vulnerabilities in Online Banking.

I have a list of Banks that currently utilize webservices from another 
3rd-party.

I have searched the entire Internet for anyone else who may have reported this 
obvious vulnerability to an online bank.  What I haven't found is a technical 
solution to it, nor dissemination on the basics of just how vulnerable online 
banking is to consumers.

Can anyone debate me publicly on this on grounds of the technical merits of 
this Online Banking Security issue? Without throwing accusations around?

I am a writer, and wanted to address the fact that there is a theoretical 
backdoor, that could escape detection from Intrusion Countermeasures - because 
this theory is made up of the following:

1) Find a COMMERCIAL WEBSITE with 3rd-party services running on it.
2) Attack the weakest part - the company providing webservices to this website.
3) Compromise the code on the server that is providing it to the COMMERCIAL 
WEBSITE.
4) This compromised code could in theory launch a new Popup() window or new 
browser session mimicking the entire content of the COMMERCIAL WEBSITE.
5) This technique bypasses the COMMERCIAL WEBSITE's SERVER and INTRUSION 
DETECTION capability, by launching straight into the user's client-browser 
session (client-side).

In theory would this not be a Backdoor to Online Banking/Commerce?  It is also 
undetectable because of its client-side orientation, is this not also correct?

Obvious solutions: Remove 3rd-party webservices from sensitive websites.  
Inform customers to disable Javascript or Mobile Code.

Any comments would be appreciated.
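
An added example, not part of the original post: a Python check a site owner can run over a sensitive page to inventory every script it loads from another host, which is the dependency the post describes. The page URL, hostnames and HTML are constructed; the `pinned` flag, which reports whether a tag carries the Subresource Integrity `integrity` attribute, goes beyond what the post discusses.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...> matches.
        if tag == "script":
            attr = dict(attrs)
            if attr.get("src"):
                self.scripts.append(attr)


def third_party_scripts(html, page_url):
    """Return one finding per script loaded from a host other than page_url's."""
    page_host = urlsplit(page_url).hostname
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attr in collector.scripts:
        # Resolve relative and protocol-relative (//host/path) references.
        absolute = urljoin(page_url, attr["src"].strip())
        parts = urlsplit(absolute)
        if parts.hostname == page_host:
            continue
        findings.append({"url": absolute, "host": parts.hostname,
                         "plain_http": parts.scheme == "http",
                         "pinned": bool(attr.get("integrity"))})
    return findings


# Constructed sample: a login page with hypothetical analytics and ad hosts.
SAMPLE_PAGE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<html><head>
<script src="/js/login.js"></script>
<script src="//stats.analytics.example/track.js"></script>
<SCRIPT SRC="http://ads.adserver.example/banner.js"></SCRIPT>
<script src="https://cdn.widgets.example/w.js" integrity="sha384-PLACEHOLDER"></script>
<script>var inline = 1;</script>
</head></html>
"""

if __name__ == "__main__":
    for finding in third_party_scripts(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(finding)
```

Each finding is a host whose compromise would change the code running in the customer's browser without touching the site's own servers; an empty result on login and transaction pages corresponds to the first of the post's "obvious solutions".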