<<< Date Index >>>     <<< Thread Index >>>

Re: Banks (Wellsfargo.com) using CDNs to deliver Javascript: enables password theft by anyone compromising or controlling the CDN



Hello,

I have seen many web-sites include Javascript hosted by 3rd parties especially over the last year. It seems that 3rd parties use this fact in their marketing to convince others that this is good. The 3rd parties usually don't provide any security assurances or evaluations. One should consider the 3rd party as less secure then for example a highly federally regulated entity unless the 3rd party can produce documentation and certified audits to the contrary.

The majority of 3rd party hosted Javascript includes are related to "marketing", "security seals" or such and not part of the prime functionalities (why a customer is there). While placing such 3rd party hosted Javascript on sensitive web-pages is clearly a huge unneeded security risk one should further understand that including any 3rd party hosted Javascript on any page allows the 3rd party full unrestricted access to the web-page's full DOM. This allows the 3rd party to fully control all content, links, forms, images, cookies, frames, and such at will.


If an attacker changes the included 3rd party Javascript, it would be trivial for the attacker to leverage a phishing site to whatever means the attacker wished. If the attacker used AJAX the possibilities are almost endless. It's unfortunate that it is the customer in the end that is the one accepting the risks not the company itself. After all when your information and money is transfered to the attacker, they win, you lose (the information can never be not taken), and the company does not blink an eye. I would advise you to reevaluate your relationship with any organization that is careless with security, privacy, what in the end is your data, money, and life.


Regards,

--
Jason Muskat de VE3TSJ | GCFA, GCUX, CEI, CEH
____________________________
TechDude
e. Jason@xxxxxxxxxxx
m. 416 .414 .9934

http://TechDude.Ca/



On 19-Nov-07, at 10:39 PM, joel@xxxxxxxxxxx wrote:

In a recent chnage, wellsfargo.com started to include javascript delivered by akamai.net within sensitive pages, such as their login page.

Since any script loaded by the page has access to all the page data, that script could steal passwords very easily. Loading the script via a CDN reduces the banks security to the level of security provided by the CDN. I doubt that banking regulators would approve.

An attack on akamai or an insider there could access all wellsfargo.com bank accounts.

This is the equivalent of noticing that the bank's vault has another door and connects to the candy shop next door. Sure the candy shop is owned by a nice guy who locks his door at the end of the day, but I don't expect my bank to rely on him for security.

This was reported to wellsfargo security on November 17. They assure me that the padlock icon on the browser means everything is just fine.