Bugtraq mailing list archives

Re: Banks (Wellsfargo.com) using CDNs to deliver Javascript: enables password theft by anyone compromising or controlling the CDN


From: "Jason Muskat de VE3TSJ - GCFA, GCUX, CEI, CEH" <Jason () TechDude Ca>
Date: Wed, 21 Nov 2007 00:01:52 -0500

Hello,

I have seen many web-sites include Javascript hosted by 3rd parties, especially over the last year. It seems that 3rd parties use this fact in their marketing to convince others that this is good. The 3rd parties usually don't provide any security assurances or evaluations. One should consider the 3rd party as less secure than, for example, a highly federally regulated entity unless the 3rd party can produce documentation and certified audits to the contrary.

The majority of 3rd party hosted Javascript includes are related to "marketing", "security seals" or such and not part of the prime functionalities (why a customer is there). While placing such 3rd party hosted Javascript on sensitive web-pages is clearly a huge unneeded security risk one should further understand that including any 3rd party hosted Javascript on any page allows the 3rd party full unrestricted access to the web-page's full DOM. This allows the 3rd party to fully control all content, links, forms, images, cookies, frames, and such at will.


If an attacker changes the included 3rd party Javascript, it would be trivial for the attacker to leverage a phishing site to whatever means the attacker wished. If the attacker used AJAX the possibilities are almost endless. It's unfortunate that it is the customer in the end that is the one accepting the risks, not the company itself. After all, when your information and money are transferred to the attacker, they win, you lose (the information can never be not taken), and the company does not blink an eye. I would advise you to reevaluate your relationship with any organization that is careless with security, privacy, what in the end is your data, money, and life.


Regards,

--
Jason Muskat de VE3TSJ | GCFA, GCUX, CEI, CEH
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934

http://TechDude.Ca/



On 19-Nov-07, at 10:39 PM, joel () peshkin net wrote:

In a recent change, wellsfargo.com started to include javascript delivered by akamai.net within sensitive pages, such as their login page.

Since any script loaded by the page has access to all the page data, that script could steal passwords very easily. Loading the script via a CDN reduces the bank's security to the level of security provided by the CDN. I doubt that banking regulators would approve.

An attack on akamai or an insider there could access all wellsfargo.com bank accounts.

This is the equivalent of noticing that the bank's vault has another door and connects to the candy shop next door. Sure the candy shop is owned by a nice guy who locks his door at the end of the day, but I don't expect my bank to rely on him for security.

This was reported to wellsfargo security on November 17. They assure me that the padlock icon on the browser means everything is just fine.


