
Barclays Bank Using Internet Archive as CDN for JavaScript Files? - ziodave
https://twitter.com/immunda/status/1278783894683336704
======
rvnx
It's cute but probably just a consequence of a content editor at Barclays who
has copy-pasted some old content.

A technical solution could be to add a strict CSP policy but in general the
problem is broader and applies to a lot of banks.

The real issue is that banks (and it's not specific to Barclays) are loading
JavaScript code from third-parties.

The fact that it is InternetArchive (yet another Internet cache) is not more
worrying than GoogleUserContent.com for example.

Otherwise, the "asking money for redemption/forgiveness" part to Barclays is a
bit borderline in my opinion.

~~~
curryhoward
Content editors should not be able to add arbitrary code to a bank's website
unless it undergoes review from someone who understands web security. If there
is some kind of content editing tool, it should only allow content (not
arbitrary scripts) to be edited.

~~~
BattyMilk
Until about a year ago I was working as a FE developer for a major
international bank.

All the processes and knowledge were in place to make sure all considerations
were taken with our software with regards to security. But... all that good
work and intention goes out the window when the marketing and analysis teams
could pretty much, on a whim dump any old JS onto a production page via GTM.
During my 18 months there, there were numerous issues (thankfully not security
issues - at least that we know of) introduced via this method, including a full
outage of the customer onboarding journey.

~~~
tweetle_beetle
I see GTM being used (abused?) by marketing teams regularly, but I'm really
surprised that a bank with its own development team would allow it.

It is really powerful and sometimes incredibly useful in some scenarios (e.g. I
once built a schema.org metadata system that scraped the pages on the fly for
a site with a broken CMS). Simo Ahava does clever things with it.

But from what I can tell, it seems to be a way of avoiding communication
between teams, or a political power grab inside bigger companies - a parallel
CMS. And the silly bit is that it's normally not doing much more than could be
achieved by copy and pasting a few lines of code into a template.

~~~
kevin_thibedeau
It's a backdoor way for Google to add more tracking.

~~~
frandroid
It's a Google backdoor for _your team_ to add more tracking etc.

The important point is that it's a backdoor for marketing (and adtech) teams
to get around developer/security requirements. At some point, someone on those
teams gets frustrated that their one-line code requests (just load this
script! add a gif banner here!) keep falling behind in the backlog. That
happens in part because the product team often doesn't care about marketing,
and sometimes because developers know that "just one more script!" paves the
road to hell. At some point the third-party that's trying to get their
business going through your business convinces the marketing team to add GTM,
the marketing team says to the dev team "Hey we need GTM to implement THIS
script". This time, because the other side has promised them $$$ in terms of ROI,
the marketing team pushes really hard for it, and eventually a product manager
approves the request to get them off their back. The rest, as they say, is
history (at retro time, multiple times down the road).

------
billpg
"We need to roll-back (JS file) to an earlier version."

"Which one?"

"The one at (archive URL)."

"I'm on it."

~~~
Zenbit_UX
I'd bet this is exactly what happened, maybe a junior dev or intern took the
ticket.

~~~
ddoice
No code review in the front-end of a bank?

------
giancarlostoro
Internet Archive as version control, I love it. There's some good comments in
there, one guy determined it had been like this for a month, yikes. Peer
review anybody? Or maybe they only have one web dev and he's a junior so the
seniors don't inspect it as harshly.

------
miga
It is extremely concerning, because it indicates how quality control is
abandoned in search for ever lower costs. Embarrassing if one considers that
most of these issues should be caught by automation before code review even
happens.

Such a symptom indicates extremely sloppy development process, and low
security culture. It would be interesting to use such fragmentary news to
correct stock pricing, with respect to current management and processes.

------
jmvoodoo
This reminds me of the time I caught my mortgage lender using javascript
loaded directly from a github repo on their mortgage application process. I
reported it to them and they didn't understand the problem.

~~~
vmception
that's pretty funny but what is the problem with that? direct link,
possibility of updating, same possibility of 404 as anything else, CDN and
caching included

~~~
khalilravanna
If it’s straight up linking a non-versioned file (e.g. live file) it implies
the owner of that Github repo has direct access to update and run code in
client’s browsers. Could start shooting off API requests dumping the contents
of cookies/localStorage, set up keylogging, etc. IMO seems like a pretty big
security hole.

~~~
jmvoodoo
Exactly. Or in this case exfiltrate my entire loan application, which would be
a gold mine for identity theft.

------
HenryBemis
Anyone from BarclaysUK internal (IT) audit team reading this? I wonder what
your scope is when you run audits on your webs... Also.. that vulnerability
scanner and pentester.. what kind of reports do they issue that they don't
mention this JS source??

~~~
bArray
"Move Fast and Break Things" is not the motto you hope to see your bank
adopting...

I had a problem with Natwest online banking where the "random" character entry
was the same each time (first, second and third characters) - which reduces
the security incredibly.

~~~
HenryBemis
In a French bank 10 years ago, their e-banking system was recording the actual
values you typed in, their order in your 6 digit PIN, and your username. The
logs were dropped on a share drive so that backup can pick them up. The shared
drive was read only to "Everyone".

IT fought hard and long on the risk of this whole 'setup'. They agreed when I
reconstructed 5 PINs (I stopped at 5, point was made). CTO was cool about
this, insisting "what are the odds of this happening?" COO & CEO had a totally
different (more sensible) opinion.

------
robflaherty
The Internet Archive rewrites contents of scripts to inject the archive URLs.
A better explanation than OP's clickbait is that someone went to the archive
to copy/paste misplaced tracking code.

~~~
LordDragonfang
Everyone assumes that is the case yes. That doesn't make the title factually
incorrect, though.

~~~
robflaherty
Based on the replies to the tweet very few have assumed this is the case and
no, “using as a CDN” and “accidentally linked to” are not the same thing.

------
chaz6
From a security standpoint it is not unsafe to reference resources on an
untrusted third party so long as you use subresource integrity. [1]

[1] [https://www.w3.org/TR/SRI/](https://www.w3.org/TR/SRI/)
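As an added illustration of the SRI point (not code from the thread or from Barclays), this computes the integrity value for a reviewed script body, emits the pinned tag, and emulates the browser-side check so that a rewritten copy, such as one served by a cache that injects its own URLs, is refused. The script body and URL are constructed.

```python
import base64
import hashlib

# Constructed sample body standing in for a third-party JS file that was reviewed.
SCRIPT_BODY = b"window.touchPunch = function () { return 'ok'; };\n"

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value ("sha384-<base64 digest>") for a resource body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src: str, body: bytes) -> str:
    """Build a <script> tag pinned to the exact bytes that were reviewed.
    crossorigin="anonymous" is required for SRI on cross-origin resources."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')

def browser_accepts(integrity: str, fetched: bytes) -> bool:
    """Emulate the browser check: recompute the digest over the fetched bytes and
    compare it with the pinned value; any mismatch blocks execution.
    Real browsers ignore an unknown algorithm and load the resource; this
    emulation is deliberately stricter and refuses it."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    actual = base64.b64encode(hashlib.new(algo, fetched).digest()).decode("ascii")
    return actual == expected

if __name__ == "__main__":
    tag = script_tag("https://third-party.invalid/touch-punch.js", SCRIPT_BODY)
    print(tag)
    print("unmodified:", browser_accepts(sri_hash(SCRIPT_BODY), SCRIPT_BODY))
    print("rewritten: ", browser_accepts(sri_hash(SCRIPT_BODY), SCRIPT_BODY + b"// injected\n"))
```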

------
gregsadetsky
Ooh, this reminds me that I saw a file being included straight from github.com
on flyporter.com (Canadian regional airline)

Actually, extremely weirdly, they didn't include the "actual" file (the raw
version of it) but ... they included the github page in the <script> tag...??

Go through a checkout on flyporter.com (use dates > Aug 31st as they're
resuming service then) and you'll see

`<script src="https://github.com/furf/jquery-ui-touch-punch/blob/master/jquery.ui.touch-punch.js"></script>`

in the source code which makes no sense (try that URL in your browser!)

I contacted everyone I could find on LinkedIn who's working as CTO/CIO/etc.
there, AND emailed them but never heard back. (this was 9 months ago... the
issue is still there)

Isn't this how the British Airways checkout ended up being hacked?

------
pier25
A bit off topic but... my bank renewed its web app a couple of years ago and
still uses jQuery v1.

I imagine they invested in auditing it and keep using the audited version...

Is this very common?

------
MattGaiser
I used to work for a bank. I suspect that they found it near impossible to get
$50 for a CDN approved.

------
jgalt212
For sites with a large % of the same people coming back on a daily or weekly
basis, there's probably not much to be gained by serving static files from a
CDN.

------
awadheshv
putting an executable js file under /content/dam, is pretty much a crime, when
you are working with adobe experience manager.

------
pldr1234
Post titles like these always completely overscope the action.

Something more accurate would read "A team at Barclays Bank".

~~~
geofft
While that's true in terms of root cause analysis, the browser doesn't see it
that way - all content on barclays.co.uk is equally trusted by the browser, so
every other team is impacted by this.

------
eska
It's really annoying how people like him blow these things out of proportion
to shame and extort companies.. Seems like he didn't even make a serious
attempt to message them.

~~~
immunda
Twitter author here. I didn't make any assertions about the impact of this
issue. A respondent to the Tweet said they found this earlier and had already
disclosed it to Barclays. I also tried to contact them for another issue and
spent over 6 hours on hold before giving up. It's really annoying how people
love to moan on HN without context.

~~~
ghusbands
You did say "Not to mention the scumbaggery of leeching bandwidth from a not-
for-profit", which is attributing poor motive and character. Even without
that, your general tone is scathing and accusing, over something that is
likely a simple mistake by a fairly fresh or unskilled developer.

~~~
FpUser
> _" that is likely a simple mistake by a fairly fresh or unskilled
> developer."_

I'd assume that for banks all code that goes into production gets audited.
More so it is easy to have the code run through some analyzers before
submitting it to production where presence of external origin should be
detected automatically and raise a flag.

If not it is gross negligence on the bank's side and deserves all the scathing
and accusations it can get.
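An added example (not the thread's or any bank's code) of the automated check described here and of the origin allowlist a CSP script-src would enforce: it scans page HTML for script tags whose host is not first-party and reports whether each is pinned with SRI. The allowlisted hosts and the sample HTML are constructed; the archive.org path is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party hosts a site is allowed to load scripts from.
FIRST_PARTY_HOSTS = {"www.example-bank.invalid", "static.example-bank.invalid"}

class ScriptCollector(HTMLParser):
    """Collect the attribute dicts of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))

def find_external_scripts(html, allowed_hosts=FIRST_PARTY_HOSTS):
    """Return (src, reason) for each <script src> whose host is not allowlisted.
    A third-party script without an integrity attribute is "external, no SRI";
    one carrying an integrity attribute is "external, pinned"."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script; out of scope for this check
        host = urlparse(src).netloc.lower()  # "" for relative paths
        if host and host not in allowed_hosts:
            reason = "external, pinned" if attrs.get("integrity") else "external, no SRI"
            findings.append((src, reason))
    return findings

# Constructed sample page: one relative, one first-party, two unpinned third-party
# scripts, one pinned third-party script and one inline script.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://static.example-bank.invalid/vendor/jquery.js"></script>
<script src="https://web.archive.org/web/PLACEHOLDER/js/tracking.js"></script>
<script src="https://github.com/furf/jquery-ui-touch-punch/blob/master/jquery.ui.touch-punch.js"></script>
<script src="https://cdn.third-party.invalid/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline");</script>
</head></html>"""

if __name__ == "__main__":
    for src, reason in find_external_scripts(SAMPLE_HTML):
        print(f"{reason}: {src}")
```

Run in CI against rendered templates, any "external, no SRI" line is the flag the comment above says should be raised before code reaches production.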

~~~
TheChaplain
No. Being courteous and professional will still get the point across.

------
gpmcadam
> Barclays Bank Using Internet Archive as CDN for JavaScript Files

The original title is disingenuous, you're assuming they did this on purpose
when they very much likely made an error.

~~~
OJFord
It doesn't say 'decided to use' or 'deliberately using', it is 'using', that
doesn't connote malintent, that's just the state of things.

~~~
seanwilson
"using as a CDN" implies a deliberate choice to me. Why not "because it was a
convenient way for their developer to include it"? You don't know why. A lot
of web developers don't know what CDNs are for too.

~~~
erinaceousjones
"because it was a convenient way for their developer to include it" implies it
was a deliberate choice also, when there's no way in hell someone didn't do
this as a mistake lol.

PLUS, "using as a CDN" is what the site was literally doing, from a functional
standpoint. It was pulling that script from Internet Archive, using their
upload bandwidth.

~~~
seanwilson
> "because it was a convenient way for their developer to include it" implies
> it was a deliberate choice also

I didn't word it well but that was my point. For the same reason, I wouldn't
pick the "CDN" headline as it gives a possibly false narrative too.

> PLUS, "using as a CDN" is what the site was literally doing, from a
> functional standpoint. It was pulling that script from Internet Archive,
> using their upload bandwidth.

I'd be fine with "using their bandwidth". I don't see how the Internet Archive
having a CDN or not is important to the story, and including this fact in the
headline makes it sound important.

~~~
byteshock
I don't think the author was implying that Barclay Bank was intentionally
using Internet Archive by using the term "CDN".

But, per your suggestion, if the title was something like "Barclays Bank using
Internet Archive's bandwidth to load their JS assets" then it's essentially
the same thing as saying they're using Internet Archive as a CDN.

A CDN is there to deliver asset files to websites, which is exactly what
Internet Archive was doing for Barclay Bank in this case. The author used the
term "CDN" to describe the situation or position Internet Archive was in
relation to Barclay Bank.

Also using the term "CDN" would make it easier for people to understand what
was happening just by reading the title.

