A technical solution could be to add a strict CSP policy but in general the problem is broader and applies to a lot of banks.
The fact that it is InternetArchive (yet another Internet cache) is not more worrying than GoogleUserContent.com for example.
Otherwise, the "asking money for redemption/forgiveness" part to Barclays is a bit borderline in my opinion.
All the processes and knowledge were in place to make sure all considerations were taken with our software with regards to security. But... all that good work and intention goes out the window when the marketing and analysis teams could pretty much, on a whim dump any old JS onto a production page via GTM. During my 18 months there, there were numerous issues (thankfully not security issues - at least that we know of) indroduced via this method inc a full outage of the customer onboarding journey.
It is really powerful and sometimes incredibly useful in some scenarios (e.g I once built a schema.org metadata system that scraped the pages on the fly for a site with a broken CMS). Simo Ahava does clever things with it.
But from what I can tell, it seems to be a way of avoiding communication between teams, or a political power grab inside bigger companies - a parallel CMS. And the silly bit is that it's normally not doing much more than could be achieved by copy and pasting a few lines of code into a template.
Of course it all loads only when the user does not have any adblocking or tracking protections enabled.
The important point is that it's a backdoor for marketing (and adtech) teams to get around developer/security requirements. At some point, someone on those teams gets frustrated that their one-line code requests (just load this script! add a gif banner here!) keep falling behind in the backlog. That happens in part because the product team often doesn't care about marketing, and sometimes because developers know that "just one more script!" paves the road to hell. At some point the third-party that's trying to get their business going through your business convinces the marketing team to add GTM, the marketing team says to the dev team "Hey we need GTM to implement THIS script". This time, because the other side has promised them $$$ in terms ROI, the marketing team pushes really hard for it, and eventually a product manager approves the request to get them off their back. The rest, as they say, is history (at retro time, multiple times down the road).
You can tell by the URL path (it's under /content/dam) that it's served by Adobe Experience Manager (Adobe's CMS, dam stands for digital asset manager, where you store static assets like images and js). The script itself is "target.js", which is Adobe Target - their A/B framework - which "supports custom code insertion" similar to a tag manager.
It's not GTM, but this is like loading the GTM script itself from archive.org.
That's what's great about content security policies: put a CSP on the page, and when people try to add scripts without going through proper processes it just won't run.
Unfortunately, we still have lots of 3rd party stuff in GTM, and technically any ad can run random js on our sites. Thats where most problems come from these days.
Editors still technically have the power to brick a given site through our old inhouse CMS which has no proper access control levels, hopefully not for long...
If you configure your ad network to run all ads cross-domain, then they are very limited. For example, in GPT (which I work on) you call "googletag.pubads().setForceSafeFrame(true)".
(Disclosure: speaking only for myself)
Fun story: I had a Barclaycard once. I chose to get bills/invoices via snail mail because I'm old fashioned. Didn't use the card for almost a year after signing up and then finally bought something online with it. Got an invoice next month and paid it. Then got another invoice the next month over 60ct for the invoice sent via snail mail. Fair enough, they stated that when I signed up. But then I got another bulk the following month because, you guessed it, the invoice for the invoice was sent via mail. I tried to be clever then and paid 1.20€, but that doesn't work since I still got a letter saying there's still enough money in my account covering the invoice. So after four or five months I just gave up and canceled my account.
The fact that the CSP is whitelisting archive.org makes this look like an attack to me, or at least a test run before a real attack. I don't believe this was a simple mistake.
Looks like their main homepage doesn't have a CSP policy at all https://cspvalidator.org/#url=https://www.barclays.com
I really hope they have a postmortem and actually implement a CSP for their site, pretty crazy not to, especially for a bank.
I just checked some of the local banks. Oh dear...
Hardly anybody really understands web security.
This is not about content. Content is "make a new page with that template and add a photo and the new text about XYZ product". Not a new functionality/code.
I wonder who signed this off prior to.release and what does their wiki/Jira mentions.
Edit: e-banking and other banks websites/online presence(s).
Edit2/rant: I have been the go-to audit/sec/compliance guy for more than a decade. It amazes me in this forum that there are very few discussions/POVs on the audit/security element. In most cases (like this one), an experienced auditor would have picked this up in 20mins. If only Barclays (in this case) bothered to escape the fixed-10 years old checklist/audit program these would never have happened.
It is partially baffling at least. We had to do a standalone website ad campaign for a bank (same level/recognition as barclays) once, some kind of rewards program where all you could do was browse what was possible to redeem your points for. No accounts, no cart, no integration whatsoever, it was basically a static site (with some user interactivity). We'd get scanned constantly and were always made aware of mistakes or issues, one of them being 3rd party resources.
On the other hand, I wasn't too impressed with their security scanning. Two issues had come up that made me dubious of what all good this actually did.
First was some kind of ssh vulnerability. We were using an older (but still supported) amazon linux ami. The ssh was actually patched but the version did not match what they wanted in the security tool's version. We had to get them to talk with AWS to ensure it was an actual patched version of ssh and the security scanning tool just wasnt accepting it as valid.
If you hadn't scanned, would you have fixed the CVE at all?
Scanning is useful to automate a "thing" but your audit is multifaceted and should probably require peer review (pull/merge requests).
In simple terms, scanning should _hopefully_ help a dev who wants to do the right thing, but it won't help a malicious dev, so you're gonna need something else.
Peer review, least privileged access, protective monitoring, etc.
I never applied as I like pushing the boundaries when it comes to using CMSs, but if they're calling it out from Day One it's also on the operator to not do it even if they could.
The Web is broken, and CORS/CSP headers will only be able to fix only some individual cases, of a bigger, currently unfixable design problem.
The tons of random JS APIs brought into the browser without a any real critical review are making the initial design of scripts on the web being inherently secure, to them not being so.
The state of things needs to be brought back to the point where arbitrary JS simply cannot mess up your browser by design, and when you can load resources from everywhere safely regardless of tricky settings of now 10+ CSP related headers.
Or alternatively, there needs to be a solution to completely shut down those APIs, any "advanced" functionality to load 3rd party resources, reinforced by cryptohashes, and signature checks to verify loaded resources.
You would still have an issue where there is simply no functionality to killswitch all those novel APIs of arguable safety, and tell the browser to shut down any script not explicitly listed as allowed on the site.
Isn't that what CSP headers are for?
I saw websites with a screen long CSP header to work around standard's inconsistencies like frame-src/child-src, and form redirects. I think it's only a matter of time when somebody will find a chink in that weak armour.
The lack of sane by-default policy makes you vulnerable the moment attacker finds a way to redirect a browser to a non-CSP protected page on your domain. Mitigations exist, but... many buts.
Reflection attacks, when attacker injects your own hashed scripts, and data exfiltrating css on pages where they shouldn't be are still possible in various scenarios unless you inline all scripts, and set CSP per every URL.
Other data exfiltration sources, and injection sinks keep being found few times a year.
CSP is a paint over rust.
It's not the TSB IT fiasco but it's still an error on their part.
Additionally, the aggregate bandwidth cost of delivering that JS file during its lifetime is probably less than $0.05. How many copies of this file would need to be concatenated to equal the size of David After Dentist?
No one levels up on the Internet — and especially Twitter — by being calm and reasonable.
This is entirely a strawman you are burning down to make light of the fact that far from a stupid mistake, this is recklessness enabled by the joke of an "web development" industry. This stupidity is common practice and certainly no one in this thread seems even slightly inclined to clean it up.
It means they don't have their security in order, they're a bunch of amateurs and their banking license should be revoked.
It's unlikely that a content editor would be able to do this, given the industry.
"The one at (archive URL)."
"I'm on it."
Such a symptom indicates extremely sloppy development process, and low security culture.
It would be interesting to use such fragmentary news to correct stock pricing, with respect to current management and processes.
I had a problem with Natwest online banking where the "random" character entry was the same each time (first, second and third characters) - which reduces the security incredibly.
IT fought hard and long on the risk of this whole 'setup'. They agreed when I reconstructed 5 PINs (I stopped at 5, point was made). CTO was cool about this, insisting "what are the odds of this happening?" COO & CEO had a totally different (more sensible) opinion.
Actually, extremely weirdly, they didn't include the "actual" file (the raw version of it) but ... they included the github page in the <script> tag...??
Go through a checkout on flyporter.com (use dates > Aug 31st as they're resuming service then) and you'll see
in the source code which makes no sense (try that URL in your browser!)
I contacted everyone I could find on LinkedIn who's working as CTO/CIO/etc. there, AND emailed them but never heard back. (this was 9 months ago... the issue is still there)
Isn't this how the British Airways checkout ended up being hacked?
I imagine they invested in auditing it and keep using the audited version...
Is this very common?
Something more accurate would read "A team at Barclays Bank".
Why should he spend his time (=money) to chase down a multi-billion dollar company to get them to fix a stupid error when he'd be lucky to get a thank you email for the effort?
- I'd determined that a large email provider was transiting a sizeable fraction of all 419 spam I was seeing (and knew that this was likely broadly representative). Looked up the product title with "project manager" and similar terms, called the corporate switchboard, and asked for them by name. Phone picked up on first ring, I explained the situation briefly, fifteen minutes later I received a call from the manager in charge of that area, who leptnin touch over the next three months as the issue was resolved.
- Another time worksite had issues with another email service provider with glacially slow processing of our notification emails. Performed an executive email carpet bomb after months of ineffective helpdesk attemps, with evidence of the issue. Was assigned a minder who helped resolve the issue.
Both were large companies (at the time), one I'm distinctly not inclined to consider favourably. Both responded exceeding expectations.
Then there is Google....
1. See https://www.nytimes.com/2017/05/05/your-money/the-best-consu...
Either scenario is equally bad when it's a multi-billion dollar financial institution. It's a bank not some Wordpress site for local business.
I'd assume that for banks all code that goes into production gets audited. More so it is easy to have the code run through some analyzers before submitting it to production where presence of external origin should be detected automatically and raise a flag.
If not it is gross negligence on the bank's side and deserves all the scathing and accusations it can get.
Code would be reviewed by a developer, not audited. The reviewer may or may notice the dependency to archive.org and may or may not care.
When I was in high school in the 90s I did work at a bank after school. My job was to sort and file debit card applications. No one audited my work either. Part of my job when reviewing every card on file was to verify the balance on the account that backed the debit card. If the account balance was zero or less, I filled out a form to cancel the card to be faxed out in a batch. Typically had 20-50 cancellations per day in 3 hours of work. No one reviewed them before sent, the files were just filed away to be forgotten. Mind, this was a small rural bank, so that might have played into it.
The point of tag managers is to let non-developers update production without going through a code deployment so the usual code review and oversight doesn't apply.
Also worth keeping in mind that this is the bank's marketing site. It's almost surely managed by a different team than the actual online banking site and probably has looser restrictions.
Yes and you know who's then get fired? The junior developer....
It's really annoying how people love to moan on Twitter without context.
>How about @BarclaysUK
for bandwidth usage and make a donation to @BlackGirlsCode
for good measure.
The original title is disingenuous, you're assuming they did this on purpose when they very much likely made an error.
PLUS, "using as a CDN" is what the site was literally doing, from a functional standpoint. It was pulling that script from Internet Archive, using their upload bandwidth.
I didn't word it well but that was my point. For the same reason, I wouldn't pick the "CDN" headline as it gives a possibly false narrative too.
> PLUS, "using as a CDN" is what the site was literally doing, from a functional standpoint. It was pulling that script from Internet Archive, using their upload bandwidth.
I'd be fine with "using their bandwidth". I don't see how the Internet Archive having a CDN or not is important to the story, and including this fact in the headline makes it sound important.
But, per your suggestion, if the title was something like "Barclays Bank using Internet Archive's bandwidth to load their JS assets" then it's essentially the same thing as saying they're using Internet Archive as a CDN.
A CDN is there to deliver asset files to websites, which is exactly what Internet Archive was doing for Barclay Bank in this case. The author used the term "CDN" to describe the situation or position Internet Archive was in relation to Barclay Bank.
Also using the term "CDN" would make it easier for people to understand what was happening just by reading the title.
In the end, they would still be using IA as a CDN, no matter the verbiage. We can make a reasonable guess as to why, considering it's a really bad idea for many reasons; someone made a mistake. Intentional or not, it's a mistake all the same.