They Can Be You

You use the web
So do they
You use your browser
So do they
You login to your online banking
So can they
Do they?

Call to action

Attempts to raise the alarm have so far failed

A 10.0 security vulnerability in most UK banking websites

Most banks have given third party companies remote access to your online bank account (via a remote code execution vulnerability).

Remote code execution is often a 10/10 graded security failing.

When your browser downloads vulnerable banks' web pages, the banks' code tries to download further code from the third party servers directly.

These are servers the banks do not own or control, and this further code can do whatever it likes in the online banking page.

Perhaps: read login details, spoof login forms to grab passwords, fill out forms, click buttons, return data to their servers, send data to bank servers

It is not known whether an abuse of this vulnerability could trigger a social response, such as a bank run. If anyone has research on this, please send it to the appropriate public bodies.

A critical feature of information security, especially for financial activity, is non-repudiation: the recorded activity is strong enough to hold up in court.

By sharing access to login credentials, or capabilities for spoofing login forms, the banks can no longer differentiate between what a customer does and what one of their chosen third parties does.

By allowing arbitrary code to be executed by the third parties, the banks can no longer differentiate your actions in your web browser from those of a third party.

Remote Access: The Post Office Online Banking Scandal

If your bank is affected, the following may help you understand the risk by comparison with the events sub-postmasters suffered.

Sub-postmasters used Post Office supplied Fujitsu Horizon tills.
Bank customers use bank-supplied online banking websites.

Fujitsu had remote access to sub-postmasters' tills.
Various companies have remote access to your online banking pages.

Fujitsu's systems could execute code in tills due to a backdoor available to their systems.
Various companies' servers can execute code in the online banking page, on your web browser, due to a backdoor to their servers that the bank gave them.

The code used allowed Fujitsu to falsify till records, and the resultant records appeared as the actions of the sub-postmasters.
Various companies' code can read your login credentials, banking details and perform online banking actions, with any records appearing as you.

Invented cash discrepancies left in the tills were blamed on sub-postmasters.
Any malicious banking activity will likely be blamed on banking customers; stolen data may be used for fraud such as identity theft; and a ransomware attack may be easy to achieve.

Fujitsu were a highly respected and reputable tech company.
The various companies are a mix of web startup, social media, analytics, major tech and foreign companies.

Sub-postmasters were financially ruined and some jailed.
What will happen to you if someone else can use your online banking as you or control the online banking page you are looking at?

Some stats

How many banking websites give these sites remote access as you?

How many banking websites give these companies remote access as you?

This design flaw is near everywhere

Nobody else should be able to use your logged-in account; if they can, it is likely a critical security breach.

If you hand your passwords to others, you will be held negligent for any damage that results.

But what if the system you use simply gives another party your access?

What you may not know is that it is common for websites to give others remote access to act as you on their web pages, that is, access to your user account.

Worse, in many cases this access extends to credentials, risking continued access at any time.

If access is abused, any logs are likely to indicate the activity was by the legitimate user, much like the poor sub-postmasters.

This has happened and can happen again

The UK regulator responsible in this domain, the ICO, was itself compromised through this vulnerability in 2018, resulting in visitors to the ICO website having their devices hijacked to mine cryptocurrency.

Had the attackers been more aggressive, they could have captured data from whistleblowers, industry data breach reports and the public's complaints (the ICO got lucky) - or at least we think it did: the ICO servers have no logs of what the attackers actually did.

Despite being hacked, the ICO has failed to enforce data protection law and stop this vulnerability.

It doesn't require malice

In one famous instance a third party accidentally hoovered up users' passwords, personal identifiers and more.

This incident is not an isolated one; the capture of sensitive data, including credit card details, has happened by accident on other sites too.

Merely installing some of these integrations on a website can result in significant data breaches, regardless of whether remote access is ever attempted.

A breakdown by UK banks

This is not exhaustive.

Website | Provides remote access to
Bank of Ireland | Amazon, AppDynamics, Cookie Law, Google
Bank Of Scotland | Dynatrace, LivePerson, Lloyds, Tealium, Yext
Citibank | Cheq, Google
Coutts | Adobe, Cookie Law, LivePerson
First Direct | AppDynamics, Google, HSBC, LivePerson, Meta, Microsoft, Optimizely, Tealium
HSBC | AppDynamics, Google, LivePerson, Meta, Microsoft, Optimizely, Tealium, TikTok, Twitter
Lloyds | Dynatrace, LivePerson, Tealium, Yext
Metro Bank | Google, Microsoft, One Trust, Optimizely
Nationwide | Adobe, LivePerson, One Trust
Natwest | Adobe, Cookie Law, LivePerson
RBS | Adobe, Cookie Law, LivePerson, Natwest
Sainsbury's | Corvidae, Google, Marin Software, Meta, Microsoft, Snapchat, Tealium, The Trade Desk, TikTok, TransUnion, Twitter
Santander | Adobe, One Trust, splash-screen.net
Starling | AB Tasty, Google, Instana, Matomo, Microsoft, Nextdoor, The Trade Desk, Trust Pilot
Tesco | Cheq, Google, Medallia, Meta, Microsoft, Oracle, Trust Pilot, Twitter
The co-operative bank | GlassBox, Tealium, Trust Pilot
TSB | Adobe, BioCatch, Click Tale, Dynatrace, Google, Meta, Microsoft, Tealium, Twitter
Virgin Money | Adobe, BioCatch, Contentsquare, Crownpeak, Google, Infinity Tracking, Meta, Microsoft, eGain

How does this happen?

Access depends on a site loading third parties' web apps

These apps are loaded not from the servers of the website you have trusted, but directly from a third party's server to which the website has delegated control.

Those apps have remote access within these pages, and this has been validated by tests that check for specific capabilities.

The following capabilities were checked, and failing any of them resulted in a bank's appearance here:

Further technical details

A significant failure here is the lack of use of the Subresource Integrity feature.

Whilst far from providing complete security against third parties, it does significantly limit what they can do and offers a starting point for protecting against remote access.

This, combined with ensuring the application doesn't itself evaluate any JavaScript (through eval or similar functions), can lock down remote access risks. However, it will be a minefield, as the site has to ensure it maintains these safeguards at all times when using third parties. The default security model of the web is to give third party JavaScript remote access.

This kind of remote access is technically known as remote code execution.

The code offered by a server can be modified by whoever controls the server, or by whoever can control which server the domain points to.