They Can Be You

Can TikTok use your online bank account ... as you? What about other companies?

Call to action

Barclays demonstrate security

Tests run against Barclays' login and home page did not expose this flaw.

Note: This does not prove Barclays' wider security, as only 2 pages were checked, but it does prove there is no need for banks to violate customers' security. Following this discovery I opened a Barclays account.

Metro Bank users hacked?

Metro Bank were warned they had no control of their use of Polyfill in 2023.

In 2024 Polyfill systems started to hack users on websites that adopted it.

Around the same time Metro Bank quietly removed it from their site; did they remove it in time?

(sonatype.com) Polyfill.io supply chain attack hits 100,000+ websites - all you need to know

A critical security threat to UK online banking users

When you use online banking, most banks give others access too.

For centuries, bank staff have had access, but we have expected security.

That security is provided, perhaps, by processes, monitoring and signed paper trails.

We expect that, if challenged, the bank can prove whether you asked for what staff did.

But not online.

Remote Access

That moment in Mr Bates vs The Post Office, when they discover Fujitsu had remote access to act as sub-postmasters.

That is the nature of the problem here.

In this case, remote access means others can make the web page you are looking at do what they like, without it showing on the page.

Your browser downloads these banks' web pages.

The banks' page will include bank code that runs in the web page... no surprise there.

But the surprise is that, often, the bank's code then tries to download further code, directly from other companies' websites, into the banking page you are using.

These are websites the bank cannot monitor, does not own and does not control, and this further code can do whatever it likes in the online banking page.

Perhaps: read login details, fake login forms to grab passwords, fill out forms, click buttons, return data to those websites, send their choice of data to bank servers or take users to malicious websites.

By sharing access to login credentials, or the capability to fake login forms, the banks can no longer differentiate between what a customer does and what one of their chosen third parties does.

By allowing arbitrary code to load from the third parties, the banks can no longer differentiate your actions in your web browser from those of a third party they gave access to.

Remote Access: The Post Office Online Banking Scandal

If your bank is impacted, the following may help you understand the risk by comparing it to the events sub-postmasters suffered.

Post Office: Sub-postmasters used Post Office supplied Fujitsu Horizon tills.
Online banking: Bank customers use online banking websites supplied by their bank.

Post Office: Fujitsu had remote access to sub-postmasters' tills.
Online banking: Various companies have remote access to your online banking pages.

Post Office: Fujitsu's systems could execute code in tills due to a backdoor available to their systems.
Online banking: Various companies' servers can execute code in the online banking page, in your web browser, due to a backdoor to their servers that the bank gave them.

Post Office: The code used allowed Fujitsu to falsify till records, and the resulting records appeared as the actions of the sub-postmasters.
Online banking: Various companies' code can read your login credentials and banking details and perform online banking actions, with any records appearing as you.

Post Office: Invented cash discrepancies left in the tills were blamed on sub-postmasters.
Online banking: Any malicious banking activity will likely be blamed on banking customers. Stolen data may be used for fraud such as identity theft, and a ransomware attack may be easy to achieve.

Post Office: Fujitsu were a highly respected and reputable tech company.
Online banking: The various companies are a mix of web startups, social media, analytics, major tech and foreign companies.

Post Office: Sub-postmasters were financially ruined and some were jailed.
Online banking: What will happen to you if someone else can use your online banking as you, or control the online banking page you are looking at?

Some stats

How many banking websites give these sites remote access as you?

How many banking websites give these companies remote access as you?

This design flaw is near everywhere

Nobody should be able to use your logged-in account; if they can, this is likely a critical security breach.

If you hand your passwords to others, you will be held negligent for any damage that results.

But what if the system you use, just gives another your access?

What you may not know is that it is common for websites to give others remote access to act as you on their web pages, that is, access to your user account.

Worse, in many cases that access includes your credentials, risking continued access at any time.

If access is abused, any logs are likely to indicate the activity was by the legitimate user, much like the poor sub-postmasters.

This has happened and can happen again

The UK regulator responsible in this domain, the ICO, were themselves hacked by this vulnerability in 2018, resulting in visitors to the ICO website having their devices hijacked to mine cryptocurrency.

Had the attackers been more aggressive, they could have captured data from whistleblowers, industry data breach reports and the public's complaints (the ICO got lucky) - or at least we think they did, the ICO servers have no logs of what the attackers actually did.

Despite being hacked, the ICO have failed to enforce data protection law and stop this vulnerability.

It doesn't require malice

In one famous instance a third party accidentally hoovered up users' passwords, personal identifiers and more.

This incident is not alone: the capturing of sensitive data, including credit card details, has happened by accident on other sites too.

When companies simply install some of these integrations on their website, it can result in significant data breaches even when no remote access is attempted.

A breakdown by UK banks

This is not exhaustive.

Updated: 8th February 2025

Website: Provides remote access to

Bank of Ireland: Amazon, AppDynamics, Cookie Law, Google, Meta, Optimizely
Bank Of Scotland: Dynatrace, LivePerson, Lloyds, Tealium
Coutts: Adobe, Cookie Law, LivePerson
First Direct: AppDynamics, Google, LivePerson, Meta, Microsoft, Optimizely, Tealium
HSBC: Amazon, AppDynamics, Google, LivePerson, Meta, Tealium, Twitter
Lloyds: Dynatrace, LivePerson, Tealium
Metro Bank: Google, One Trust, Optimizely
Nationwide: Adobe, LivePerson, One Trust
Natwest: Adobe, Amazon, Cookie Law, Google, LivePerson
RBS: Adobe, Amazon, Cookie Law, Google, LivePerson, Natwest
Sainsbury's: Callsign, Google, Marin Software, Meta, Tealium, The Trade Desk, TikTok, Twitter
Santander: Adobe, One Trust, splash-screen.net
Tesco: Adobe, Cheq, Google
The co-operative bank: GlassBox, Tealium, Trust Pilot
TSB: Adobe, BioCatch, Click Tale, Dynatrace, Google, Microsoft, Tealium, Yext
Virgin Money: Adobe, BioCatch, Contentsquare, Crownpeak, Google, Meta, Microsoft, Wingify, eGain

How does this happen?

Access depends on a site loading third parties' web apps.

These apps are loaded not from the servers of the website you have trusted, but from a third party's server that the website has delegated control to.

Those apps have remote access within these pages, and this has been validated by tests that check for specific capabilities.

The following capabilities were checked, and if any check failed it resulted in the site's appearance here:

Further technical details

A significant failure here is the lack of use of the Subresource Integrity feature.

Whilst far from providing complete security against third parties, it does significantly limit what they can do and offers a starting point for protecting against remote access.

This, combined with ensuring the application doesn't evaluate any JavaScript itself (via eval or similar functions), can lock down remote access risks. However, it will be a minefield, as the site has to ensure it maintains those safeguards at all times when using third parties. The default security model of the web is to give third-party JavaScript remote access.

This kind of remote access is technically known as remote code execution.

The code served by a server can be modified by whoever controls the server, or by whoever can control which server the domain points to.

Author

Mark Richards: A software engineer and in my spare time a data protection researcher.

Feel free to ask me questions directly on LinkedIn, please don't use it to market anything towards me.

This website was created by the execution of the test suite and then report generator (gitlab.com) hosted here.