Wednesday, November 3, 2010

Hey Chase, Take DoubleClick Out of Your Online Banking

Guess what I found today. The Chase online bank website uses iframes to inject doubleclick.net tracking into the authenticated portion of online banking! What a failure for privacy and a big security risk. I'm at a loss as to what to say here.

Here's a little taste of their nastiness:

      <iframe src="http://fls.doubleclick.net/activityi;src=2299144;type=e-cus110;cat=e-cus876;u=123;ord=1;num=1?"
        width="1" height="1" frameborder="0"></iframe>  

Here are a few screenshots to demonstrate the issue. I discovered this little gift after installing the RequestPolicy addon.

Business Customer Site:


Normal Customer Site:

Here is the snippet from the HTTP response for /MyAccounts.aspx. As you can see in the comments section, they knew exactly what they were doing. A copy of the code is below the image:


<!-- Start of DoubleClick Spotlight Tag: Please do not remove-->

<script language="JavaScript">
document.domain = getDocumentDomain();

function getDocumentDomain()
{
  try
  {   
    var d = document.domain;
    if(d.indexOf(".") > -1)
    {
      var end = d.substring(d.lastIndexOf("."), d.length);
      d = d.substring(0, d.lastIndexOf("."));
      d = d.substring(d.lastIndexOf(".") + 1, d.length);
      d = d + end;
    }
    return d;
  }
  catch(e)
  {
    return null;
  }
}

function openWamuSSOWindow(aUrl)
{
  var scLeft = window.screenLeft;
  var scTop = window.screenTop + 30;
    var newWin=window.open(aUrl, "WAMUSSOMortgage", "height=389,width=758,left=" + scLeft + ",top=" + scTop + ",screenX=0,screenY=0,location=yes,menubar=yes,resizable=yes,scrollbars=yes,status=yes,toolbar=yes");
    var agt=navigator.userAgent.toLowerCase();
    if(!(agt.indexOf("msie")!=-1 && (parseInt(agt.substr(agt.indexOf("msie")+5,1))==4))){
      newWin.focus();
    }
}
var _linkTrackingVersion = 2;
</script>

<noscript>
  <iframe src="http://fls.doubleclick.net/activityi;src=2299144;type=e-cus110;cat=e-cus876;u=123;ord=1;num=1?"
    width="1" height="1" frameborder="0"></iframe>   
</noscript>
<!-- End of DoubleClick Spotlight Tag: Please do not remove-->

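To make this kind of finding repeatable rather than something you stumble on with a browser add-on, here is an added example (not from the original post) that scans an HTML response for embeds whose host is not the bank's own registrable domain and flags any inline script that assigns `document.domain`. The first-party domain `chase.com` and the sample HTML (assembled from the snippet quoted above plus one constructed first-party image) are assumptions for the example.

```python
"""Flag third-party embeds and origin relaxation in an authenticated page's HTML."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "chase.com"  # registrable domain the bank serves from (assumption for this example)

# Constructed sample: the relevant parts of the /MyAccounts.aspx response quoted in the post,
# plus one first-party image so the scanner has something it should NOT flag.
SAMPLE_HTML = """
<script language="JavaScript">document.domain = getDocumentDomain();</script>
<noscript>
  <iframe src="http://fls.doubleclick.net/activityi;src=2299144;type=e-cus110;cat=e-cus876;u=123;ord=1;num=1?"
    width="1" height="1" frameborder="0"></iframe>
</noscript>
<img src="https://www.chase.com/images/logo.png">
"""

def registrable(host):
    # Crude eTLD+1 (last two labels); fine for .com/.net, wrong for e.g. .co.uk.
    return ".".join(host.lower().split(".")[-2:])

class EmbedScanner(HTMLParser):
    """Collects src URLs of iframe/script/img tags and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.embeds, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("iframe", "script", "img") and src:
            self.embeds.append((tag, src))
        self._in_script = self._in_script or tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def find_third_party(html, first_party=FIRST_PARTY):
    """Return ([(tag, host, is_plain_http), ...], relaxes_origin)."""
    scanner = EmbedScanner()
    scanner.feed(html)
    findings = []
    for tag, url in scanner.embeds:
        host = urlparse(url).hostname or ""
        if host and registrable(host) != first_party:
            findings.append((tag, host, url.startswith("http://")))
    # Assigning document.domain widens the same-origin policy to every host under that domain.
    relaxes_origin = any(re.search(r"document\.domain\s*=", s) for s in scanner.scripts)
    return findings, relaxes_origin
```

Run against the sample it reports the doubleclick.net iframe (and that it is loaded over plain HTTP inside an authenticated session) together with the `document.domain` assignment, while the first-party image is left alone.
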
-Michael Coates

1 comment:

  1. I've also noticed that USAA does this too. :/

