Wednesday, November 3, 2010

Hey Chase, Take DoubleClick Out of Your Online Banking

Guess what I found today. The Chase online banking website uses iframes to inject third-party tracking into the authenticated portion of online banking! What a failure for privacy and a big security risk. I'm at a loss as to what to say here.

Here's a little taste of their nastiness:

      <iframe src=";src=2299144;type=e-cus110;cat=e-cus876;u=123;ord=1;num=1?"
        width="1" height="1" frameborder="0"></iframe>  

Here are a few screenshots to demonstrate the issue. I discovered this little gift after installing the RequestPolicy add-on.

Business Customer Site:

Normal Customer Site:

Here is the snippet from the HTTP response for /MyAccounts.aspx. As you can see from the HTML comments, they knew exactly what they were doing. A copy of the code is below the image:

<!-- Start of DoubleClick Spotlight Tag: Please do not remove-->

<script language="JavaScript">
// Relaxes the same-origin policy: once this runs, any other document that
// sets document.domain to the same value can read and script this page.
document.domain = getDocumentDomain();

function getDocumentDomain() {
    var d = document.domain;
    if (d.indexOf(".") > -1) {
      // Keep only the last two labels, e.g. "www.chase.com" becomes "chase.com".
      var end = d.substring(d.lastIndexOf("."), d.length);
      d = d.substring(0, d.lastIndexOf("."));
      d = d.substring(d.lastIndexOf(".") + 1, d.length);
      d = d + end;
      return d;
    }
    return null;
}

function openWamuSSOWindow(aUrl) {
  var scLeft = window.screenLeft;
  var scTop = window.screenTop + 30;
  // The start of this line was garbled in the captured response; only the
  // window name and the feature string survived. Reconstructed as window.open.
  var w = window.open(aUrl, "WAMUSSOMortgage", "height=389,width=758,left=" + scLeft + ",top=" + scTop + ",screenX=0,screenY=0,location=yes,menubar=yes,resizable=yes,scrollbars=yes,status=yes,toolbar=yes");
  var agt = navigator.userAgent.toLowerCase();
  if (!(agt.indexOf("msie") != -1 && (parseInt(agt.substr(agt.indexOf("msie") + 5, 1)) == 4))) {
    // body truncated in the captured response
  }
}
var _linkTrackingVersion = 2;
</script>

  <iframe src=";src=2299144;type=e-cus110;cat=e-cus876;u=123;ord=1;num=1?"
    width="1" height="1" frameborder="0"></iframe>
<!-- End of DoubleClick Spotlight Tag: Please do not remove-->
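The two things worth checking in a response like the one above are whether any frame or script is loaded from a domain other than the bank's, and whether the page sets document.domain at all. Below is an added example that does both; it is not code from the original post, from Chase or from DoubleClick. It runs under Node.js, the sample response body is constructed for the example (the hosts bank.example and tracker.example.net and the page URL are placeholders, the tag parameters mirror the quoted snippet), and the domain heuristic deliberately copies the last-two-labels logic of the quoted getDocumentDomain().

```javascript
// Added example (not from the original post): audit an HTML response for
// third-party <iframe>/<script> sources and document.domain relaxation.

// Constructed sample response body. The tracker host and page origin are
// placeholders; the tag parameters mirror the snippet quoted in the post.
const SAMPLE_HTML = `
<html><body>
<script language="JavaScript">
document.domain = getDocumentDomain();
</script>
<iframe src="https://tracker.example.net/activity;src=2299144;type=e-cus110;cat=e-cus876;u=123;ord=1;num=1?"
  width="1" height="1" frameborder="0"></iframe>
<iframe src="/help/frame.aspx" width="300" height="200"></iframe>
<script src="https://static.bank.example/app.js"></script>
</body></html>`;

const SAMPLE_PAGE_URL = "https://www.bank.example/MyAccounts.aspx"; // constructed

// Same heuristic the quoted getDocumentDomain() uses: keep the last two
// labels. Fine for a demo, wrong for suffixes such as co.uk; a real scanner
// should consult the public suffix list instead.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  return labels.length <= 2 ? host.toLowerCase() : labels.slice(-2).join(".");
}

// Pull every <iframe src> and <script src> out of the markup.
function extractSources(html) {
  const re = /<(iframe|script)\b[^>]*?\bsrc\s*=\s*["']([^"']*)["']/gi;
  return [...html.matchAll(re)].map(m => ({ tag: m[1].toLowerCase(), src: m[2] }));
}

// "document.domain = ..." (assignment, not comparison) widens the same-origin
// policy: every other document that sets the same value can script this page.
function relaxesDocumentDomain(html) {
  return /document\.domain\s*=(?!=)/.test(html);
}

// Classify each embedded source as first- or third-party relative to the page,
// resolving relative URLs against the page URL, and derive a CSP that would
// have kept the tracking frame out.
function auditPage(html, pageUrl) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const firstParty = [];
  const thirdParty = [];
  for (const { tag, src } of extractSources(html)) {
    const host = new URL(src, pageUrl).hostname;
    const entry = { tag, src, host };
    (registrableDomain(host) === pageDomain ? firstParty : thirdParty).push(entry);
  }
  // Only same-origin frames; scripts only from the page and its first-party hosts.
  const scriptHosts = [...new Set(firstParty.filter(e => e.tag === "script").map(e => e.host))];
  const csp = `frame-src 'self'; script-src 'self' ${scriptHosts.join(" ")}`.trim();
  return {
    thirdParty,
    relaxesDocumentDomain: relaxesDocumentDomain(html),
    suggestedCsp: csp,
  };
}

// Usage: node audit.js
const report = auditPage(SAMPLE_HTML, SAMPLE_PAGE_URL);
for (const e of report.thirdParty) console.log(`third-party ${e.tag}: ${e.host} (${e.src})`);
if (report.relaxesDocumentDomain) console.log("page assigns document.domain");
console.log("suggested CSP:", report.suggestedCsp);
```

On the sample input this reports one third-party iframe (tracker.example.net), flags the document.domain assignment and suggests `frame-src 'self'; script-src 'self' static.bank.example`. A Content-Security-Policy with `frame-src 'self'` is enough to keep a cross-origin tracking frame out of an authenticated page; the document.domain relaxation is not something CSP addresses, so the fix there is simply not to assign it.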

-Michael Coates