https://theycanbeyou.com/

They Can Be You

You use the web. So do they.
You use your browser. So do they.
You login to your online banking. So can they. Do they?

Call to action

Attempts to raise the alarm have so far failed.

* Please raise this with journalists
* Please raise this with public bodies: ICO, Bank of England, FCA and NCSC
* Please raise this with your MP
* Please raise this with your Bank

A 10.0 security vulnerability in most UK banking websites

Most banks have given third party companies remote access to your online bank account, via a remote code execution vulnerability. Remote code execution is often a 10/10 graded security failing.

When your browser downloads a vulnerable bank's web pages, the bank's code tries to download further code directly from the third party servers: servers the bank does not own or control. This further code can do whatever it likes in the online banking page. Perhaps: read login details, spoof login forms to grab passwords, fill out forms, click buttons, return data to their servers, send data to bank servers.

Not known is whether an abuse of this vulnerability could trigger a social response, such as a bank run. If anyone has research on this please send it to the appropriate public bodies.

A critical feature of information security, especially for financial activity, is non-repudiation: the activity recorded is strong enough to hold up in court. By sharing access to login credentials, or the capability to spoof login forms, the banks can no longer differentiate between what a customer does and what one of their chosen third parties does. By allowing arbitrary code to be executed by the third parties, the banks can no longer differentiate your actions in your web browser from those of a third party.

Remote Access: The ~~Post Office~~ Online Banking Scandal

If your bank is impacted, the following may help you understand the risk by comparing it to the events sub-postmasters suffered.

| Post Office scandal | Online banking |
|---|---|
| Sub-postmasters used Post Office supplied Fujitsu Horizon tills. | Bank customers use bank supplied online banking websites. |
| Fujitsu had remote access to sub-postmasters' tills. | Various companies have remote access to your online banking pages. |
| Fujitsu's systems could execute code in tills due to a backdoor available to their systems. | Various companies' servers can execute code in the online banking page, in your web browser, due to a backdoor to their servers that the bank gave them. |
| The code used allowed Fujitsu to falsify till records, and the resultant records appeared as the actions of the sub-postmasters. | Various companies' code can read your login credentials and banking details and perform online banking actions, with any records appearing as you. |
| Invented cash discrepancies left in the tills were blamed on sub-postmasters. | Any malicious banking activity will likely be blamed on banking customers; data thefts may be used for fraud such as identity theft, and a ransomware attack may be easy to achieve. |
| Fujitsu were a highly respected and reputable tech company. | The various companies are a mix of web startups, social media, analytics, major tech and foreign companies. |
| Sub-postmasters were financially ruined and some jailed. | What will happen to you if someone else can use your online banking as you, or control the online banking page you are looking at? |

Some stats

[Chart: How many banking websites give these sites remote access as you?]
[Chart: How many banking websites give these companies remote access as you?]

This design flaw is near everywhere

Nobody should be able to use your logged in account; this is likely a critical security breach. If you hand your passwords to others, you will be held negligent for any damage that results. But what if the system you use just gives another your access? What you may not know is that it is common for websites to give others remote access to act as you on their webpages, that is, access to your user account.
Worse, in many cases that access includes access to credentials, thus risking continued access at any time. If access is abused, any logs are likely to indicate the activity was by the legitimate user, much like the poor sub-postmasters.

This has happened and can happen again

The UK regulator responsible in this domain, the ICO, were themselves hacked by this vulnerability in 2018, resulting in visitors to the ICO website having their devices hijacked to mine cryptocurrency. Had the attackers been more aggressive, they could have captured data from whistleblowers, industry data breach reports and the public's complaints (the ICO got lucky) - or at least we think they did; the ICO servers have no logs of what the attackers actually did. Despite being hacked, the ICO have failed to enforce data protection law and stop this vulnerability.

It doesn't require malice

In one famous instance a third party accidentally hoovered up users' passwords, personal identifiers and more. This incident is not alone: the capturing of sensitive data, including credit card details, has happened by accident on other sites too. When companies simply install some of these integrations on their website it can result in significant data breaches, regardless of whether remote access is ever attempted.

A breakdown by UK banks

This is not exhaustive.
| Website | Provide remote access to |
|---|---|
| Bank of Ireland | Amazon, AppDynamics, Cookie Law, Google, Dynatrace, LivePerson |
| Bank Of Scotland | Lloyds, Tealium, Yext |
| Citibank | Cheq, Google |
| Coutts | Adobe, Cookie Law, LivePerson |
| First Direct | AppDynamics, Google, HSBC, LivePerson, Meta, Microsoft, Optimizely, Tealium |
| HSBC | AppDynamics, Google, LivePerson, Meta, Microsoft, Optimizely, Tealium, TikTok, Twitter |
| Lloyds | Dynatrace, LivePerson, Tealium, Yext |
| Metro Bank | Google, Microsoft, One Trust, Optimizely |
| Nationwide | Adobe, LivePerson, One Trust |
| Natwest | Adobe, Cookie Law, LivePerson |
| RBS | Adobe, Cookie Law, LivePerson, Natwest |
| Sainsbury's | Corvidae, Google, Marin Software, Meta, Microsoft, Snapchat, Tealium, The Trade Desk, TikTok, TransUnion, Twitter |
| Santander | Adobe, One Trust, splash-screen.net |
| Starling | AB Tasty, Google, Instana, Matamo, Microsoft, Nextdoor, The Trade Desk, Trust Pilot |
| Tesco | Cheq, Google, Medallia, Meta, Microsoft, Oracle, Trust Pilot, Twitter |
| The co-operative bank | GlassBox, Tealium, Trust Pilot |
| TSB | Adobe, BioCatch, Click Tale, Dynatrace, Google, Meta, Microsoft, Tealium, Twitter |
| Virgin Money | Adobe, BioCatch, Contentsquare, Crownpeak, Google, Infinity Tracking, Meta, Microsoft, eGain |

How does this happen?

Access depends on a site loading third parties' web apps: apps loaded not from the servers of the website you have trusted, but directly from a third party's server to which the website has delegated control. Those apps have remote access within these pages, and this has been validated by tests that check for specific capabilities. The following capabilities were checked, and a site is listed above if any of these checks failed:

* Can their scripts access login forms?
* Can their scripts create login forms?

Further technical details

A significant failure here is the lack of use of the Subresource Integrity feature. Whilst far from providing complete security against third parties, it does significantly limit what they can do and offers a starting point for protecting against remote access.
This, combined with ensuring the application doesn't evaluate any JavaScript itself (using eval or similar functions), can lock down remote access risks. However, it will be a minefield, as the site has to ensure it maintains every safeguard at all times when using third parties. The default security model of the web is to give third party JavaScript remote access. This kind of remote access is technically known as remote code execution. The code offered by a server can be modified by whoever controls the server, or by whoever can control which server the domain points to.