Back to Home

External scripts with access to your credit cards and personal account

javascript · network security · payment security · do not shoot the pianist

External scripts with access to your credit cards and personal account

    image

    Tell me, how would you feel about the sellers giving the opportunity to collect the attributes of your cards, including number, surname and CVC, to some unauthorized person even at the time of payment, and also, without a password, allowed to see what you are doing in your personal account some service, to whom and how much you pay, for example. How many phones do you have and how do you use them. Those. you enter with a password, confirm ownership by SMS, logged in, and there people are crowding, who just went to see. Rave? However, many services do this. How would you feel if a surveillance camera were found in a room for opening bank cells? But, let’s not talk about banks again, let's talk about everything in sequence.

    I apologize in advance to those for whom the explanations seem too chewy, despite the audience, the last time many did not understand what was at stake.

    Most webmasters ignore the fact that pages with sensitive information should be static in content. How is a virus different from a regular program? By the fact that a program appears on the computer written by an incomprehensible person, it consumes resources and performs incomprehensibly what actions for the purposes of their authors (allow a free definition for the benefit of explanation). And here we take a page, for example, a Beeline personal account.

    image

    In addition to the regular Beeline address, we see that the page contains addresses that do not belong to it. Those. there is a code that Beeline employees wrote and there is a code that is loaded from some other servers written by other people; moreover, this code is not controlled by Beeline employees at all, since it is downloaded not through Beeline, but to the addresses that you see. Since it is not controlled, what actions it performs is also not clear.

    Here, please, a short video on what you can create with external scripts in your account



    If someone is interested to read the details here they are, it’s according to Beeline.

    We proceed to the next one that I promised in the title.

    Passing by the MTS payment site, I accidentally discovered banner cut protests. Fortunately, there are not many scripts. But popular google analytics is there. Right here on the page where you enter the card numbers and CVV.

    A small explanatory video:



    I will describe what is happening on the video if someone cannot watch it. Having tricked DNS, I redirected analytics scripts to my web server, where I successfully replaced them with mine. This is not a hack and there is no purpose to expose the vulnerability detected, although there is some likelihood of this too. With my scripts, I safely collected the random random credit card numbers entered by myself and sent them to the server. To demonstrate the capabilities of the script, I also changed the amount of payment.

    Sorry, I repeat, there is some company (the above, like many others, are not the name). They write a site in which they put secrecy and some kind of functionality where (I believe in it) no one should edit personal data and they will not leak out. In order to collect statistics on their users, they are lazy and use other people's scripts. Those. they give a command to users browsers on their site - go to another server and get a script for statistics there. What this script is currently only known to the owners of another server. What he does, the site owners can not know. Moreover, in some cases, the user's browsers can be told that the scripts were taken from somewhere else and then the number of those who can change them increases sharply. Owners of statistics servers and other inserts can collect everything they reach without any problems at all. I’m sure that the owners of the main sites do not even know where they want to reach.

    It is not necessary to believe in the honesty of the analytics company. However, people work in it. And people sometimes break the law. And although the company will then take out the bathhouse and shoot offending employees, will it personally make it easier for you? Can this compensate for the loss? I basically do not understand why give an extra opportunity to access such data? If someone really hopes for SMS, I recommend reading this article here and recall the recent history of how unscrupulous employees of one of the salons duplicated SIM cards of a mobile operator.

    My letter to MTS:
    Good afternoon, please specify why third-party scripts, including foreign ones, are used on the pages of the MTS website? This can also be a threat to the safety of information transmitted between your company and the user.

    And such an unsubscribed received
    Hello, Oleg Andreevich.
    The safety of information is protected by the legislation of the Russian Federation.
    Sincerely,
    **** ******
    MTS PJSC

    Both laughter and sin. I don’t want the employee to be made a scapegoat, which happened to me quite understandably, because the name starred. Then he shot and sent the video that you saw above, after which there was a message that it was sent to some security unit and I did not receive any further messages. I also collected chronology on MTS

    Well, and so that they would not suspect me of bias, Megafon has the same thing.



    Two scripts, metrics and analytics. We change to our own and enjoy receiving data and changing all kinds of texts.

    Just in case, I’ll explain how you can see if a pig was put in your personal account. For example, using the Chrome browser. Go to your personal account or what you have there contains personal data, press Shift-Ctrl-J, select the Network section, subsection JS and press F5. In the list that will be filled after that there should not be any "alien" addresses, only belonging to the resource on which you are located. It is highly desirable, of course, that at this moment all browser extensions are turned off. You will find something interesting - write in the comments which resource and what connects to your personal account. Do not panic right away, there are still some restrictions on scripts accessing content. But on webmaster sites that focus on security, external scripts are excluded in principle. I recommend that everyone adhere to this rule, who doesn’t want to set up people using the service. Statistics can be collected by our own means, and the most accurate one will be from web server logs, where there are no distortions from banner cuts. There are options for JS statistics, the scripts of which can be stored at home.

    I considered it right to first report the problem to the companies themselves before publication, so at the moment, something could have changed. But, in the light of what is happening, there are still a lot of resources with external statistics on the pages with your data.

    Read Next