The bizarre discovery was made by Twitter user @immunda, who noticed on Thursday that the British financial institution was calling JS from the Internet Archive.
Shortly after an abortive tussle with Barclays’ automated Twitter DM chatbot, he declared that he had got through to a human who had promised to fix the alarming howler.
The howler in question appeared, on The Register‘s inspection, to be pulling a file from this URL on the Internet Archive:
If web.archive.org went down, it would presumably break Barclays’ website as well. Worse, if someone managed to change the JS file at that URL, they could inject … well, whatever they liked.
JS is a favourite attack vector of, among other things, the Magecart financial creds-stealing gang.
Professor Alan Woodward of the University of Surrey told The Register: “It’s just the sort of thing that a Magecart attack would thrive on. At the end of the day, it is the organisation who integrates all of these assets, including those drawn in from other sites, to ensure that they have a secure site, and that can only ever be true if you know what your site comprises.”
The professor pointed us to a Twitter thread by infosec researcher Scott Helme, who went down the rabbit hole to try to figure out why Barclays was doing such an obviously stupid thing.
Also, there’s no SRI, so if the Internet Archive want to serve up a keylogger, cryptojacking JS, hostile redirect, rewrite the DOM or insert a credit card skimmer à la MageCart, it’s all fair game ? pic.twitter.com/3OPFR2nGFW
— Scott Helme (@Scott_Helme) July 2, 2020
We’ve asked Helme for his non-280-character thoughts on his findings.
The practice is not unheard of, though as some have pointed out, it is a very bad idea, and the nonprofit Internet Archive is not set up to serve as a production host for other people's websites.
Jake Moore of infosec biz Eset mused that it may have been a test of some kind gone badly wrong, adding: “Although no excuse, it is yet another reminder why testing is a full and thorough process especially when dealing with a financial institution.”
We asked Barclays for an explanation, and it would only say: “We take our responsibility to protect our customers’ data extremely seriously and it is a top priority. We want to reassure our customers that their data was not at risk as a result of this error.”
We have also asked the Internet Society for its views. ®