November 19, 2007

Are Blog Tracking Services A Security Risk? Citibank Thinks So

Duncan Riley

20 comments

Blog tracking and commenting services such as the now Yahoo-owned MyBlogLog continue to be fairly widely used, but using these services could pose a security risk, at least according to Citibank.

Zoli Erdos uses both MyBlogLog and BlogRovr and got a rather interesting message whilst trying to log into Citibank:

[Image: citi.jpg, the warning message shown on Citibank's site]

Could something you type into a secured Citibank page end up on one of these services? If the service is a browser plugin that sends data back to a central server, it could in theory track and record anything you type, although that presumes these services would also be used for malicious purposes, not just for the occasional spamming some of them already engage in.



Comments


  1. Chris Goffinet

    This must be why Citibank is tanking, everyone’s incompetent!

  2. Todd Sampson

    Strange note. The only thing that I can think is that Citibank is referring to browser plug-in comment tracking apps — like Co-comment. As such, they can’t be talking about MyBlogLog. The MyBlogLog app would need to be installed on the Citibank site for any usage tracking to occur.

    Cheers,
    Todd

  3. Ian Kennedy

    In order for MyBlogLog to capture user behavior such as comment text, the site would also have to be running the MyBlogLog widget. I think the message that Zoli describes is directed towards users running a browser-based plug-in which wouldn’t require any site-specific script to be running.

    Ian
    Product Manager, MyBlogLog

  4. Daniel Ha

    The Citibank message would be referring to BlogRovr, not MyBlogLog.

  5. Todd Sampson

    Niall Kennedy — who is sitting next to me at the Google OpenSocial event — pointed out that I left out my title on the above post. I am the Co-founder and CTO of MyBlogLog.

    Cheers,
    Todd

  6. www.CARversation.com

    That is insane, this needs to be fixed, I'm scared to even post on here

  7. John Ratcliffe-Lee

    Yes. It could and has. Several months ago, when I still used coComment & Citibank I encountered this exact situation and tried, sort of in vain, to get Citibank to recognize it:

    http://jratlee.tumblr.com/post/189652

    &

    http://jratlee.tumblr.com/post/266136

    Some of the links in those posts and others you’ll find online might point to “journal.ratcliffe-lee.com” as the domain. I’m in the middle of changing things around and if you point it to “jratlee.tumblr.com” instead, it should work.

    Tom Biro also has more here:

    http://www.openthedialogue.com.....ibank.html

    http://www.openthedialogue.com.....wup_2.html

    http://www.openthedialogue.com.....tiban.html

    http://www.openthedialogue.com.....ibank.html

  8. Zoli Erdos

    Yes, I also think the warning refers to browser plugins. I happen to have BlogRovr installed (testing), but I believe other services (c.comment? others?) also have plugins.

  9. Marc A. Meyer

    Hi, Marc Meyer of BlogRovR here. Zoli has published a follow-up on his site regarding BlogRovR NOT being the cause of his strange error messages.

    # Zoli Erdos | November 19th, 2007 at 11:35 pm

    “Citi does not test for the presence of browser extensions: I just went back and tested it after uninstalling BlogRovr, then again with a vanilla IE7 and saw the same message, so it’s a generic warning.

    “This was at citicards.com, trying to send a customer service message, but I suppose the same situation applies to any site that offers message boxes.”

    BlogRovR isn’t looking at or recording anything like this.

  10. vepa

    Thread is most people are not aware if any particular application or plugin can track their behavior. They install it because they are useful in some areas, like tracking visited blogs, and fully trust them, never questioning security.

  11. Paul Wright

    @John Ratcliffe-Lee

    This isn’t Citibank’s security hole, it’s CoComment’s. If you install the Firefox plugin for Cocomment, Cocomment’s javascript is fetched from their server and executed on every page your browser loads. The referrer from the fetch tells Cocomment the URL of every page you visit, and you’re allowing them to run arbitrary Javascript on that page, so I hope you trust them completely with any and all information you view on web pages.

    Anyway, when the Javascript runs, it’ll try to identify forms on the page, and if you haven’t explicitly blacklisted the site in Cocomment, it will do its best to put any form submissions you make into your Cocomment feed. This is what Cocomment is for, after all.

    Why are Cocomment doing it this way? I suppose that fetching the script from their server each time means it’s always up to date, so if they change it to recognise a new type of blog, you’ll see that working straight away rather than having to update the extension. They also need to know every page you visit because they’re also providing this “review/comment on any web page” function (where they store the comments on their server and you can see them when you visit a page). I think other people have tried that idea and found no-one cares, so for my money Cocomment would be better off sticking to what they’re good at.

    How could they make this better? Well, pages which aren’t publicly visible without a login shouldn’t even have Cocomment’s script running on them, at all, ever. The extension should check this and not even fetch the script (it’s the fetch which gives away the URL, remember). Secondly, there should be the option of storing the blogs you want Cocomment to work on client-side, so that running the script is explicitly opt-in for a particular blog.

    For now, I’m just using Cocomment’s bookmarklet instead, as I can use that when I want to record a comment (and give Cocomment explicit permission to see the page) and be left alone the rest of the time. This is annoying as I sometimes forget to use the bookmark, so I might get around to doing a whitelist with Greasemonkey if I get a moment.

  12. Duncan Riley

    OK, so Marc says it’s not BlogRovr and the MyBlogLog people say it’s not them. Zoli only had these two installed…it has to be one of them now, doesn’t it? Instead of defending each product (natural reaction) contact Citibank with a big WTF instead :-)

  13. gregory

    sooo many back doors in this web thing…

  14. Paul Wright

    Aaaand another thing: CoComment’s use of injected javascript which is visible to the page itself presumably creates some interesting possibilities for malicious blog authors. We’ve been here before with Greasemonkey, right? I’ve not tried anything along these lines, so this is just speculation at the moment, but I’d expect the blog itself to be able to manipulate CoComment just as Cocomment can manipulate the blog.

  15. LiveCrunch+Bontb

    I was wondering how come nobody has as of yet checked into that? I mean it’s pretty easy (kinda).

    I would check into what is going out to them, but I don’t have time for it.

    But when you think, would Yahoo do something like that for legal issues?

    Don’t forget MyBlogLog is a bit*** to Yahoo now :)

  16. Permeate

    Duncan,

    I hate when you use the word “whilst”

    I want to punch you.

  17. Zoli Erdos

    Duncan,

    I believe it’s a generic warning from Citibank. It wasn’t triggered by anything present in my browser - I tested this by going back with BlogRovr unloaded, and also with a vanilla IE7.

    That said, something prompted them to display this warning: perhaps it was the very well documented case by @7 John Ratcliffe-Lee above… or others. So let’s forget BlogRovr, coComment ..etc for a while.

    I believe what we have here is a generic question: when we use any browser extensions that track the content of web-pages, how do we know we are safe?

    I’d love to get whoever put out the warning on Citibank’s site engaged … fat chances :-( But perhaps the coComment team will chip in here?

  18. Zoli Erdos

    Sorry, I wasn’t clear re. “testing”. My point is, anyone with access to http://www.citicards.com can try to open a customer service message box and will get the warning, no matter what browser they use. So that means Citi must have experienced enough problems or received enough complaints to warrant such a generic warning. And it’s probably the same on any other sites, be it banks, brokerages, airlines..etc (?)

  19. Steve Poland

    Run this Firefox plugin, Live HTTP Headers, and watch what all your other Firefox plugins are getting access to (as you pull up webpages, they pull content/URLs back to their services). https://addons.mozilla.org/en-US/firefox/addon/3829

    As for Cocomment, if they are pulling the content from every page back to their site — they should be at the very least disabling this for any ‘https’ sites. And/or Firefox/IE should be disallowing this — or notifying the browser user that a plugin is sending this information back to a plugin. Imagine how much spyware/toolbars are doing this in browsers for the tech non-savvy.

  20. Kevin Burton

    If you’re running a 3rd party plugin that scrapes pages LOADED VIA SSL and then submits these pages to external sites you pretty much DESERVE to be 0wn0r3d

    :)

    Seriously… It’s only sane to code these types of applications to ignore URLs loaded via https.

    Kevin
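Two of the suggestions in this thread can be turned into concrete code: Paul Wright's proposal (comment 11) that an extension should only fetch and run its remote script on sites the user has explicitly opted in to, and never on pages that need a login, together with Kevin Burton's rule (comment 20) that https pages be ignored outright; and Steve Poland's tip (comment 19) of watching Live HTTP Headers to see what plugins send home. The block below is an added example, not code from the post or from CoComment, BlogRovr or MyBlogLog. `shouldLoadTracker` is the gate an extension could apply before injecting anything; `findCrossSiteReferrerLeaks` is a check over a captured header log that flags requests to a third-party host whose Referer is an https page. The function names, the login-path heuristics, and the sample capture (hosts under `.example`) are all constructed for this illustration.

```javascript
// Added example: defensive checks for a browser extension that injects a
// comment-tracking script into pages. Hypothetical code, not any named
// service's own; all hosts and URLs below are constructed sample values.

// Path fragments that usually mean "this page requires a login".
// Heuristic only; the password-field check below is the stronger signal.
const LOGIN_PATH_HINTS = ["login", "signin", "sign-in", "logon"];

function hostMatches(hostname, allowedHost) {
  return hostname === allowedHost || hostname.endsWith("." + allowedHost);
}

// Decide whether the tracker script may be fetched for this page.
// whitelist: hostnames the user opted in to, stored client-side.
// hasPasswordField: whether the DOM contains an <input type="password">.
function shouldLoadTracker(pageUrl, whitelist, hasPasswordField = false) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (_) {
    return { allow: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:") {
    return { allow: false, reason: "not a plain http page" };
  }
  if (hasPasswordField) {
    return { allow: false, reason: "page contains a password field" };
  }
  const path = url.pathname.toLowerCase();
  if (LOGIN_PATH_HINTS.some((hint) => path.includes(hint))) {
    return { allow: false, reason: "path looks like a login page" };
  }
  if (!whitelist.some((host) => hostMatches(url.hostname, host))) {
    return { allow: false, reason: "host not whitelisted by the user" };
  }
  return { allow: true, reason: "whitelisted http page" };
}

// Parse a Live HTTP Headers-style capture: entries separated by a line of
// dashes; the first line of each entry is the request URL, followed by the
// request line and headers. Returns the entries whose Referer is an https
// page on a different host than the request target.
function findCrossSiteReferrerLeaks(captureText) {
  const leaks = [];
  for (const entry of captureText.split(/^-{5,}$/m)) {
    const lines = entry.trim().split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
    if (lines.length === 0) continue;
    let requestUrl;
    try { requestUrl = new URL(lines[0]); } catch (_) { continue; }
    const refererLine = lines.find((l) => /^referer:/i.test(l));
    if (!refererLine) continue;
    let referer;
    try {
      referer = new URL(refererLine.slice(refererLine.indexOf(":") + 1).trim());
    } catch (_) { continue; }
    if (referer.protocol === "https:" && referer.hostname !== requestUrl.hostname) {
      leaks.push({ to: requestUrl.hostname, from: referer.origin + referer.pathname });
    }
  }
  return leaks;
}

// Constructed sample capture in the Live HTTP Headers layout.
const SAMPLE_CAPTURE = `
https://bank.example/secure/messages

GET /secure/messages HTTP/1.1
Host: bank.example
----------------------------------------------------------
http://tracker.example/inject.js

GET /inject.js HTTP/1.1
Host: tracker.example
Referer: https://bank.example/secure/messages
----------------------------------------------------------
http://blog.example/static/app.js

GET /static/app.js HTTP/1.1
Host: blog.example
Referer: http://blog.example/2007/11/post
----------------------------------------------------------
`;

// Stand-alone run: the only flagged entry is the script fetched from
// tracker.example while an https bank page was open.
console.log(findCrossSiteReferrerLeaks(SAMPLE_CAPTURE));
console.log(shouldLoadTracker("https://bank.example/secure/messages", ["blog.example"]));
```

The gate fails closed: an unparseable URL, any non-http scheme, a visible password field, a login-looking path, or a host outside the user's list all block the fetch, and because the script is never requested, the Referer is never sent. The header check is the complementary detection step a user can run against a real capture to see which of their plugins phone home from secured pages.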