Comments on: Are Blog Tracking Services A Security Risk? Citibank Thinks So http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/ Startup and Technology News Sun, 07 Sep 2008 23:16:02 +0000 http://wordpress.org/?v=2.5.1 By: Kevin Burton http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1790261 Kevin Burton Sun, 25 Nov 2007 01:09:36 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1790261 If you're running a 3rd party plugin that scrapes pages LOADED VIA SSL and then submits these pages to external sites you pretty much DESERVE to be 0wn0r3d :) Seriously.. It's only sane to code these type of applications to ignore URLs loaded via https. Kevin If you’re running a 3rd party plugin that scrapes pages LOADED VIA SSL and then submits these pages to external sites you pretty much DESERVE to be 0wn0r3d

:)

Seriously.. It’s only sane to code these type of applications to ignore URLs loaded via https.

Kevin

]]> By: Steve Poland http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1777400 Steve Poland Tue, 20 Nov 2007 19:30:14 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1777400 Run this firefox plugin Live HTTP Headers, and watch what all your other Firefox plugins are getting access to (as you pull up webpages; they pull content/URLs back to their services). https://addons.mozilla.org/en-US/firefox/addon/3829 As for Cocomment, if they are pulling the content from every page back to their site -- they should be at the very least disabling this for any 'https' sites. And/or Firefox/IE should be disallowing this -- or notifying the browser user that a plugin is sending this information back to a plugin. Imagine how much spyware/toolbars are doing this in browsers for the tech non-savvy. Run this firefox plugin Live HTTP Headers, and watch what all your other Firefox plugins are getting access to (as you pull up webpages; they pull content/URLs back to their services). https://addons.mozilla.org/en-US/firefox/addon/3829

As for Cocomment, if they are pulling the content from every page back to their site — they should be at the very least disabling this for any ‘https’ sites. And/or Firefox/IE should be disallowing this — or notifying the browser user that a plugin is sending this information back to a plugin. Imagine how much spyware/toolbars are doing this in browsers for the tech non-savvy.

]]> By: Zoli Erdos http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1777069 Zoli Erdos Tue, 20 Nov 2007 17:21:55 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1777069 Sorry, I wasn't clear re. "testing". My point is, anyone with access to www.citicards.com can try to open a customer service message box and will get the warning, no matter what browser they use. So that means Citi must have experienced enough problems or received enough complaints to warrant such a generic warning. And it's probably the same on any other sites, be it banks, brokerages, airlines..etc (?) Sorry, I wasn’t clear re. “testing”. My point is, anyone with access to http://www.citicards.com can try to open a customer service message box and will get the warning, no matter what browser they use. So that means Citi must have experienced enough problems or received enough complaints to warrant such a generic warning. And it’s probably the same on any other sites, be it banks, brokerages, airlines..etc (?)

]]> By: Zoli Erdos http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1777060 Zoli Erdos Tue, 20 Nov 2007 17:19:14 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1777060 Duncan, I believe it's a generic warning from Citibank. It wasn't triggered by anything present in my browser - I tested this by going back with BlogRovr unloaded, and also with a vanilla IE7. That said, something prompted them to display this warning: perhaps it was the very well documented case by @7 John Ratcliffe-Lee above... or others. So let's forget BlogRovr, coComment ..etc for a while. I believe what we have here is a generic question: when we use any browser extensions that track the content of web-pages, how do we know we are safe? I'd love to get whoever put out the warning on Citibank's site engaged ... fat chances :-( But perhaps the coComment team will chip in here? Duncan,

I believe it’s a generic warning from Citibank. It wasn’t triggered by anything present in my browser - I tested this by going back with BlogRovr unloaded, and also with a vanilla IE7.

That said, something prompted them to display this warning: perhaps it was the very well documented case by @7 John Ratcliffe-Lee above… or others. So let’s forget BlogRovr, coComment ..etc for a while.

I believe what we have here is a generic question: when we use any browser extensions that track the content of web-pages, how do we know we are safe?

I’d love to get whoever put out the warning on Citibank’s site engaged … fat chances :-( But perhaps the coComment team will chip in here?

]]> By: Permeate http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1776699 Permeate Tue, 20 Nov 2007 14:47:36 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1776699 Duncan, I hate when you use the word "whilst" I want to punch you. Duncan,

I hate when you use the word “whilst”

I want to punch you.

]]> By: LiveCrunch+Bontb http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1776482 LiveCrunch+Bontb Tue, 20 Nov 2007 13:40:51 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1776482 I was wondering how come that nobody as of yet check into that? I mean it's pretty easy (kinda). I would check into what is going out to them, but I don't have time for it. But when you think, would Yahoo do something like that for legal issues? Don't forget MyBlogLog is a bit*** to Yahoo now :) I was wondering how come that nobody as of yet check into that? I mean it’s pretty easy (kinda).

I would check into what is going out to them, but I don’t have time for it.

But when you think, would Yahoo do something like that for legal issues?

Don’t forget MyBlogLog is a bit*** to Yahoo now :)

]]> By: Paul Wright http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1776020 Paul Wright Tue, 20 Nov 2007 10:59:28 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1776020 Aaaand another thing: CoComment's use of injected javascript which is visible to the page itself presumably creates some interesting possibilities for malicious blog authors. We've <a href="http://www.oreillynet.com/pub/a/network/2005/11/01/avoid-common-greasemonkey-pitfalls.html" rel="nofollow">been here before with Greasemonkey</a>, right? I've not tried anything along these lines, so this is just speculation at the moment, but I'd expect the blog itself to be able to manipulate CoComment just as Cocomment can manipulate the blog. Aaaand another thing: CoComment’s use of injected javascript which is visible to the page itself presumably creates some interesting possibilities for malicious blog authors. We’ve been here before with Greasemonkey, right? I’ve not tried anything along these lines, so this is just speculation at the moment, but I’d expect the blog itself to be able to manipulate CoComment just as Cocomment can manipulate the blog.

]]> By: gregory http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1776006 gregory Tue, 20 Nov 2007 10:56:32 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1776006 sooo many back doors in this web thing... sooo many back doors in this web thing…

]]> By: Duncan Riley http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775895 Duncan Riley Tue, 20 Nov 2007 10:25:55 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775895 ok, so Marc says it's not BlogRovr and the MyBlogLog people say it's not them. Zoli only had these two installed...it has to be one of them now, doesn't it. Instead of defending each product (natural reaction) contact Citibank with a big WTF instead :-) ok, so Marc says it’s not BlogRovr and the MyBlogLog people say it’s not them. Zoli only had these two installed…it has to be one of them now, doesn’t it. Instead of defending each product (natural reaction) contact Citibank with a big WTF instead :-)

]]> By: Paul Wright http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775892 Paul Wright Tue, 20 Nov 2007 10:24:55 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775892 @John Ratcliffe-Lee This isn't Citibank's security hole, it's CoComment's. If you install the Firefox plugin for Cocomment, Cocomment's javascript is fetched from their server and executed on every page your browser loads. The referrer from the fetch tells Cocomment the URL of every page you visit, and you're allowing them to run arbitrary Javascript on that page, so I hope you trust them completely with any and all information you view on web pages. Anyway, when the Javascript runs, it'll try to identify forms on the page, and if you haven't explicitly blacklisted the site in Cocomment, it will do its best to put any form submissions you make into your Cocomment feed. This is what Cocomment is for, after all. Why are Cocomment doing it this way? I suppose that fetching the script from their server each time means its always up to date, so if they change it to recognise a new type of blog, you'll see that working straight away rather than having to update the extension. They also need to know every page you visit because they're also providing this "review/comment on any web page" function (where they store the comments on their server and you can see them when you visit a page). I think other people have tried that idea and found no-one cares, so for my money Cocomment would be better off sticking to what they're good at. How could they make this better? Well, pages which aren't publicly visible without a login shouldn't even have Cocomment's script running on them, at all, ever. The extension should check this and not even fetch the script (it's the fetch which gives away the URL, remember). Secondly, there should be the option of storing the blogs you want Cocomment to work on client-side, so that running the script is explicitly opt-in for a particular blog. For now, I'm just using Cocomment's bookmarklet instead, as I can use that when I want to record a comment (and give Cocomment explicit permission to see the page) and be left alone the rest of the time. This is annoying as I sometimes forget to use the bookmark, so I might get around to doing a whitelist with Greasemonkey if I get a moment. @John Ratcliffe-Lee

This isn’t Citibank’s security hole, it’s CoComment’s. If you install the Firefox plugin for Cocomment, Cocomment’s javascript is fetched from their server and executed on every page your browser loads. The referrer from the fetch tells Cocomment the URL of every page you visit, and you’re allowing them to run arbitrary Javascript on that page, so I hope you trust them completely with any and all information you view on web pages.

Anyway, when the Javascript runs, it’ll try to identify forms on the page, and if you haven’t explicitly blacklisted the site in Cocomment, it will do its best to put any form submissions you make into your Cocomment feed. This is what Cocomment is for, after all.

Why are Cocomment doing it this way? I suppose that fetching the script from their server each time means its always up to date, so if they change it to recognise a new type of blog, you’ll see that working straight away rather than having to update the extension. They also need to know every page you visit because they’re also providing this “review/comment on any web page” function (where they store the comments on their server and you can see them when you visit a page). I think other people have tried that idea and found no-one cares, so for my money Cocomment would be better off sticking to what they’re good at.

How could they make this better? Well, pages which aren’t publicly visible without a login shouldn’t even have Cocomment’s script running on them, at all, ever. The extension should check this and not even fetch the script (it’s the fetch which gives away the URL, remember). Secondly, there should be the option of storing the blogs you want Cocomment to work on client-side, so that running the script is explicitly opt-in for a particular blog.

For now, I’m just using Cocomment’s bookmarklet instead, as I can use that when I want to record a comment (and give Cocomment explicit permission to see the page) and be left alone the rest of the time. This is annoying as I sometimes forget to use the bookmark, so I might get around to doing a whitelist with Greasemonkey if I get a moment.

]]> By: vepa http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775537 vepa Tue, 20 Nov 2007 09:02:39 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775537 Thread is most people are not aware if any particular application or plugin can track their behavior. They install it because they are useful in some areas, like tracking visited blogs, and fully trust them, never questioning security. Thread is most people are not aware if any particular application or plugin can track their behavior. They install it because they are useful in some areas, like tracking visited blogs, and fully trust them, never questioning security.

]]> By: Marc A. Meyer http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775337 Marc A. Meyer Tue, 20 Nov 2007 07:08:21 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775337 Hi, Marc Meyer of BlogRovR here. Zoli has published a follow-up on his site regarding BlogRovR NOT being the cause of his strange error messages. # Zoli Erdos | November 19th, 2007 at 11:35 pm "Citi does not test for the presence of browser extensions: I just went back and tested it after uninstalling BlogRovr, then again with a vanilla IE7 and saw the same message, so it’s a generic warning. "This was at citicards.com, trying to send a customer service message, but I suppose the same situations applies to any site that offers message boxes." BlogRovR isn't looking at or recording anything like this. Hi, Marc Meyer of BlogRovR here. Zoli has published a follow-up on his site regarding BlogRovR NOT being the cause of his strange error messages.

# Zoli Erdos | November 19th, 2007 at 11:35 pm

“Citi does not test for the presence of browser extensions: I just went back and tested it after uninstalling BlogRovr, then again with a vanilla IE7 and saw the same message, so it’s a generic warning.

“This was at citicards.com, trying to send a customer service message, but I suppose the same situations applies to any site that offers message boxes.”

BlogRovR isn’t looking at or recording anything like this.

]]> By: Zoli Erdos http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775248 Zoli Erdos Tue, 20 Nov 2007 06:16:50 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775248 Yes, I also think the warning refers to browser plugins. I happen to have BlogRovr installed (testing), but I believe other services (c.comment? others?) also have plugins. Yes, I also think the warning refers to browser plugins. I happen to have BlogRovr installed (testing), but I believe other services (c.comment? others?) also have plugins.

]]> By: John Ratcliffe-Lee http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775145 John Ratcliffe-Lee Tue, 20 Nov 2007 05:13:16 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775145 Yes. It could and has. Several months ago, when I still used coComment & Citibank I encountered this exact situation and tried, sort of in vain, to get Citibank to recognize it: http://jratlee.tumblr.com/post/189652 & http://jratlee.tumblr.com/post/266136 Some of the links in those posts and others you'll find online might point to "journal.ratcliffe-lee.com" as the domain. I'm in the middle of changing things around and if you point it to "jratlee.tumblr.com" instead, it should work. Tom Biro also has more here: http://www.openthedialogue.com/2007/03/insecure_messaging_at_citibank.html http://www.openthedialogue.com/2007/03/citibank_followup_2.html http://www.openthedialogue.com/2007/03/cocomment_responsds_to_citiban.html http://www.openthedialogue.com/2007/03/followup_on_cocomment_citibank.html Yes. It could and has. Several months ago, when I still used coComment & Citibank I encountered this exact situation and tried, sort of in vain, to get Citibank to recognize it:

http://jratlee.tumblr.com/post/189652

&

http://jratlee.tumblr.com/post/266136

Some of the links in those posts and others you’ll find online might point to “journal.ratcliffe-lee.com” as the domain. I’m in the middle of changing things around and if you point it to “jratlee.tumblr.com” instead, it should work.

Tom Biro also has more here:

http://www.openthedialogue.com.....ibank.html

http://www.openthedialogue.com.....wup_2.html

http://www.openthedialogue.com.....tiban.html

http://www.openthedialogue.com.....ibank.html

]]> By: www.CARversation.com http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775133 www.CARversation.com Tue, 20 Nov 2007 05:08:19 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775133 that is insane, this needs to be fixed, i'm scared to even post on here that is insane, this needs to be fixed, i’m scared to even post on here

]]> By: Todd Sampson http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775105 Todd Sampson Tue, 20 Nov 2007 04:50:03 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775105 Niall Kennedy -- who is sitting next to me at the Google OpenSocial event -- pointed out that I left out my title on the above post. I am the Co-founder and CTO of MyBlogLog. Cheers, Todd Niall Kennedy — who is sitting next to me at the Google OpenSocial event — pointed out that I left out my title on the above post. I am the Co-founder and CTO of MyBlogLog.

Cheers,
Todd

]]> By: Daniel Ha http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775104 Daniel Ha Tue, 20 Nov 2007 04:50:01 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775104 The Citibank message would be referring to BlogRovr, not MyBlogLog. The Citibank message would be referring to BlogRovr, not MyBlogLog.

]]> By: Ian Kennedy http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775099 Ian Kennedy Tue, 20 Nov 2007 04:47:59 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775099 In order for MyBlogLog to capture user behavior such as comment text, the site would also have to be running the MyBlogLog widget. I think the message that Zoli describes is directed towards users running a browser-based plug-in which wouldn't require any site-specific script to be running. Ian Product Manager, MyBlogLog In order for MyBlogLog to capture user behavior such as comment text, the site would also have to be running the MyBlogLog widget. I think the message that Zoli describes is directed towards users running a browser-based plug-in which wouldn’t require any site-specific script to be running.

Ian
Product Manager, MyBlogLog

]]> By: Todd Sampson http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775083 Todd Sampson Tue, 20 Nov 2007 04:41:48 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775083 Strange note. The only thing that I can think is that Citibank is referring to browser plug-in comment tracking apps -- like Co-comment. As such, they can't be talking about MyBlogLog. The MyBlogLog app would need to be installed on the Citibank site for any usage tracking to occur. Cheers, Todd Strange note. The only thing that I can think is that Citibank is referring to browser plug-in comment tracking apps — like Co-comment. As such, they can’t be talking about MyBlogLog. The MyBlogLog app would need to be installed on the Citibank site for any usage tracking to occur.

Cheers,
Todd

]]> By: Chris Goffinet http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775047 Chris Goffinet Tue, 20 Nov 2007 04:19:40 +0000 http://www.techcrunch.com/2007/11/19/are-blog-tracking-services-a-security-risk-citibank-thinks-so/#comment-1775047 This must be why Citibank is tanking, everyone's incompetent! This must be why Citibank is tanking, everyone’s incompetent!

]]>