Dear FinTech companies, be careful with external scripts


Just last week I installed a Chrome extension called Privacy Badger. It is supposed to protect you from third-party scripts included on websites that might track you, and it does that by checking content loaded from other third-party domains. A side effect of the extension is that you suddenly begin to notice which sites include external scripts. I’d say I am not surprised by them on social media sites and other sites where I mostly consume content. They are used for videos hosted on YouTube, Facebook Like buttons, Disqus comment sections and so on.

What horrified me was the presence of third-party scripts on e-banking services and other financial sites where I interact with my account and the interaction can have consequences. These scripts are a huge security risk! Any third-party JavaScript loaded on a website runs with the same execution privileges as the site’s own code. This means that if just one of those third-party scripts gets compromised, every user of your financial service is at risk. And it gets even worse. Among the included third-party scripts I didn’t find only well-established addresses such as Bootstrap’s CDN. There were also links serving content directly from SVN repositories.
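The audit that the paragraph above implies is easy to automate. The following is an added example, not code from the original post: it takes the HTML of a page and the site’s own origin, lists every `<script src>` whose origin differs from the site’s, and records whether the tag carries an `integrity` attribute (the standard Subresource Integrity mechanism that pins an external script to a known hash). The sample HTML, the hostnames `bank.example`, `cdn.example.net` and `svn.example.org`, and the `sha384-PLACEHOLDER` hash are all constructed for the example.

```javascript
// Added example (not from the original post): audit an HTML document for
// <script src="..."> tags whose origin differs from the site's own origin.
// Every hit is code that runs with the same privileges as the site itself,
// so each one should be a conscious decision rather than a surprise.

const SCRIPT_TAG_RE = /<script\b([^>]*)>/gi;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const INTEGRITY_RE = /\bintegrity\s*=\s*(?:"([^"]*)"|'([^']*)')/i;

// Returns an array of { src, origin, hasIntegrity } for every external script.
function findExternalScripts(html, siteOrigin) {
  const site = new URL(siteOrigin);
  const findings = [];
  for (const match of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = match[1];
    const srcMatch = SRC_RE.exec(attrs);
    if (!srcMatch) continue; // inline <script>, nothing fetched from elsewhere
    const src = srcMatch[1] ?? srcMatch[2] ?? srcMatch[3];
    let resolved;
    try {
      // Resolving against the site origin handles relative ("/static/x.js")
      // and protocol-relative ("//host/x.js") URLs the same way a browser does.
      resolved = new URL(src, site);
    } catch {
      continue; // unparseable src attribute; skip rather than guess
    }
    if (resolved.origin === site.origin) continue; // served from our own host
    findings.push({
      src,
      origin: resolved.origin,
      hasIntegrity: INTEGRITY_RE.test(attrs),
    });
  }
  return findings;
}

// Constructed sample page: two first-party scripts, one inline script,
// one CDN script pinned with an integrity attribute, and one script pulled
// straight from a repository host with no integrity attribute at all.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://bank.example/static/vendor.js"></script>
<script>window.init = true;</script>
<script src="https://cdn.example.net/lib/bootstrap.min.js" integrity="sha384-PLACEHOLDER"></script>
<script src="//svn.example.org/trunk/widget.js"></script>
</head><body></body></html>`;

// Usage: list the external scripts the sample page would load.
for (const f of findExternalScripts(SAMPLE_HTML, "https://bank.example")) {
  console.log(`${f.origin}\t${f.hasIntegrity ? "integrity set" : "NO integrity"}\t${f.src}`);
}
```

Run against your own pages, the list should ideally be empty; if it is not, every remaining entry that lacks an `integrity` attribute is a script whose content can change under you without any signal.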

Dear companies, please serve all scripts from servers under your control. Saving some kilobytes of data traffic is not worth the risk of exposing your users to malicious code!