Monday, September 21, 2009

Security flaw puts White House website "at the mercy of" CrazyEgg.com


The White House website devotes a significant chunk of its real estate to marketing the need "to protect cyberspace for what we use it for today and will need in the future."

While there is little doubt that said needs are real, it is truly ironic that WhiteHouse.gov suffers from a painfully amateurish security vulnerability.

The key weakness? The White House website includes a tracking library from cetrk.com. The JavaScript library, created by "CrazyEgg.com", is typically used to produce graphical "heat maps" that show which pages visitors are clicking.

<p class="subtxt">Signed: Thursday, January 29, 2009  </p>
</div>
<script type="text/javascript"
src="http://cetrk.com/pages/scripts/0010/4306.js"> </script>

</div>
<div class="grdspan4" id="body_left">

<!-- mod-search332 -->

So who is "CrazyEgg"? A cursory review reveals that it appears to be a small company based in La Mirada, CA which markets graphical web analytic tools.

The www.cetrk.com name has a single IP address, but it reverse maps to node9.crazyegg.com. Other DNS names map to this address including mail.cetrik.com, garm.cetrk.com and cetrk.com.

Far be it from me to impugn the security practices of CrazyEgg, but the name doesn't exactly inspire confidence.

Why is including code from a less trusted, third-party website such a bad idea? As the Cyber Security Institute blog notes:

"By referring to javascript that's hosted elsewhere, you're basically at the mercy of that other organization... to not do evil with it," says David Campbell, a security consultant and a leader of the Open Web Application Security Project (OWASP, http://www.owasp.org/). "By... pointing to javascript from somewhere else, that vulnerability is there."

...Campbell and three other website security experts interviewed for this story say it would be trivial for anyone with control of the [remote JavaScript] file to hijack authentication cookies or other session variables used to validate users accessing [administration pages]."

Worse still, if malicious users were to compromise cetrk.com, they could do more than track and hijack visitor sessions. They could also deliver malware to every visitor to WhiteHouse.gov.
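A check a site owner can run against their own page source to surface exactly this kind of dependency, added here as an example and not part of the original post: it lists every external script tag that is served from a host outside an assumed first-party list, is fetched over plain http, or carries no Subresource Integrity hash (the `integrity` attribute, which lets the browser refuse a script whose content has changed on the serving host). The sample HTML is constructed around the fragment quoted above, and the host list and the `sha384-PLACEHOLDER` value are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAuditor(HTMLParser):
    """Collect risky external <script src> tags while parsing an HTML document."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script: part of the page itself, not a remote dependency
        url = urlparse(src)
        host = (url.hostname or "").lower()
        if not host or host in self.first_party:
            return  # relative or first-party script: under the site owner's control
        issues = ["third-party host"]  # runs with the full privileges of the page
        if url.scheme == "http":
            issues.append("loaded over plain http")  # can be altered in transit
        if "integrity" not in a:
            issues.append("no SRI integrity attribute")  # content changes go unnoticed
        self.findings.append((src, issues))


def audit_scripts(html, first_party_hosts):
    """Return a list of (src, [issues]) for each risky external script tag."""
    parser = ScriptAuditor(first_party_hosts)
    parser.feed(html)
    return parser.findings


# Constructed sample modelled on the fragment quoted in the post (hosts assumed).
SAMPLE = """<div><p class="subtxt">Signed: Thursday, January 29, 2009</p></div>
<script type="text/javascript" src="http://cetrk.com/pages/scripts/0010/4306.js"> </script>
<script src="/js/site.js"></script>
<script src="https://www.whitehouse.gov/js/app.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>"""

if __name__ == "__main__":
    for src, issues in audit_scripts(SAMPLE, ["www.whitehouse.gov", "whitehouse.gov"]):
        print(f"{src}: {', '.join(issues)}")
```

On the sample, only the cetrk.com script is reported, with all three issues; the relative and first-party scripts are skipped.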

In other words, the security of the White House website hinges on the goodwill and security practices of CrazyEgg.com.

It's an astonishingly poor practice and should be addressed immediately.

