Monday, September 21, 2009

Security flaw puts White House website "at the mercy of"

The White House website devotes a significant chunk of its real estate to marketing the need "to protect cyberspace for what we use it for today and will need in the future."

While there is little doubt that said needs are real, it is truly ironic that suffers from a painfully amateurish security vulnerability.

The key weakness? The White House website includes a tracking library from The JavaScript library, created by "", is typically used to produce graphical "heat maps" that show which pages visitors are clicking.

<p class="subtxt">Signed: Thursday, January 29, 2009  </p>
<script type="text/javascript"
src=""> </script>

<div class="grdspan4" id="body_left">

<!-- mod-search332 -->

So who is "CrazyEgg"? A cursory review reveals that it appears to be a small company based in La Mirada, CA which markets graphical web analytic tools.

The name has a single IP address, but it reverse maps to Other DNS names map to this address including, and

Far be it from me to impugn the security practices of CrazyEgg, but the name doesn't exactly inspire confidence.

Why is including code from a less trusted, third-party website such a bad idea? As the Cyber Security Institute blog notes:

"By referring to javascript that’s hosted elsewhere, you’re basically at the mercy of that other organization... to not do evil with it,” says David Campbell, a security consultant and a leader of the Open Web Application Security Project ( (OWASP). "By... pointing to javascript from somewhere else, that vulnerability is there."

...Campbell and three other website security experts interviewed for this story say it would be trivial for anyone with control of the [remote JavaScript] file to hijack authentication cookies or other session variables used to validate users accessing [administration pages]."

Worse still, if malicious users were to compromise, they could do more than track and hijack visitor sessions. They could also deliver malware to every visitor to

In other words, the security of the White House website hinges on the goodwill and security practices of
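As an added illustration (not code from the original post), here is a small Python audit that performs the check the post makes by hand: parse a page's markup and list every script loaded from a host other than the page's own. The embedded sample page and its hostnames are constructed placeholders, and the scanner also handles relative and scheme-relative URLs, which the post's excerpt does not show.

```python
# Added example (not from the original post): list every <script src>
# a page loads from a host other than its own. Each such host can run
# arbitrary code in the page (read cookies, alter forms, serve payloads).
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def third_party_scripts(html, page_url):
    """Return (src, host) for scripts whose host differs from the page's.
    Relative srcs (no host) are same-origin and skipped."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = urlsplit(src).hostname  # scheme-relative "//host/.." works too
        if host is not None and host.lower() != page_host:
            findings.append((src, host.lower()))
    return findings


# Constructed sample page modelled on the include quoted in the post;
# hostnames are placeholders, not the real ones.
SAMPLE_HTML = """
<p class="subtxt">Signed: Thursday, January 29, 2009  </p>
<script type="text/javascript" src="/static/site.js"></script>
<script type="text/javascript"
src="//analytics-vendor.example/heatmap.js"> </script>
"""

if __name__ == "__main__":
    for src, host in third_party_scripts(SAMPLE_HTML, "https://site.example/"):
        print(f"third-party script from {host}: {src}")
```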

It's an astonishingly poor practice and should be addressed immediately.
