The White House website devotes a significant chunk of its real estate to marketing the need "to protect cyberspace for what we use it for today and will need in the future."
While there is little doubt that said needs are real, it is truly ironic that WhiteHouse.gov suffers from a painfully amateurish security vulnerability.
Excerpt from the WhiteHouse.gov page source:

```html
<p class="subtxt">Signed: Thursday, January 29, 2009 </p>
<div class="grdspan4" id="body_left">
<!-- mod-search332 -->
```
So who is "CrazyEgg"? A cursory review reveals that it appears to be a small company based in La Mirada, CA which markets graphical web analytic tools.
The www.cetrk.com name has a single IP address, but it reverse maps to node9.crazyegg.com. Other DNS names map to this address including mail.cetrik.com, garm.cetrk.com and cetrk.com.
Far be it from me to impugn the security practices of CrazyEgg, but the name doesn't exactly inspire confidence.
Why is including code from a less trusted, third-party website such a bad idea? As the Cyber Security Institute blog notes:
Worse still, if malicious users were to compromise cetrk.com, they could do more than track and hijack visitor sessions. They could also deliver malware to every visitor to WhiteHouse.gov.
In other words, the security of the White House website hinges on the goodwill and security practices of CrazyEgg.com.
It's an astonishingly poor practice and should be addressed immediately.
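One way a site operator can catch this class of dependency before it ships is to audit the page source for script includes served from hosts outside the site's own domain and to emit a Content-Security-Policy that only permits reviewed hosts. The following is an added example, not code from the original post or from the White House site; the sample HTML, the `static.whitehouse.gov` subdomain and the tracker path on cetrk.com are constructed for illustration.

```python
# Added example (not from the original post): find <script src> includes
# that load code from third-party hosts, and build a CSP script-src
# directive that allows only the site itself plus explicitly reviewed hosts.
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def third_party_script_hosts(html, site_host):
    """Return the sorted hosts serving scripts that are not site_host or a subdomain of it."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.srcs:
        host = urlparse(src).hostname   # handles http://, https:// and protocol-relative //host/
        if host is None:
            continue                    # relative path: served by the site itself
        host = host.lower()
        if host == site_host or host.endswith("." + site_host):
            continue
        hosts.add(host)
    return sorted(hosts)


def unreviewed_script_hosts(html, site_host, reviewed_hosts):
    """Third-party script hosts that nobody has signed off on; should be empty before release."""
    return [h for h in third_party_script_hosts(html, site_host) if h not in reviewed_hosts]


def script_src_policy(reviewed_hosts):
    """CSP script-src directive: the site's own origin plus reviewed hosts, nothing else."""
    return "script-src " + " ".join(["'self'"] + [f"https://{h}" for h in sorted(reviewed_hosts)])


# Constructed sample page: one relative include, one first-party subdomain, one third party.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://static.whitehouse.gov/js/menu.js"></script>
<script type="text/javascript" src="http://www.cetrk.com/placeholder-tracker.js"></script>
</head><body><p class="subtxt">Signed: Thursday, January 29, 2009</p></body></html>"""

if __name__ == "__main__":
    print(unreviewed_script_hosts(SAMPLE_HTML, "whitehouse.gov", set()))   # ['www.cetrk.com']
    print(script_src_policy(set()))                                         # script-src 'self'
```

With the directive deployed, a browser refuses to execute script from any host not listed, so a compromise of an unlisted tracker host cannot inject code into the page.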