
Is it safe to fetch an image over plain http on a bank's home banking website?

I ask here instead of https://security.stackexchange.com/ because I don't think this question is on a professional level.

I just saw something weird on my bank's website: they are fetching an image from another domain, using http instead of https. On Firefox it raises a "mixed content" security alert; on Chrome it just shows an alert in the security tab.

This is the site: https://www.bancoprovincia.com.ar/Principal/BipPersonal

The unsafe content (an image) happens to be on the page just before the user logs in to his home banking. I was worried that some attacker could intercept the content and replace it with something that could be a security risk.

Any chance this is a security risk for the bank and its clients?

It's not a direct vulnerability, but still bad practice.

Some risks that come to mind:

  • An attacker with access to users' connections (man in the middle) could replace the image with a malicious one, exploiting potential zero-day (as yet unknown) flaws in the browser's or operating system's image processing libraries. This could lead to remote code execution on the client.

  • Replacing the image could also be used to facilitate phishing. The malicious image could tell the user to call a phone number because of some kind of a problem, etc.

  • It is an information leak. An attacker may receive information about users browsing to the bank website, and if the image is in a header included on all pages, they may also receive information about what the user does. This is inherently the case for every external site whose images are linked, even over https, but over http it also applies to any MitM attacker.

  • It is a potential availability problem. If the image on the external site times out (waits too long to download), the page will not load for some time in some browsers, and an attacker could exploit that. However, I think this is not affected by the image being served over plain http; it would affect an externally linked https image as well.

  • It's also a very bad practice, because instead of reinforcing good security habits in users, like always checking the browser's indications of a secure website, it is telling them that it's OK if there are warnings. It is not.
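For anyone auditing their own pages for the problem described in the question and answer, the following is an added example (not code from the original post or from the bank's site): a small scanner that resolves every subresource URL in an HTML document against the page URL and reports those a browser would fetch over plain http, including protocol-relative and srcset cases. The HTML and hostnames below are constructed for illustration; nothing is fetched from the network.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose URL the browser fetches as a subresource.
URL_ATTRS = {"img": ("src", "srcset"), "script": ("src",),
             "link": ("href",), "iframe": ("src",), "source": ("src", "srcset")}

class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, absolute URL) for every http:// reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or name not in URL_ATTRS.get(tag, ()):
                continue
            # srcset is a comma-separated list of "url descriptor" entries.
            entries = value.split(",") if name == "srcset" else [value]
            for entry in entries:
                parts = entry.split()
                if not parts:
                    continue
                # Resolve relative and protocol-relative (//host/...) URLs
                # against the page URL before inspecting the scheme.
                absolute = urljoin(self.page_url, parts[0])
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))

def find_mixed_content(page_url, html):
    """Return [(tag, attr, url), ...] for subresources fetched over http."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: one insecure image; the protocol-relative script and
# the https image both resolve to https and are not reported.
SAMPLE_HTML = """<html><head>
<script src="//cdn.example.net/app.js"></script></head><body>
<img src="http://static.example.net/banner.png" alt="promo">
<img src="https://static.example.net/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://bank.example/login", SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> -> {url}")
```

Running it against saved HTML of your own login page (or wiring it into a CI check) surfaces exactly the kind of http image the question describes before a browser warning does.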
