Barclays Bank Using Internet Archive as CDN for JavaScript Files?

394 points, by ziodave, almost 5 years ago

16 comments

rvnx, almost 5 years ago
It's cute but probably just a consequence of a content editor at Barclays who has copy-pasted some old content.

A technical solution could be to add a strict CSP policy, but in general the problem is broader and applies to a lot of banks.

The real issue is that banks (and it's not specific to Barclays) are loading JavaScript code from third parties.

The fact that it is the Internet Archive (yet another Internet cache) is not more worrying than GoogleUserContent.com, for example.

Otherwise, the "asking money for redemption/forgiveness" part to Barclays is a bit borderline in my opinion.
billpg, almost 5 years ago
"We need to roll back (JS file) to an earlier version."

"Which one?"

"The one at (archive URL)."

"I'm on it."
giancarlostoro, almost 5 years ago
Internet Archive as version control, I love it. There are some good comments in there; one guy determined it had been like this for a month, yikes. Peer review, anybody? Or maybe they only have one web dev and he's a junior, so the seniors don't inspect it as harshly.
miga, almost 5 years ago
It is extremely concerning, because it indicates how quality control is abandoned in the search for ever lower costs. Embarrassing if one considers that most of these issues should be caught by automation before code review even happens.

Such a symptom indicates an extremely sloppy development process and low security culture. It would be interesting to use such fragmentary news to correct stock pricing, with respect to current management and processes.
jmvoodoo, almost 5 years ago
This reminds me of the time I caught my mortgage lender using JavaScript loaded directly from a GitHub repo on their mortgage application process. I reported it to them and they didn't understand the problem.
HenryBemis, almost 5 years ago
Anyone from the Barclays UK internal (IT) audit team reading this? I wonder what your scope is when you run audits on your webs... Also, that vulnerability scanner and pentester... what kind of reports do they issue that they don't mention this JS source??
robflaherty, almost 5 years ago
The Internet Archive rewrites the contents of scripts to inject the archive URLs. A better explanation than OP's clickbait is that someone went to the archive to copy/paste misplaced tracking code.
chaz6, almost 5 years ago
From a security standpoint it is not unsafe to reference resources on an untrusted third party so long as you use subresource integrity. [1]

[1] https://www.w3.org/TR/SRI/
gregsadetsky, almost 5 years ago
Ooh, this reminds me that I saw a file being included straight from github.com on flyporter.com (Canadian regional airline).

Actually, extremely weirdly, they didn't include the "actual" file (the raw version of it) but ... they included the GitHub page in the <script> tag...??

Go through a checkout on flyporter.com (use dates > Aug 31st as they're resuming service then) and you'll see

`<script src="https://github.com/furf/jquery-ui-touch-punch/blob/master/jquery.ui.touch-punch.js"></script>`

in the source code, which makes no sense (try that URL in your browser!)

I contacted everyone I could find on LinkedIn who's working as CTO/CIO/etc. there, AND emailed them, but never heard back. (This was 9 months ago... the issue is still there.)

Isn't this how the British Airways checkout ended up being hacked?
pier25, almost 5 years ago
A bit off topic but... my bank renewed its web app a couple of years ago and still uses jQuery v1.

I imagine they invested in auditing it and keep using the audited version...

Is this very common?
MattGaiser, almost 5 years ago
I used to work for a bank. I suspect that they found it near impossible to get $50 for a CDN approved.
jgalt212, almost 5 years ago
For sites with a large % of the same people coming back on a daily or weekly basis, there's probably not much to be gained by serving static files from a CDN.
awadheshv, almost 5 years ago
Putting an executable JS file under /content/dam is pretty much a crime when you are working with Adobe Experience Manager.
pldr1234, almost 5 years ago
Post titles like these always completely overscope the action.

Something more accurate would read "A team at Barclays Bank".
eska, almost 5 years ago
It's really annoying how people like him blow these things out of proportion to shame and extort companies. Seems like he didn't even make a serious attempt to message them.
gpmcadam, almost 5 years ago
> Barclays Bank Using Internet Archive as CDN for JavaScript Files

The original title is disingenuous; you're assuming they did this on purpose when they very likely made an error.