Comments on: Blog Tracking Services Compromise Online Bank Security?

By: NexGen Technology Blog » Are Blog Tracking Services A Security Risk? Citibank Thinks So

Tue, 20 Nov 2007 17:50:16 +0000

[...] Erdos uses both MyBlogLog and BlogRovr and got a rather interesting message whilst trying to log into [...]

By: Zoli Erdos

Zoli Erdos — Tue, 20 Nov 2007 06:35:24 +0000

Citi does not test for the presence of browser extensions: I just went back and tested it after uninstalling BlogRovr, then again with a vanilla IE7 and saw the same message, so it’s a generic warning.

This was at citicards.com, trying to send a customer service message, but I suppose the same situations applies to any site that offers message boxes.

By: Zoli Erdos

Zoli Erdos — Tue, 20 Nov 2007 06:23:08 +0000

Yes, I also thought they were referring to trackers that come with a browser plug-in. In this case I was using FireFox and there is a BlogRovr plugin, which I was testing… and, like Niall points out, coComment has a plugin, too, and who knows whatever else. Not very reassuring… I’m turning BlogRovr off.

By: Todd Sampson

Todd Sampson — Tue, 20 Nov 2007 04:44:35 +0000

I am pretty sure that Niall is right. It is the only thing that makes sense. MyBlogLog and other web-based services would need to be installed on the Citibank site itself for any usage tracking to occur.

Cheers,
Todd

By: Niall Kennedy

Niall Kennedy — Tue, 20 Nov 2007 04:40:49 +0000

I am guessing Citibank is warning you about the Firefox extensions and other browser modifications that may scan the page looking for actionable objects. A service such as coComment might sniff for comment boxes such as this one looking for an opportunity to send that comment field to its remote web service for storage and indexing.

Were you running Firefox? The Citibank page could look for certain JS variables present in the DOM and send you a warning. Gmail currently issues tips/warnings for its members with Firebug turned on for example.

By: TechCrunch: Are Blog Tracking Services A Security Risk? Citibank Thinks So

TechCrunch: Are Blog Tracking Services A Security Risk? Citibank Thinks So — Tue, 20 Nov 2007 03:59:51 +0000

[...] Erdos uses both MyBlogLog and BlogRovr and got a rather interesting message whilst trying to log into [...]

By: Voyagerfan5761

Voyagerfan5761 — Mon, 19 Nov 2007 06:00:26 +0000

No service I know of could steal data from a banking site, but I’m no more security expert than you, so…

By: Paul

Paul — Mon, 19 Nov 2007 03:27:19 +0000

It could well be a threat vector. Essentially it turns a one way service into a two way