2018-02-11

ICO web site hacked?

The web site of the Information Commissioner's Office (www.ico.org.uk), the UK regulator for Data Protection and related matters, appears to be loading a crypto-mining script when you visit it.

But please, check for yourself: visit the site. In Safari, right-click and choose Inspect Element, click Resources and then Scripts, and there you will find it.


I can't claim credit for spotting this. @Scott_Helme on twitter drew my attention to it. He has managed to find a lot of sites running it.

But I can confirm I have checked, and it is true - but check for yourself.

P.S. The hack is in a third-party site (browsealoud.com) from which the ICO includes a script, but without any integrity check (Subresource Integrity, which lets a page pin the hash of the exact script it expects). If anyone should be "careful" and have proper "technical and organisational measures" in place, it is the ICO.

P.P.S. 15:30: it seems browsealoud.com have done something. They are now serving with an invalid certificate (odd), but that has the effect of stopping browsers from loading the script, so the issue is stopped.

A little more for my less technical friends.

When you visit a web site, a lot of things get loaded into your web browser in the background. These include images, stylesheets and scripts which do useful things. Sometimes these come from other web sites.

In this case the ICO have included a script from another site which does something useful: it is a tool that reads the page's text aloud for blind and partially sighted visitors. It is included in a lot of web pages.

However, someone has hacked that third-party web site, so now when you go to the ICO web site you get more than you bargained for.

The ICO could have protected you from this: there is a way (called Subresource Integrity) for them to tell your browser exactly which version of the script to expect, so it would refuse to load the hacked version. The ICO should really know about this and have done it, being, well, the ICO. They did not.

So what is this bad thing that you get? Well, it is not "infecting your computer", thankfully, but it is using your computer to "mine cryptocurrency". While the web page is open your computer will be slower, as it is doing a lot of work behind the scenes.

Explaining cryptocurrencies would take a while, but they are like money except that you can "create" it using computers. It normally takes a lot of computing power (and hence money for electricity) to create useful amounts. However, by harnessing the power of millions of computers that are simply visiting web sites, someone can make money using your computer. That is why they do this.

Is the A&A site OK? Well, yes: we use very few external scripts at all, and we don't use the one that has been hacked. However, we had not yet added these integrity checks either. We are actually working on a new web site, and so some "maintenance" things have been left behind a bit with "That'll be sorted with the new web site". This example shows how important that is, though, and it will be done shortly anyway. We really feel the ICO should have known better.

17 comments:

  1. Running third party scripts instead of just copying them.. and running them without even a basic md5 check to see if they've changed.

    You'd think the ICO would have the money to hire competent web developers..

    Replies
    1. You can add an integrity check where the browser loads the third party script to ensure it is not changed. ICO of all people should be up on this.

    2. Bunch of nhs trusts and council websites too. And the financial ombudsman..

      But then we live in a world where people suggest using curl | bash without irony. So maybe I shouldn't be surprised.

  2. Subresource Integrity checks only work in Firefox, Chrome and newer Safari. Users with Internet Explorer or Edge don't get working SRI and so aren't protected.

    One of my friends had a long complaint with ICO about a subscription magazine which spams people and doesn't even accept "Please remove me from your list" contact, ICO's response amounts to basically a mixture of sending the magazine emails saying "please don't do that, it's naughty" and plaintively asserting that they can't really enforce rules against any but the worst offenders because their budget isn't sufficient. Not great.

    Replies
    1. Surely they have a legally binding obligation to enforce the rules, whether they have claim to have the money or not? Surely this applies to the police too? If a police officer is informed of a criminal offence then surely he is in breach of his/her statutory duties if he/she fails to act on that report and to investigate it fully? Surely claiming to have no money is no excuse whatsoever?

    2. AFAICT, there is no such binding obligation - the police are at liberty to ignore crimes that they have personally witnessed, let alone ones that they are merely informed about.

      For example, if you're driving at 71 MPH on the motorway, you're speeding, and committing a criminal offence; however, the police are in the clear if you overtake them, but they ignore you (e.g. because they're doing 70 MPH, you're doing 75 MPH, but there's someone overtaking you at closer to 110 MPH).

  3. We had similar on one of our sites. A script our analytics agency had added pulled from a domain that has lapsed and been squatted on.
    First we knew was a bug saying "when you click X, nothing happens."
    They hadn’t noticed the pop unders.

  4. More info https://scotthelme.co.uk/protect-site-from-cyrptojacking-csp-sri/

5. The ICO is special and will never get into any trouble over this. As a government organization we do not check our website for naughty little pieces of JavaScript because internal policies don't require us to. *poker face*

  6. The irony is that yes, this could have been prevented with SRI, but as that would have stopped the script loading it would have also prevented the assistive technology it was there to support from working.

    This could easily have led to legal challenge from disability rights groups, so I guess it's a question of which is more illegal, mining Monero on visitors' computers or failing to provide accessibility features on a government website... I'm not actually sure which side of that would win out.

    Replies
    1. If stopping the script working could lead to a legal challenge from disability groups, so could taking it offline until Tuesday which is apparently what they have done: https://www.texthelp.com/en-gb/company/corporate-blog/february-2018/data-security-investigation-underway-at-texthelp/

    2. I now have someone ranting at me that your comment (jelv) has a malware link on it. If they read the blog and that page and actually checked they would see the ba.js link is in that page but that the ba.js link is simply a comment now and contains no malware, which is what the page is actually reporting that they have done! Crazy!

    3. Just to be clear, as I have had to explain this many times now. The link above in jelv's comment is (a) not a LINK, it is text in the comment, you would have to actively copy it in to your location bar to access the page, and (b) the page it links to NEVER had malware. It does link to a page, the very topic of this blog, which, until 15:30 on Sunday did have malware, but did not at the time of the comment or when the page mentioned was created. This is clear from my blog post if you read it, and the linked page which is actually reporting that they removed the malware! So I don't need people to keep telling me that Avast mis-reports it as having malware, honest.

    4. Taking it offline does not impact only one segment of society however, it impacts everyone so is not discrimination!

      That's probably why they did not just disable "browsealoud".

    5. Err, browsealoud took their bit off line first, then ICO took their whole site off line, and is now back without the browsealoud link in it.

7. My local UK council uses the "BrowseAloud" plugin, at least according to their accessibility page and backed up via https://publicwww.com/websites/browsealoud.com%2Fplus%2Fscripts%2Fba.js/ .

    This morning I sent them a question on Twitter and tonight they sent back a DM "we have concluded our investigation and our website providers have confirmed that our website has not been affected by the incident that occurred over the weekend".

    Is it wrong for me to assume they're lying, or could they really have succeeded where the ico.gov.uk failed?

    Replies
    1. Well, look at their site and see if the links to the ba.js file have the integrity checks. Even if they do, I understand not all browsers handle them, so anyone using that resource would have been vulnerable if using the wrong browser. Maybe ask them how they managed it?
