Potential Cross-Site Scripting Attack at RBC Royal Bank..?

Ask for help about NoScript, no registration needed to post
weeniebob

Potential Cross-Site Scripting Attack at RBC Royal Bank..?

Post by weeniebob » Tue Feb 06, 2018 7:58 am

Simply navigating to the Royal Bank sign-in page causes the following XSS Warning:

Image

At first glance it appears that my login credentials will be tried at 50+ semi-related websites, in the hopes that I'm reusing the same username/password... (or is that not what's going on here..?) If that IS what's happening, I'm assuming my online banking could be easily compromised too..?

(either way, I don't think I'll be paying any bills tonight..!)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0

User avatar
Giorgio Maone
Site Admin
Posts: 9029
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Potential Cross-Site Scripting Attack at RBC Royal Bank.

Post by Giorgio Maone » Mon Aug 27, 2018 9:57 pm

Hi, thank you for reporting,
I cannot reproduce because it seems to happen after the actual login (doens't happen with fake credentials, and the message points at a GET request: likely a post-login (stats tracking?) redirection, rather than the login submission itself, and a false positive.
Maybe I can take a look at the actual payload if you copy and paste it as text, after double checking that (as I believe) there are no credentials embedded into it.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0

User avatar
Just_Golem
Junior Member
Posts: 25
Joined: Tue Nov 28, 2017 11:04 am

Re: Potential Cross-Site Scripting Attack at RBC Royal Bank..?

Post by Just_Golem » Thu Feb 07, 2019 2:46 pm

Mister M,


I know this is an old post,... I also have the same question. I had this problem last summer and chose to Block permanently the XSS request. This week, I created a new VmWare KUbuntu install and needed to setup my bank again, and this XSS error still happens today.

Royal Bank login page, get XSS warning. I can reproduce XSS warning from many systems, and ISPs. (I have access to 2 ISPs and a bunch of computers). I copied the full link/XSS/code? provided by NoScript (similar to image above), (no sure how to offer it here without it creating a link to something bad).

My MAIN concern, (since I can chose to block that request without any noticeable side effect on Bank login/transactions), is the actual Names of the Sites that link is referencing. I see Yandex and Bank names from Russia, Sicily, France, then SignIn and Login words with references to Paypal and Facebook.

So my question is 3 folds
1- Can I post (and/or how-to) the actual Copied Text (code/LIVE link)
2- Would it help (you) see if this a solvable problem (false positive)?
3- "Could you help ME" see if the BUZZ words (links) are a sign of Danger/Hack with my bank?

PS my method to reproduce XSS warning:

Use Google to search for Royal Bank Canada, link should be RBCRoyalBank .com
From that page, click on Login button (top right)
This should send you to www1. royalbank. com/ cgi-bin/...etc..
NO need to fill in fields
Now I give Temporary NoScript permissions to all four of the domains one at the time
royalbank .com
ensighten .com
rbcroyalbank .com
and
rbc .com

When I grant RBC NoScript access, then XSS comes up.
Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0

User avatar
Just_Golem
Junior Member
Posts: 25
Joined: Tue Nov 28, 2017 11:04 am

Re: Potential Cross-Site Scripting Attack at RBC Royal Bank..?

Post by Just_Golem » Sun Feb 17, 2019 12:10 pm

hey group, is this forum still active??? Is Mr Maone still helping or working here???
Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0

barbaz
Senior Member
Posts: 9824
Joined: Sat Aug 03, 2013 5:45 pm

Re: Potential Cross-Site Scripting Attack at RBC Royal Bank..?

Post by barbaz » Sun Feb 17, 2019 12:42 pm

Just_Golem wrote:
Sun Feb 17, 2019 12:10 pm
hey group, is this forum still active??? Is Mr Maone still helping or working here???
This forum is still active. Giorgio is still around, but he's probably very busy.

As a start, does your bank site actually require ensighten to be allowed? Seems to be a tracker - https://better.fyi/trackers/ensighten.com/
Just_Golem wrote:
Thu Feb 07, 2019 2:46 pm
1- Can I post (and/or how-to) the actual Copied Text (code/LIVE link)
Try posting it in code tags (paste it, select what you pasted, then click the </> button above the textarea where you write your message).

If that still trips the spam filter, PM it to an active Mod (me, GµårÐïåñ, skriptimaahinen, therube, or Thrawn) and we'll try to post it for you. PMs to forum staff are not spam-filtered, and the spam filter is more lenient on us.
Just_Golem wrote:
Thu Feb 07, 2019 2:46 pm
2- Would it help (you) see if this a solvable problem (false positive)?
Yes
*Always* check the changelogs BEFORE updating that important software!
-

dbone0109

Re: Potential Cross-Site Scripting Attack at RBC Royal Bank..?

Post by dbone0109 » Tue Jan 26, 2021 7:42 pm

Thank you for this forum. I am posting my findings for end users who might not be network literate.

This past weekend I got the same NoScript window, as I just installed per Firefox recommendation NoScript extension.
Not seeing this forum first, I immediately got ahold of RBC online banking support regarding the NoScript window of all the financial websites displayed.

After two levels of general end-user support, and at my request, RBC transferred me to their IT support team.
I was concerned over the various around the world financial institutes displayed like Russia, etc when all I was doing was interacting with their online banking server to check my Visa account.

There was only arrogance from the IT RBC person not answering my question on "why the various financial signin sites listed in the Noscript window".
As he stated, they were on top of things and didn't need an end user's eyes or ears input on potential security issues.

I asked if there was an appropriate server that i could uplift the NoScript html file to for their post processing --- similar to high tech companies like Apple.
At least they have evidence of possible security breaches.
No was his answer.

The IT guy lectured me on my lack of Cross-Scripting knowledge and then abruptly hung-up. Not a pleasant support experience.
Their security support is very minimal, with no potential security facilities / reporting in place except by phone.
Their approach is bottom-up. Take up the issue at the branch level, and they will forward the report to the appropriate department.
RBC have plenty of online documents and forms on "how to lodge a complaint" but none specific to computer security issues: fraud yes but not technical.
There is no FAQes recommending cross-scripting protection, or examples of NoScript findings for their online banking clientel.

After this unsettling experience, i found your forum and posts comforting:
  • Your posts on potential credential leakage
    calmed my paranoia of potential RBC internal financial site data squirreling for future internal RBC personnel thieft?
From Firefox debug tool, the following was established:
  • 1) the Cross-scripting occurs WHEN THE "SIGNIN" button is clicked but before the user information is entered.
    2) There is a time lag on when the NoScript window pops up after the user credentials are inputted when the debug tool is not active.
    Per first post in this list.

Conclusion:
There is No Credential leakage as per previous posts.
I find it strange that this issue was reported in 2018, and still not corrected by RBC.
What RBC does with the "around the world financial websites" list is in their own internal software domain but having it publicly on display for possible other hackers to use is rather unsettling.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:78.0) Gecko/20100101 Firefox/78.0

Post Reply