ADBLK-24: Barclays Bank Login Page Hangs



Issue Information

Issue Type: Bug
 
Priority: Major
Status: Closed

Reported By: Ben Tasker
Assigned To: Ben Tasker
Project: Adblock Lists (ADBLK)
Resolution: Fixed (2021-05-26 17:36:14)

Created: 2020-12-05 08:54:25


Description
Barclays, unfortunately, have quite a privacy (and arguably, security) hostile login page, as it runs a tracker.

However, it's not currently possible to enter details and log in because they've not coded that tracker defensively.

When you hit https://bank.barclays.co.uk/olb/authlogin/loginAppContainer.do#/identification the page will render, but if you try and click into a field to enter details (say, your last name), nothing will happen and keystrokes won't appear to register.

This is because, in the background, JavaScript is repeatedly trying to send events to /ftb/img/clarisite/cls_rpt.gif:
https://bank.barclays.co.uk/ftb/img/clarisite/cls_rpt.gif?v=2&sn=2&p=dc60c4b5-c132-454e-becb-cc1ecd8203d7&sp=%2Fidentification&e=kibg7o9s~22~-~Nm_GET*u_L2F1dGhsb2dpbi9wYXJ0aWFscy9oZWFkZXIuaHRtbD92PTE2MDM3MTIwMDc2ODI%3D*uh_-6yzndd*d_33*s_5k~-~-~~kibg7oa5~22~-~Nm_GET*u_L2F1dGhsb2dpbi9wYXJ0aWFscy9mb290ZXIuaHRtbD92PTE2MDM3MTIwMDc2ODI%3D*uh_-z3wd3z*d_3f*s_5k~-~-~~kibg7p0e~22~-~Nm_GET*u_L2F1dGhsb2dpbi9wYXJ0aWFscy9pZGVudGlmaWNhdGlvbi5odG1sP3Y9MTYwMzcxMjAwNzY4Mg%3D%3D*uh_rtrxke*d_tk*s_5k~-~-~~kibg7pef~27~-~-~co.3_MTV3XzF3~-~~kibg7peh~29~-~N15w_1w~ft.0_0~-~~kibg7pf6~35~-~N1_kibg7nqj*2_0*4_kibg7nqm*5_kibg7nqv*7_kibg7nqv*8_kibg7nr5*10_kibg7nrg*13_kibg7nss*15_kibg7nt7*17_kibg7nvx*19_kibg7o71*20_kibg7o71*21_kibg7o75*nt_0*rc_0*bt_1jr~vn.2_U3RlcCAxOiBZb3VyIGRldGFpbHMgLSBMb2dpbiAtIG15QmFyY2xheXM%3D~-~~kibg7pfk~22~-~Nm_POST*u_L29sYi9hdXRobG9naW4vY29udGVudC9TUlBGb290ZXJDb250ZW50Lmpzb24%3D*uh_p5hej0*d_15l*s_5k~-~-~~kibg7pgk~22~-~Nm_GET*u_L2F1dGhsb2dpbi9wYXJ0aWFscy9lcnJvci1tZXNzYWdlcy1iYWNrZW5kLmh0bWw%2Fdj0xNjAzNzEyMDA3Njgy*uh_-nlyyfw*d_13c*s_5k~-~-~~kibg7po4~22~-~Nm_POST*u_L29sYi9hdXRobG9naW4vY29udGVudC9Mb2dpblN0ZXAxTm9TYXZlZE1lbWJlckRlY291cGxlZC5qc29u*uh_-xsx3eu*d_1au*s_5k~-~-~~kibg7poo~22~-~Nm_POST*u_L29sYi9hdXRobG9naW4vYnJvd3NlckRhdGEuanNvbg%3D%3D*uh_jufh1n*d_1bd*s_5k~-~-~~kibg7pov~34~-~NcGFnZU5hbWU%3D_b25sOmxvZ29uOkxvZ2luTG9naW46U3RlcDFZb3VyRGV0YWlsc0xvZ2luTXlCYXJjbGF5cw%3D%3D~-~-~~kibg7qi9~29~-~N15w_1w~ft.0_0~-&clsjsv=5.6.150B55&pid=dc60c4b5-c132-454e-becb-cc1ecd8203d7


However, this path is blocked in the EasyPrivacy List.

The calls are triggered after calls to smetrics.barclays.co.uk like the one below:
https://smetrics.barclays.co.uk/b/ss/barukprod/1/H.25.1/s05467886217368?AQB=1&ndh=1&t=5%2F11%2F2020%208%3A42%3A17%206%200&ns=barclaysuk&cdp=3&g=https%3A%2F%2Fbank.barclays.co.uk%2Folb%2Fauthlogin%2FloginAppContainer.do%23%2Fidentification&cc=GBP&c16=%2Folb%2Fauth%2FLoginLink.action&c17=D%3Dc16&pe=lnk_o&pev2=Onl%3AStep1WhoAreYouLogInMyBarclays%3Alogon%3ALogin%3AmembershipNumber&s=1920x1080&c=24&j=1.6&v=N&k=Y&bw=1920&bh=852&p=Chromium%20PDF%20Plugin%3BChromium%20PDF%20Viewer%3B&AQE=1


Blocking this domain in its entirety resolves the issue.

Based on the path name, and filenames, the underlying "solution" is probably Clarisite Analytics (well, Glassbox now - https://glassboxdigital.com/ ) version 5.6.15.
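
To see what the blocked beacon reports, the following added example (not part of the original issue or of the adblocklists repo) decodes a trimmed excerpt of the cls_rpt.gif URL quoted above. The payload layout is inferred from that URL rather than from vendor documentation, and `decodeBeacon` is a hypothetical helper name; it runs under Node.js.

```javascript
// Trimmed excerpt of the cls_rpt.gif beacon quoted in this issue (three of its events).
const BEACON =
  "https://bank.barclays.co.uk/ftb/img/clarisite/cls_rpt.gif?v=2&sn=2&sp=%2Fidentification&e=" +
  "kibg7o9s~22~-~Nm_GET*u_L2F1dGhsb2dpbi9wYXJ0aWFscy9oZWFkZXIuaHRtbD92PTE2MDM3MTIwMDc2ODI%3D*uh_-6yzndd*d_33*s_5k~-~-" +
  "~~kibg7pef~27~-~-~co.3_MTV3XzF3~-" +
  "~~kibg7poo~22~-~Nm_POST*u_L29sYi9hdXRobG9naW4vYnJvd3NlckRhdGEuanNvbg%3D%3D*uh_jufh1n*d_1bd*s_5k~-~-";

// Inferred layout (assumption, not vendor documentation): events are joined by "~~",
// fields inside an event by "~"; field 0 is a base36 millisecond timestamp, field 1 an
// event type, and request events carry "N" + key_value pairs joined by "*" in field 3.
function decodeBeacon(beaconUrl) {
  const payload = new URL(beaconUrl).searchParams.get("e") || "";
  const requests = [];
  for (const event of payload.split("~~")) {
    const fields = event.split("~");
    const body = fields[3] || "";
    if (!body.startsWith("N")) continue; // no key_value body in this event
    const pairs = {};
    for (const item of body.slice(1).split("*")) {
      const cut = item.indexOf("_");
      if (cut > 0) pairs[item.slice(0, cut)] = item.slice(cut + 1);
    }
    if (!pairs.m || !pairs.u) continue; // not a request-reporting event
    requests.push({
      time: new Date(parseInt(fields[0], 36)).toISOString(),
      type: fields[1],
      method: pairs.m,
      // "u" holds the requested path, base64-encoded
      path: Buffer.from(pairs.u, "base64").toString("utf8"),
    });
  }
  return requests;
}

for (const r of decodeBeacon(BEACON)) console.log(r.time, r.method, r.path);
```

Run against the excerpt, it lists the time, HTTP method and path of each request the login app made, which is what the tracker was relaying back in each beacon.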



Activity


If you leave the page dormant in a tab for a while, and then go back, the JS gives up and you can enter details.

There's an event that fires, trying to report back to cls_rpt.gif whenever you bring any form element into focus.

Have added a domain block for smetrics.barclays.co.uk along with an explicit path block for bank.barclays.co.uk/ftb/img/clarisite so that if this comes up again, it'll be easier to refer back to this issue.

With those blocked, the login page functions without issue.

https://github.com/bentasker/adblocklists/commit/58c07008c4134f94c466a82843bba90737b8be2d

Repo: adblocklists
Commit: 58c07008c4134f94c466a82843bba90737b8be2d
Author: B Tasker <github@<Domain Hidden>>

Date: Sat Dec 05 09:03:48 2020 +0000
Commit Message: ADBLK-24 Block Barclays analytics/metrics domains - it causes login page hangs



Modified (-)(+)
-------
config/manualblocks/00_general.txt
config/manualpages.txt





A few months after this, MISC-45 was raised - it's possible that blocking clarisite didn't resolve things here; it was just that on the retry, their blocking behaviour had stopped.

Either way, Barclays' login page seems to be actively security and privacy hostile; there's a lot of reliance on third parties.
btasker changed status from 'Open' to 'Resolved'
btasker added 'Fixed' to resolution
btasker changed status from 'Resolved' to 'Closed'