EDIT August 11, 2020: Boursorama no longer leaks your login data to AT Internet and Smart AdServer.
Data sent to AT Internet now goes through the domain c0012.brsimg.com, and data sent to Smart AdServer through several domains, including ww16.smartadserver.com. Because these hostnames sit outside boursorama.com, the browser no longer attaches Boursorama's authentication cookies (scoped to the boursorama.com domain) to the tracking requests, so AT Internet and Smart AdServer no longer receive them.
The correction took place before August 4; see this response from Boursorama. Also note Boursorama's transparency in this late response. Boursorama now also respects your choice if you refuse to be tracked on the web (except for AT Internet, which has a CNIL exemption). Not everything is perfect: Boursorama still takes a hostile stance toward adblock users, and does not let you refuse tracking in its iOS app, but this is already a major step forward. Customer emails, articles and tweets (the CNAME problem on Boursorama was already known in November 2019) no doubt helped get Boursorama moving.
Boursorama tracks you in the customer area of its website
Boursorama operates a very popular and efficient online bank, Boursorama Banque. It exceeded 2 million customers at the end of 2019. As a customer, I wanted to check whether the Boursorama Banque website was leaking my personal data. You can do the same by following these steps:
- Disable your adblocker.
- Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data).
- Open the Chrome developer tools (⌘+Option+J on Mac, Ctrl+Shift+J on Windows) and select the "Network" tab, or launch Charles Proxy.
- Then go to the login page for your Boursorama Banque customer account and log in.
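The four steps above leave you reading the capture by eye. As an added example (not code from the original post), here is a small Python script that does the same triage over a HAR export, which both Chrome's Network tab ("Save all as HAR with content") and Charles Proxy ("Export Session" as HAR) can produce; the same script serves for the iPhone-app capture later on and for comparing captures taken before and after refusing tracking. The HAR fragment, the cookie names (SESSION_ID, pref, atidvisitor, khaos) and the paths inside it are constructed for illustration and are not Boursorama's real ones; ssp.rubicon.example is a placeholder host.

```python
"""Triage of a HAR capture: hosts contacted, first vs third party by hostname,
and which cookie names the browser attached to each host.

Added example, not code from the original post. The HAR fragment below is
constructed by hand; cookie names, values and paths are placeholders, not
Boursorama's real ones, and ssp.rubicon.example is an invented host.
"""
import json
from urllib.parse import urlsplit

SITE_DOMAIN = "boursorama.com"   # registrable domain of the site under test

# Constructed HAR fragment (hypothetical cookie names, values and paths).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://clients.boursorama.com/connexion/",
                 "cookies": [{"name": "SESSION_ID", "value": "s3cr3t"},
                             {"name": "pref", "value": "fr"}]}},
    {"request": {"url": "https://c0011.boursorama.com/hit.xiti?s=123",
                 "cookies": [{"name": "SESSION_ID", "value": "s3cr3t"},
                             {"name": "pref", "value": "fr"},
                             {"name": "atidvisitor", "value": "abc"}]}},
    {"request": {"url": "https://ads.boursorama.com/call/pubjs",
                 "cookies": [{"name": "SESSION_ID", "value": "s3cr3t"},
                             {"name": "pref", "value": "fr"}]}},
    {"request": {"url": "https://ssp.rubicon.example/bid",   # placeholder host
                 "cookies": [{"name": "khaos", "value": "r"}]}},
    {"request": {"url": "https://cdn.trustcommander.net/tag.js",
                 "cookies": []}},
]}})


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.net; use the Public
    Suffix List (the `tldextract` package) for anything serious."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage_har(har_text: str, site_domain: str = SITE_DOMAIN) -> dict:
    """Return {host: {"first_party": bool, "requests": int, "cookies": [names]}}.

    "first_party" is judged by hostname only. A CNAME-cloaked tracker such as
    c0011.boursorama.com looks first party here; resolving the CNAME is a
    separate check.
    """
    report = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        rec = report.setdefault(host, {
            "first_party": registrable_domain(host) == site_domain,
            "requests": 0, "cookies": set()})
        rec["requests"] += 1
        rec["cookies"].update(c["name"] for c in req.get("cookies", []))
    for rec in report.values():
        rec["cookies"] = sorted(rec["cookies"])
    return report


def recipients_of(report: dict, cookie_name: str, login_host: str) -> list:
    """Hosts other than the login host that received `cookie_name`.
    Anything in this list can replay that cookie if it logs request headers."""
    return sorted(h for h, rec in report.items()
                  if h != login_host and cookie_name in rec["cookies"])


def third_party_hosts(report: dict) -> list:
    """Hosts whose registrable domain differs from the site's."""
    return sorted(h for h, rec in report.items() if not rec["first_party"])


if __name__ == "__main__":
    rep = triage_har(SAMPLE_HAR)
    for host, rec in sorted(rep.items()):
        kind = "1st" if rec["first_party"] else "3rd"
        print(f"{kind} {host:32} {rec['requests']:2} req  cookies={rec['cookies']}")
    print("SESSION_ID also sent to:",
          recipients_of(rep, "SESSION_ID", "clients.boursorama.com"))
```

Run it against a real export by replacing SAMPLE_HAR with the file's contents; the line to look at is the list of hosts, other than the login host, that received the session cookie.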
Surprise, Boursorama Banque is tracking you in the customer area:

Here are the companies that collect your personal data:
- AT Internet: via c0011.boursorama.com (we will come back to this subdomain, which looks innocuous at first glance). A long-established French analytics company, formerly named Xiti, it collects all of your browsing activity along with your device's characteristics. The analytics tool lets Boursorama analyze user journeys and improve the experience on its website.
- Smart AdServer: a French company offering a publisher ad server and an advertising inventory monetization solution (SSP). What is the point of calling an advertising solution in a customer area that shows no advertising?
- Rubicon: an advertising inventory monetization solution (SSP), recently merged with Telaria to form Magnite. Here again, it is not clear why Boursorama is calling an advertising solution.
- Commanders Act: via trustcommander.net. Formerly TagCommander, this French company offers several products, including historically a "Tag Manager" (lets marketing teams trigger tags without involving developers, a real "Trojan horse" for marketing teams), a "Customer Data Platform" (centralizes your personal data) and a "Consent Management Platform" (a solution for collecting consent).
AT Internet and Smart AdServer can connect to your Boursorama Banque account
The integration of AT Internet's trackers is not directly visible in the requests sent from your computer. You can see requests to c0011.boursorama.com, but you have to dig deeper to realize that this subdomain is not operated by Boursorama: Boursorama has delegated it to AT Internet. How? Through a CNAME record (an alias) pointing to a domain managed by AT Internet. You can check the CNAME record with any online DNS lookup tool (or with dig):
[Screenshot: CNAME lookup for c0011.boursorama.com, pointing into at-o.net]
Then check who owns the at-o.net domain with a WHOIS lookup:
[Screenshot: WHOIS record for at-o.net]
AT Internet therefore hides inside Boursorama: a Boursorama subdomain that attracts no attention (c0011.boursorama.com) but points to an obscure domain (at-o.net). Further down the chain, AT Internet hides behind AWS hostnames, whose WHOIS records show only Amazon; the CNAME record is the only thread leading back to the real recipient of the requests:
[Screenshot: WHOIS lookup showing Amazon Web Services]
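An added example (not from the original post) of automating the check above: follow the CNAME chain of each candidate hostname and flag any first-party-looking name whose chain leaves the site's registrable domain. The record table is constructed; the only facts taken from this post are that c0011.boursorama.com is aliased into at-o.net, that the chain continues to AWS, and that ads.boursorama.com is delegated to Smart AdServer in the same way. Every label starting with "placeholder" is invented, and the optional live lookup assumes BIND's `dig` is installed.

```python
"""Detect CNAME cloaking: a hostname under the site's own domain whose CNAME
chain ends up at someone else's domain.

Added example, not code from the original post. RECORDS is a constructed
zone table; every label starting with "placeholder" is invented. Only
live_cname() touches the network, and it assumes `dig` is on PATH.
"""
import subprocess

SITE_DOMAIN = "boursorama.com"

# Constructed CNAME table: name -> CNAME target, or None when the name has
# no CNAME (it resolves directly to an address).
RECORDS = {
    "c0011.boursorama.com": "placeholder-collect.at-o.net",
    "placeholder-collect.at-o.net": "placeholder-lb.eu-west-1.elb.amazonaws.com",
    "ads.boursorama.com": "placeholder-diff.smartadserver.com",
    "clients.boursorama.com": None,                           # genuine first party
    "www.boursorama.com": "placeholder-cdn.boursorama.com",   # in-domain alias, fine
}


def normalize(name: str) -> str:
    return name.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); use the Public Suffix List in real tooling."""
    return ".".join(normalize(host).split(".")[-2:])


def cname_chain(host: str, records: dict, max_hops: int = 10) -> list:
    """Names visited while following CNAMEs from host, host first.
    Raises ValueError on a loop or an over-long chain."""
    chain = [normalize(host)]
    while True:
        target = records.get(chain[-1])
        if target is None:
            return chain
        target = normalize(target)
        if target in chain:
            raise ValueError(f"CNAME loop at {target}")
        if len(chain) >= max_hops:
            raise ValueError(f"CNAME chain from {host} exceeds {max_hops} hops")
        chain.append(target)


def is_cloaked(host: str, site_domain: str, records: dict) -> bool:
    """True when host sits under site_domain but some hop of its CNAME chain
    leaves that domain: the requests, and every cookie scoped to site_domain,
    land on a third party's server while looking first party to the browser."""
    chain = cname_chain(host, records)
    if registrable_domain(chain[0]) != site_domain:
        return False          # overtly third party, nothing is hidden
    return any(registrable_domain(n) != site_domain for n in chain[1:])


def cloaked_hosts(hosts, site_domain: str, records: dict) -> list:
    return sorted(h for h in hosts if is_cloaked(h, site_domain, records))


def live_cname(host: str):
    """Direct CNAME target of host via `dig +short CNAME`, or None.
    Assumes BIND's dig is on PATH and the network is reachable; build a
    records dict from repeated calls and feed it to cname_chain()."""
    out = subprocess.run(["dig", "+short", "CNAME", host],
                         capture_output=True, text=True, check=False).stdout
    lines = out.strip().splitlines()
    return normalize(lines[0]) if lines else None


if __name__ == "__main__":
    for h in sorted(RECORDS):
        print(f"{h:32} cloaked={is_cloaked(h, SITE_DOMAIN, RECORDS)!s:5} "
              f"chain={' -> '.join(cname_chain(h, RECORDS))}")
```

The check deliberately flags any hop that leaves the site's domain, not just the last one: a chain that passes through a third party's name already hands that third party the traffic, whatever it ends on. Note that www.boursorama.com, aliased to another boursorama.com name, is correctly left alone.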
This hidden presence of AT Internet (formerly Xiti) on Boursorama Banque had already been spotted by the excellent Aeris in November 2019, and Boursorama still had not done anything about it:
[Screenshot: Aeris's tweet from November 2019]
Why does AT Internet offer this option and why is it adopted by Boursorama? If you read AT Internet's documentation on the “custom domain” (CNAME), the goal is simple: to bypass browser and adblocker protections:
To guarantee data collection under the best conditions, we offer the sending of hits to our servers with a CNAME from one of your subdomains. By using a custom domain, you keep your hits, and by keeping your SLAs, you can even benefit from the best cookie configuration (ITP).
By "you keep your hits", read: adblockers will not necessarily be up to date and will probably not block the requests. Filter lists match hostnames, and a freshly created first-party subdomain such as c0011.boursorama.com is on no list until someone spots and reports it (no luck for Boursorama: uBlock Origin does block c0011.boursorama.com).
By "you can even benefit from the best cookie configuration (ITP)", you should understand that, because AT Internet cookies are associated with the site's domain (1st party), they are not blocked by browser mechanisms designed to protect your privacy, such as Safari Intelligent Tracking Prevention (ITP). AT Internet comes back to this point in its article:
Browsers like Safari now require cookies to be first-party (deposited from the current domain), server-side (deposited by a server, not by JavaScript) and secure (https). To meet these expectations, we provide a configuration that avoids potential restrictions or blocks impacting your analytics.
AT Internet does not mention the security risks of the CNAME setup. And yet, as we have already seen in the case of Criteo and as Aeris explained earlier, they are considerable. Unless the partner site has taken precautions, the browser sends the CNAME'd host every cookie scoped to the parent domain, so AT Internet can read every cookie placed on boursorama.com, not just the cookies it created itself. So let's look at the cookies your browser sends to AT Internet via the domain c0011.boursorama.com:
[Screenshot: cookies sent with a request to c0011.boursorama.com]
Thus AT Internet has access to all cookies placed on the domain name boursorama.com, including the cookies that keep you logged in... Let's check whether someone who obtains the value of these cookies can hijack your Boursorama Banque account:
- Disable your adblocker.
- Launch Charles Proxy then connect to your Boursorama Banque customer account via Chrome.
- Retrieve cookies sent to c0011.boursorama.com via Charles Proxy.
- Clear all Chrome browsing data.
- Go to https://clients.boursorama.com/; you are indeed logged out of Boursorama Banque.
- Use the Chrome extension EditThisCookie to create or update the Boursorama cookies with the captured values (each cookie has to be configured individually).
- Refresh the page, and you are logged in!
Your session expires after a while, so AT Internet would have to act quickly to take advantage of it. Still, this means that a malicious AT Internet employee could connect to anyone's Boursorama Banque account. This is a theoretical threat, of course: the employee would need the technical skills and the right authorization level to read the server logs. Note, though, that the session cookie is a bearer token (whoever presents it is logged in, with no password or second factor asked), that it arrives in the Cookie header of every hit AT Internet receives, and that anyone else able to read those requests or logs, for instance an attacker who has compromised AT Internet's servers, is in the same position as that employee. The fact remains: the bank details of more than 2 million French people are at risk.
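Why does the browser hand the session cookie to c0011.boursorama.com at all, and what would have stopped it? As an added example (not code from the original post), the following models the RFC 6265 scoping rules a browser applies when deciding which cookies to attach to a request: a cookie set with Domain=.boursorama.com goes to every subdomain, while a cookie set without a Domain attribute (host-only) goes only to the host that set it. The cookie names, values and Set-Cookie headers are invented; the tracker hostnames come from this post, including the ones Boursorama switched to after the fix. The same model covers the Smart AdServer case via ads.boursorama.com.

```python
"""Which cookies does a browser attach to a request for a given host?

Added example, not code from the original post. It applies the RFC 6265
scoping rules (Domain attribute vs host-only cookies, Secure) to show why a
session cookie scoped to .boursorama.com reaches c0011.boursorama.com and
ads.boursorama.com, and why either moving the trackers off the site's domain
(c0012.brsimg.com / ww16.smartadserver.com, as Boursorama later did) or
issuing the session cookie host-only stops that. Cookie names, values and the
Set-Cookie headers below are invented placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # effective domain, without leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool = False


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Minimal Set-Cookie parser (name, Domain, Secure only).
    RFC 6265 section 5.3: no Domain attribute means a host-only cookie for
    the host that set it. (A Domain that does not cover request_host would be
    rejected by a browser; that check is left out here.)"""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, secure = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip().lower().lstrip(".")
        elif key == "secure":
            secure = True
    if domain is None:
        return Cookie(name, request_host.lower(), True, secure)
    return Cookie(name, domain, False, secure)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def cookies_sent_to(host: str, cookies, https: bool = True) -> list:
    """Names of the cookies a conforming browser attaches to a request for host."""
    sent = []
    for c in cookies:
        if c.secure and not https:
            continue
        if c.host_only:
            if host.lower() == c.domain:
                sent.append(c.name)
        elif domain_matches(host, c.domain):
            sent.append(c.name)
    return sorted(sent)


def exposed_to(cookies, tracker_hosts, sensitive: str = "SESSION_ID") -> list:
    """Tracker hosts that would receive the sensitive cookie."""
    return sorted(h for h in tracker_hosts
                  if sensitive in cookies_sent_to(h, cookies))


LOGIN_HOST = "clients.boursorama.com"

# Constructed Set-Cookie headers: the vulnerable pattern (session cookie scoped
# to the whole registrable domain) and the hardened one (host-only).
VULNERABLE = [parse_set_cookie(h, LOGIN_HOST) for h in (
    "SESSION_ID=s3cr3t; Domain=.boursorama.com; Path=/; Secure; HttpOnly",
    "pref=fr; Domain=.boursorama.com; Path=/",
)]
HARDENED = [parse_set_cookie(h, LOGIN_HOST) for h in (
    "SESSION_ID=s3cr3t; Path=/; Secure; HttpOnly",     # no Domain: host-only
    "pref=fr; Domain=.boursorama.com; Path=/",
)]

CNAME_TRACKERS = ["c0011.boursorama.com", "ads.boursorama.com"]    # before the fix
OFFSITE_TRACKERS = ["c0012.brsimg.com", "ww16.smartadserver.com"]  # after the fix

if __name__ == "__main__":
    for label, jar in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for host in [LOGIN_HOST] + CNAME_TRACKERS + OFFSITE_TRACKERS:
            print(f"{label:10} {host:24} -> {cookies_sent_to(host, jar)}")
```

Note what does not help here: HttpOnly keeps the cookie away from JavaScript but it still travels in the Cookie header, and SameSite is irrelevant because c0011.boursorama.com is same-site with clients.boursorama.com. Only the cookie's Domain scope, or the tracker's hostname, decides whether the session reaches the third party.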
The same security flaw applies to Smart AdServer via the domain ads.boursorama.com, a name already a little more "readable" for adblockers:
[Screenshot: cookies sent with a request to ads.boursorama.com]
Smart AdServer therefore also receives the boursorama.com cookies, which would allow a malicious Smart AdServer employee to connect to anyone's Boursorama Banque account in the same way.
Boursorama's cookie policy, meanwhile, contains this gem:
[Screenshot: excerpt from Boursorama's cookie policy]
As we have just seen, Boursorama has in fact set up a technique that lets third parties (AT Internet and Smart AdServer) read the cookies of the issuer, Boursorama.
Refuse tracking, and Boursorama ignores it
What happens if you take the trouble to tell Boursorama that you do not want to be tracked?
[Screenshot: Boursorama's cookie banner]
Boursorama treats continued browsing as consent, which the CNIL, in its all-too-great weakness, still tolerates. Let's click on "Configure your cookies" anyway:
[Screenshot: the "Configure your cookies" panel, with every purpose checked by default]
Yes, all purposes are checked by default, another violation of the GDPR. So let's uncheck the various purposes (advertising and statistics). Reading the one related to statistics carefully, for instance:
Collecting information relating to your use of the content and combining such information with that previously collected in order to evaluate, understand and report on how you use the service. This does not include Personalization, the collection of information relating to your use of this service in order to subsequently send you personalized content and/or advertisements in other contexts, i.e. on other services, such as sites or applications
Note that this consent banner comes from the CMP (Consent Management Platform) of Commanders Act, the ill-named TrustCommander. If sites make your life this difficult with these unbearable banners, forcing you to click a dozen times to refuse tracking (rather than offering a simple Yes/No choice), it is also because software vendors let them.
We would then expect to see no more AT Internet tracking, right? Wrong: Boursorama does not take your preferences into account, as Charles shows when you log back in to your customer area:
[Screenshot: Charles Proxy capture after refusing tracking, still showing requests to Rubicon, AT Internet and Smart AdServer]
Boursorama still leaks your personal data to Rubicon, AT Internet and Smart AdServer. Bonus: AT Internet and Smart AdServer still receive every cookie associated with the domain boursorama.com, session cookies included, and so can still get into your Boursorama bank account.
Boursorama is hostile towards adblocker users
You might then say to yourself: luckily I use an adblocker, it protects me both against widespread tracking and against security flaws such as this one (and in the case of uBlock Origin that is true: it does block c0011.boursorama.com and ads.boursorama.com). However, Boursorama does not want you to protect yourself. If you enable your adblocker, you are greeted with this message:
[Screenshot: Boursorama's adblocker warning in the customer area]
Boursorama tells you that using an adblocker can seriously disrupt browsing within the customer area: this is false. But Boursorama goes even further:
Boursorama recommends that you deactivate your adblocker for zero-risk browsing and consultation of your accounts!
Savor the irony: the adblocker is precisely what protects you against the security flaw introduced by Boursorama! Note that Boursorama does not stop there; they also wrote an article explaining how to deactivate Adblock in the online help of the customer area, section “Protect my customer area”!
I therefore advise you to use an adblocker such as uBlock Origin combined with Firefox on the web (or another privacy-friendly browser such as Brave or Safari). On Firefox, uBlock Origin can resolve CNAME records itself and so also blocks cloaked trackers that are not yet on any filter list.
Do you use the iPhone app? Boursorama Banque also leaks your personal data
To get a sense of the tracking that Boursorama Banque has set up in its iPhone app, I followed this procedure:
- Close the various background applications.
- Launch the Charles Proxy application and start recording.
- Launch the Boursorama Banque application, then browse inside the app.
- Export the logs from my Charles Proxy session to my computer.
[Screenshot: Charles Proxy capture of the Boursorama Banque iPhone app]
The app is just as chatty as the website; it leaks your personal data to the following companies:
- Google: via the Firebase developer toolbox.
- AT Internet: via xiti.com (Xiti is the former name of AT Internet). Boursorama leaks your browsing activity, but this time no boursorama.com cookies leak.
- Smart AdServer: there is no advertising in the app, so it remains unclear why Boursorama is calling Smart AdServer.
"Fortunately", there is no leak of Boursorama data to Smart AdServer here, even though the app also uses the domain ads.boursorama.com: only Smart AdServer's own cookies are sent. The app does not keep your session in cookies, so there is nothing for the CNAME'd host to pick up.
How can you protect yourself against widespread tracking and security flaws in apps? You can use apps such as DNSCloak, Adguard or NextDNS on iOS.
Boursorama violates its customer data protection policy
If we read the Boursorama Banque customer data protection policy, the commitment to the security and protection of your personal data is firm; the document opens with:
Boursorama is keen to build a strong and lasting relationship with its clients, based on trust and mutual interest. As a credit institution subject to banking secrecy, Boursorama ensures the security and confidentiality of the information entrusted to it. That is why Boursorama is determined to protect your personal data and your privacy.
That trust is obviously broken: Boursorama does not ensure the security and confidentiality of the information entrusted to it. Boursorama then continues with this paragraph:
[Screenshot: excerpt from Boursorama's customer data protection policy]
Boursorama allows third parties (AT Internet and Smart AdServer) to access my customer account, which contains, for example, my banking transactions. In part 3, "Who are the recipients of personal data", Boursorama states that it may pass your data on to public authorities, financial institutions and its technical service providers.
There is no mention of AT Internet or Smart AdServer; do they fall into the "technical service providers" category? If so, here is how Boursorama describes its "technical service providers":
[Screenshot: the policy's description of "technical service providers"]
My login data is obviously not part of the information strictly necessary for audience measurement or ad delivery. Finally, here is what Boursorama says about securing your data:
[Screenshot: the policy's paragraph on data security]
My login data is intercepted by unauthorized third parties: AT Internet and Smart AdServer.
What changes can we hope for?
While I did not expect such a security flaw at an online bank like Boursorama Banque, the problem is unfortunately a general one:
- Criteo has succeeded in convincing more than 10,000 sites to install a CNAME.
- A complete list is hard to come by, but other analytics or advertising solutions also offer CNAME setup: AT Internet and Smart AdServer, as we have seen, but also Eulerian, Keyade, Adobe, ContentSquare or Commanders Act (yes, the company that offers the consent-collection solution “TrustCommander”, used by Boursorama and whose motto is "Create trust by playing the transparency card").
Did you think the CNAME technique was “limited” to obscure marketing companies? Wrong: Adobe offers it too.
The "advantages" these tools tout: bypassing adblockers and browser protections to track you ever more closely, even when you don't want them to. These tools should obviously stop offering the CNAME option; they bear a heavy responsibility as technology providers. The sense of impunity doesn't help: without penalties from the CNIL, why change?
But websites also bear a heavy responsibility: in their drive to monitor you ever more closely and squeeze more value out of your information, they lose sight of the security of your personal data. Here too, the absence of a real regulator makes itself felt. Boursorama should therefore:
- Remove the CNAMEs and use the "standard" versions of the AT Internet and Smart AdServer trackers. At the very least, issue the session cookies for the login host only (no Domain=.boursorama.com attribute), so that no subdomain delegated to a third party ever receives them.
- Remove the Smart AdServer and Rubicon advertising trackers from its customer area and its app.
- Offer a genuine consent-collection mechanism (opt-in) and honor it.
- Drop the hostile stance toward adblocker users.
The ball is in your court, Boursorama: be responsive and better protect your customers' banking data. That is how you will earn the right to be recommended.