EDIT August 11, 2020: Boursorama no longer leaks your connection data to AT Internet and Smart AdServer.
Data sent to AT Internet now goes through the domain c0012.brsimg.com, and data sent to Smart AdServer goes through several domains including ww16.smartadserver.com. Since neither host lies under boursorama.com, AT Internet and Smart AdServer no longer receive the Boursorama authentication cookies (which are scoped to the boursorama.com domain).
The correction took place before August 4; see this response from Boursorama. Also note the transparency of Boursorama in this late response. Boursorama now also respects your choice if you refuse to be tracked on the web (except for AT Internet, which has an exemption from the CNIL). Not everything is perfect: Boursorama still has a hostile attitude towards adblock users and does not allow you to refuse tracking in its iOS app, but it is already a big step forward. Customer emails, articles and tweets (the CNAME problem on Boursorama was already known in November 2019) will undoubtedly have helped to move Boursorama.
Boursorama tracks you in the customer area of its website
Boursorama has a very popular and efficient online banking business, Boursorama Banque, which passed 2 million customers at the end of 2019. As a customer, I wanted to check whether the Boursorama Banque website leaks my personal data; you can do the same by following these steps:
- Disable your adblocker.
- Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data).
- Open the Chrome console (⌘+Option+J on Mac, Ctrl+Shift+J on PC), “Network” tab, or launch Charles Proxy.
- Then go to the login page of your Boursorama Banque customer account and log in.
Surprise: Boursorama Banque tracks you in the customer area:

Here are the companies that collect your personal data:
- AT Internet : via c0011.boursorama.com (we will return later to this subdomain, which seems trivial at first glance), a historic French analytics company, formerly named Xiti, collecting all of your browsing as well as the characteristics of your device. The analytics tool allows Boursorama to analyze user journeys and improve the experience of its website.
- Smart AdServer : French company offering a publisher ad server and an advertising inventory monetization solution (SSP). Why call an advertising solution in a customer area that displays no advertising?
- Rubicon : advertising inventory monetization solution (SSP), recently merged with Telaria to form Magnite. Here again, it is unclear why Boursorama calls an advertising solution.
- Commanders Act : via trustcommander.net, formerly TagCommander, a French company offering several products including, historically, a "Tag Manager" (lets marketing teams trigger marketing tags without involving developers, a real "Trojan horse" for marketing teams), a "Customer Data Platform" (centralizes your personal data) and a "Consent Management Platform" (solution for collecting consent).
AT Internet and Smart AdServer can connect to your Boursorama Banque account
The integration of AT Internet trackers is not directly visible in the requests sent from your computer. We observe requests to c0011.boursorama.com, but you have to dig deeper to realize that this subdomain is not managed by Boursorama: it has been delegated by Boursorama to AT Internet. How? By registering a CNAME record (an alias) pointing to a domain managed by AT Internet. You can check the CNAME record on this site, for example:
Then verify the owner of the domain at-o.net on this site:
AT Internet is therefore hidden at Boursorama: a Boursorama subdomain which does not attract attention (c0011.boursorama.com) points to an obscure domain (at-o.net). AT Internet then hides behind AWS domains in the WHOIS registry (only the CNAME record allows you to trace back to the source):
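The check described above (CNAME record, then who owns the target) can be automated over a list of subdomains. The following is an added example, not code from the original post: it parses `dig +noall +answer CNAME` output and flags first-party-looking names whose target belongs to another registrable domain. The sample answers are constructed; only the names c0011.boursorama.com, ads.boursorama.com and at-o.net come from the post, the exact targets are placeholders.

```python
# Added example (not from the post): flag first-party-looking subdomains whose
# CNAME target lives under a different registrable domain, i.e. CNAME cloaking.
# Feed it the text of `dig +noall +answer CNAME <host>` for each subdomain.
from typing import List, Tuple

# Constructed sample answers. Only c0011.boursorama.com, ads.boursorama.com and
# at-o.net appear in the post; the exact target hostnames are placeholders.
SAMPLE_DIG_OUTPUT = """\
c0011.boursorama.com.   300  IN  CNAME  collector-placeholder.at-o.net.
ads.boursorama.com.     300  IN  CNAME  target-placeholder.smartadserver.com.
static.boursorama.com.  300  IN  CNAME  cdn.boursorama.com.
"""

def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: production code should consult the
    Public Suffix List so that e.g. bank.co.uk is handled correctly."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse_dig_answers(text: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME answer line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3] == "CNAME":
            records.append((parts[0].rstrip(".").lower(), parts[4].rstrip(".").lower()))
    return records

def find_cloaked(records: List[Tuple[str, str]], first_party: str) -> List[Tuple[str, str]]:
    """Owners under first_party whose target is owned by someone else. Every cookie
    set with Domain=first_party is sent by the browser to these owners."""
    first_party = first_party.lower()
    return [(owner, registrable_domain(target)) for owner, target in records
            if registrable_domain(owner) == first_party
            and registrable_domain(target) != first_party]

if __name__ == "__main__":
    for owner, third_party in find_cloaked(parse_dig_answers(SAMPLE_DIG_OUTPUT), "boursorama.com"):
        print(f"{owner} is delegated to {third_party}: receives all boursorama.com cookies")
```

A legitimate CDN alias under a different domain is flagged too, which is intended: it receives the same cookies and deserves the same review.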
This hidden presence of AT Internet (formerly Xiti) on Boursorama Banque had already been noticed by the excellent Aeris in November 2019 (so Boursorama has still not reacted):
Why does AT Internet offer this option, and why has Boursorama adopted it? If we read the AT Internet documentation on the “custom domain” (CNAME), the goal is simple: bypass browser and adblocker protections:
To guarantee data collection under the best conditions, we offer the sending of hits to our servers with a CNAME from one of your subdomains. By using a custom domain, you keep your hits, and by keeping your SLAs, you can even benefit from the best cookie configuration (ITP).
By "you keep your hits", understand that adblockers will not necessarily be up to date and will probably not block the requests (bad luck for Boursorama: uBlock Origin does block c0011.boursorama.com).
By "you can even benefit from the best cookie configuration (ITP)", understand that AT Internet cookies are associated with the site's own domain (first party), so they are not blocked by browser privacy mechanisms such as Safari's Intelligent Tracking Prevention (ITP). AT Internet returns to this characteristic in its article:
Browsers like Safari now require cookies to be first-party (deposited from the current domain), server-side (deposited by a server, not by JavaScript) and secure (https). To meet these expectations, we provide a configuration that avoids potential restrictions or blocks impacting your analytics.
AT Internet does not mention the security risks associated with the use of a CNAME. And yet, as we have already seen in the case of Criteo and as Aeris explained before, they are significant. If the partner site has not taken precautions, AT Internet can read all the cookies set on the domain, not just the cookies created by AT Internet. So let's look at the cookies sent by your browser to AT Internet via the domain c0011.boursorama.com:
Thus AT Internet has access to all cookies set on the domain name boursorama.com, including the cookies that keep you logged in... Let's check whether someone who recovers the value of these cookies can take over your Boursorama Banque account:
- Disable your adblocker.
- Launch Charles Proxy, then log in to your Boursorama Banque customer account via Chrome.
- Retrieve cookies sent to c0011.boursorama.com via Charles Proxy.
- Clear all Chrome browsing data.
- Go to https://clients.boursorama.com/: you are logged out of Boursorama Banque.
- Use the Chrome extension EditThisCookie to create or update your different Boursorama cookies.
- Refresh the page: you are logged in!
Here you must configure the different cookies:
Your session expires after a certain time, so AT Internet would have to be quick to take advantage of it. Still, this means that a malicious AT Internet employee could log in to anyone's Boursorama Banque account. A theoretical threat, of course: this employee would need the technical skills and the right level of authorization to analyze the server logs. The fact remains that the bank details of more than 2 million French people are at risk.
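The leak above comes down to cookie scoping: a session cookie set with `Domain=boursorama.com` is sent by the browser to every host under that domain, including a delegated one, whereas a host-only cookie (no `Domain` attribute) or a `__Host-` prefixed cookie stays with clients.boursorama.com. The following added example (not code from the post or from Boursorama) models the browser's RFC 6265 domain-matching and `__Host-` rules over a constructed cookie jar; the cookie names are made up for illustration.

```python
# Added example (not from the post): a small model of the browser's cookie scoping
# rules (RFC 6265 domain matching plus the __Host- prefix) to show which cookies
# reach a CNAME-delegated subdomain. Cookie names and values are constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cookie:
    name: str
    set_by: str                   # host that sent the Set-Cookie header
    domain: Optional[str] = None  # Domain attribute; None means host-only
    secure: bool = True
    path: str = "/"

def browser_accepts(c: Cookie) -> bool:
    """Set-Cookie validation: __Host- cookies must be Secure, Path=/ and host-only;
    a Domain attribute must cover the host that set the cookie."""
    if c.name.startswith("__Host-"):
        return c.domain is None and c.secure and c.path == "/"
    if c.domain is not None:
        d = c.domain.lstrip(".")
        return c.set_by == d or c.set_by.endswith("." + d)
    return True

def is_sent_to(c: Cookie, request_host: str, https: bool = True) -> bool:
    """Domain matching: host-only cookies go only to the host that set them;
    Domain=boursorama.com cookies go to every *.boursorama.com host."""
    if c.secure and not https:
        return False
    if c.domain is None:
        return request_host == c.set_by
    d = c.domain.lstrip(".")
    return request_host == d or request_host.endswith("." + d)

def cookies_sent(jar: List[Cookie], request_host: str) -> List[str]:
    return sorted(c.name for c in jar if browser_accepts(c) and is_sent_to(c, request_host))

# Constructed jar: three ways the bank could scope its session cookie, plus the
# tracker's own cookie dropped through the delegated subdomain.
JAR = [
    Cookie("SESSION_DOMAIN", "clients.boursorama.com", domain="boursorama.com"),  # leaks
    Cookie("SESSION_HOSTONLY", "clients.boursorama.com"),                          # stays put
    Cookie("__Host-SESSION", "clients.boursorama.com"),                            # stays put
    Cookie("__Host-BAD", "clients.boursorama.com", domain="boursorama.com"),       # rejected
    Cookie("tracker_id", "c0011.boursorama.com", domain="boursorama.com"),  # also reaches the app
]
if __name__ == "__main__":
    for host in ("clients.boursorama.com", "c0011.boursorama.com"):
        print(host, "receives", cookies_sent(JAR, host))
```

The last entry shows the reverse direction: a cookie set through the delegated subdomain with `Domain=boursorama.com` is also sent to the customer area itself.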
The same security flaw applies to Smart AdServer via the domain ads.boursorama.com, already a little more "readable" for adblockers:
Smart AdServer therefore also collects cookies from boursorama.com, allowing a malicious Smart AdServer employee to log in to anyone's Boursorama Banque account:
If we look at the Boursorama cookie policy, we can read this nugget:
As we have just seen, Boursorama has implemented a technique allowing third parties (AT Internet and Smart AdServer) to read the cookies issued by Boursorama.
Refuse tracking: Boursorama does not take it into account
What happens if you take the trouble to tell Boursorama that you do not want to be tracked?
Boursorama considers that continuing to browse constitutes consent, as the CNIL, in its excessive weakness, still allows. However, let's click on "Configure your cookies":
Yes, all purposes are checked by default, another violation of the GDPR. So let's uncheck the different purposes (advertising and statistics). If we read carefully the one related to statistics, for example:
Collecting information relating to your use of the content and combining such information with that previously collected in order to evaluate, understand and report on how you use the service. This does not include Personalization, the collection of information relating to your use of this service in order to subsequently send you personalized content and/or advertisements in other contexts, i.e. on other services, such as sites or applications.
Note that this consent banner comes from the CMP (Consent Management Platform) of Commanders Act, the misnamed Trust Commander. If sites make your life so difficult with these unbearable banners, requiring you to click ten times to refuse tracking (instead of a simple Yes/No choice), it is also because software publishers allow it.
We would then expect to no longer see AT Internet tracking, right? Wrong: Boursorama does not take your preferences into account, as Charles shows when you log back in to your customer area:
Boursorama still leaks your personal data to Rubicon, AT Internet and Smart AdServer. Bonus: you still give AT Internet and Smart AdServer access to your Boursorama bank account through the leak of all cookies associated with the domain boursorama.com.
Boursorama is hostile towards adblocker users
You might then say to yourself: luckily I use an adblocker, it protects me against widespread tracking as well as against security vulnerabilities such as this one (and in the case of uBlock Origin it's true: it does block c0011.boursorama.com and ads.boursorama.com). However, Boursorama does not want you to protect yourself. If you enable your adblocker, you are greeted with this message:
Boursorama tells you that the use of an adblocker can seriously disrupt navigation within the customer area: this is false. But Boursorama goes even further:
Boursorama recommends that you deactivate your adblocker for zero-risk browsing and consultation of your accounts!
Appreciate the irony: the adblocker is what protects you against the security vulnerability introduced by Boursorama! Note that Boursorama does not stop there: they also wrote an article explaining how to deactivate Adblock in the online help of the customer area, section “Protect my customer area”!
I therefore advise you to use an adblocker such as uBlock Origin combined with Firefox on the web (or other privacy-friendly browsers such as Brave and Safari).
Do you use the iPhone app? Boursorama Banque also leaks your personal data there
To understand the tracking implemented by Boursorama Banque in its iPhone application, I followed this procedure:
- Close the various background applications.
- Launch the Charles Proxy application and enable recording.
- Launch the Boursorama Banque application, then browse the app.
- Export the logs from my Charles Proxy session to my computer.
The app is just as chatty as the website: it leaks your personal data to the following companies:
- Google : via the Firebase developer toolbox.
- AT Internet : via xiti.com (Xiti is the old name of AT Internet); Boursorama leaks your navigation, but this time there is no leak of boursorama.com cookies.
- Smart AdServer : there is no advertising in the application, so we still wonder why Boursorama calls Smart AdServer.
“Fortunately”, no Boursorama data leaks to Smart AdServer here despite the use of the domain ads.boursorama.com (only Smart AdServer cookies are sent). Your session information in the iPhone app is not stored in cookies.
How can you protect yourself against widespread tracking and security breaches in apps? You can use apps such as DNSCloak, AdGuard or NextDNS on iOS.
Boursorama violates its customer data protection policy
If we read the Boursorama Banque customer data protection policy, the commitment to the security and protection of your personal data is firm; the document begins with:
Boursorama is keen to build a strong and lasting relationship with its clients, based on trust and mutual interest. As a credit institution subject to banking secrecy, Boursorama ensures the security and confidentiality of the information entrusted to it. Also, Boursorama is determined to protect your personal data and your privacy.
Trust is obviously broken: Boursorama does not ensure the security and confidentiality of the information entrusted to it. Boursorama then continues with this paragraph:
Boursorama allows third parties (AT Internet and Smart AdServer) to access my customer account, which contains for example my banking transactions. In part 3, "Who are the recipients of personal data", Boursorama states that it may communicate your data to public authorities, financial organizations and its technical service providers.
No mention of AT Internet or Smart AdServer; do they fall into the “technical service providers” box? If so, this is how Boursorama describes “technical service providers”:
My connection data is obviously not part of the information strictly necessary for audience measurement or the delivery of advertisements. Finally, here is how Boursorama describes the security of your data:
My connection data is intercepted by unauthorized third parties: AT Internet and Smart AdServer.
What changes can we hope for?
Although I did not expect such a security breach at an online bank like Boursorama Banque, the problem is unfortunately widespread:
- Criteo has succeeded in convincing more than 10,000 sites to install a CNAME.
- It is difficult to have the complete list, but other analytics or advertising solutions also offer the installation of a CNAME: AT Internet and Smart AdServer as we have seen, but also Eulerian, Keyade, Adobe, ContentSquare or Commanders Act (yes, the company that offers the consent collection solution “Trust Commander”, used by Boursorama, and whose motto is "Create trust by playing the transparency card").
Did you think the CNAME technique was “limited” to obscure marketing companies? Wrong: Adobe offers it too.
"Advantages" put forward by these tools: bypass adblockers and browser protections to track you ever better, even when you don't want to be. Obviously, these tools should stop offering the CNAME option; as technology providers, they bear a heavy responsibility. The feeling of impunity doesn't help: without sanctions from the CNIL, why change?
But websites also bear a strong responsibility: in their desire to monitor you ever more closely and better monetize your information, they forget the security of your personal data. Here too, the absence of a real regulator is felt. Boursorama should thus:
- Delete the CNAMEs and use the “standard” versions of the AT Internet and Smart AdServer trackers.
- Delete the Smart AdServer and Rubicon advertising trackers from its customer area and application.
- Propose a real mechanism for collecting consent (opt-in) and respect it.
- Stop the hostile attitude towards adblocker users.
It's up to you, Boursorama, to be responsive and to better protect your customers' banking data; this is how you will earn the right to be recommended.