Bank of Melbourne / St.George / BankSA web login prevents using a password manager in a misguided attempt to improve security — fixed with userscript

Brendan Weibrecht
5 min read · Dec 29, 2022


What’s the sitch?

I opened a Bank of Melbourne account for my home loan a year and a half ago, and have since sadly discovered a range of user experience issues, which I blogged about previously.

One issue in particular I found interesting enough to detail in a post of its own: using my password manager, Bitwarden, to log in fails; and even worse, the site gaslights you into thinking it is down! 🤕

I wrote up most of this post shortly after I started with the bank, but have only now put in the effort required to figure out a fix.

Password managers are excellent

Using a password manager is a huge benefit for security and ease of use in managing logins. For each website you use, you can have it generate a unique long complex password; and automatically fill in your credentials whenever you’re prompted to log in 🔒

I moved from LastPass to Bitwarden two years ago, and it’s been so good I’ve never looked back. It’s even free! — there are paid plans, but the free one has all the features you really need. And unlike NordPass and others you’ve heard about, it’s open source software! 🎉

I’m now particularly glad I left LastPass, given all the recent shocking revelations that they had their password vaults leaked! 😱 Using a cloud-based password manager does indeed carry a (low) level of risk of your entire password collection being exposed; however, the security benefits it provides far outweigh that risk. Even in the case of this LastPass breach, the leaked vaults are not super useful to attackers as the passwords are still encrypted.

I love using Bitwarden, so it was disheartening to learn that, unlike every other website I use, Bank of Melbourne was seriously incompatible with Bitwarden’s autofill feature.

This issue may extend to other password managers, but I haven’t checked.

Trying to login using autofill

Behold the (dated-looking) Bank of Melbourne web banking login page:

Pristine Bank of Melbourne login page

A Bitwarden entry configured like so will allow it to autofill the whole login form:

Example Bitwarden entry for Bank of Melbourne. Note the ‘securityNumber’ custom field which allows it to fill in that field too

Pressing Ctrl+Shift+L to get Bitwarden to autofill from this entry results in the following:

All three textual inputs are now filled in

We can reveal the actual content of those password input elements by running this snippet of JavaScript in the browser console to change the ‘type’ of the secret HTML input fields from ‘password’ to ‘text’:

And as you’d expect, the inputs contain the text configured in Bitwarden:

The secrets be secret no more!

That looks correct 🙂 So let’s try logging in.

Here’s the result of doing so using a Bitwarden entry that has my actual credentials:

Error: “The System is currently unavailable. Please try again later. We apologise for any inconvenience caused.” Lies!

You’re kidding — internet banking is down? 😢

Nope! If you manually copy and paste each piece of text into the form, it works! 🤦

But why?!

Bank of Melbourne’s login page is implemented incredibly oddly. It applies client-side encryption directly to the security number and password form fields when each one loses focus, but that handling seemingly isn’t triggered by whatever JavaScript Bitwarden uses to fill fields.

The simple substitution cipher it applies seems to be different each time you refresh the page. Here is one example from using the above credentials:

The login fields with the substitution cipher applied correctly — by manually pasting the original values into each field

I imagine this ‘feature’ was implemented as a misguided attempt to increase security; ironically, it probably reduces the bank’s overall security, because it makes using a password manager incredibly annoying for customers, and a password manager is what actually increases security by making a long, unique password practical.

This substitution cipher adds no real security at all. The mapping runs entirely in the browser, so anyone who can read the form fields (a compromised web page, browser, or HTTPS connection) can read the mapping too, and at that point you’re already completely sunk.

This dodgy client-side encryption thing seriously needs to be fixed (perhaps by applying it only upon form submission), or better yet, removed.

Sidenote: What on Earth are these requests trying to connect to local services on my machine about?

The login page trying to open WebSocket connections to 127.0.0.1 on ports 7070, 5938, 5939, 5279, 5800, and 5900. What is an rdagent?

St.George Bank and BankSA are affected too

Bank of Melbourne is a Victorian rebadge of St.George Bank (both owned by Westpac), and so, predictably, St.George has an identical login page with the same issue. I can even log into it with my Bank of Melbourne credentials! 🙄

And I learned today that BankSA is another one!

Give me the fix already pls

I spent a few hours today debugging the login page, and thankfully, did manage to eventually come up with a fix! This takes the form of a userscript, published on GitHub in a collection of userscripts I’ve written.

To install it:

How it works

Thanks to the Visual Event bookmarklet, I was able to see that the webpage primarily listens on the fields for the ‘focusout’ event to then perform obfuscation (script source):

As it turns out, this does get triggered by Bitwarden autofill, so the values do get obfuscated, but they don’t stay that way! Bitwarden must then also be assigning the field via the ‘value’ property setter, which fires no events and clobbers the obfuscated value. To work around this, right after a value is obfuscated I record that obfuscated value, and restore it a moment later.

Chrome console showing my debug logging of this process in action
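To make that sequence concrete, here is an added simulation written for this post, not the author’s userscript and not the bank’s real code. It assumes a minimal stand-in for a DOM input and a seeded substitution table (the real table’s format is unknown); the `defer` hook exists so the “restore a moment later” step can be driven synchronously in a test.

```javascript
// Stand-in for a DOM input (assumed API subset); assigning .value fires no events, as in the DOM.
class FakeInput {
  constructor() { this.value = ''; this.listeners = {}; }
  addEventListener(type, fn) { (this.listeners[type] = this.listeners[type] || []).push(fn); }
  dispatchEvent(type) { for (const fn of this.listeners[type] || []) fn({ target: this }); }
}

// Per-page-load substitution table (real format unknown; a seeded shuffle gives the per-refresh change).
function makeSubstitution(seed) {
  const chars = [...'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'];
  let s = seed >>> 0;
  const rand = () => (s = (s * 1664525 + 1013904223) >>> 0) / 2 ** 32; // deterministic LCG
  const shuffled = [...chars];
  for (let i = shuffled.length - 1; i > 0; i--) {
    const j = Math.floor(rand() * (i + 1));
    [shuffled[i], shuffled[j]] = [shuffled[j], shuffled[i]];
  }
  return new Map(chars.map((c, i) => [c, shuffled[i]]));
}
const obfuscate = (table, plain) => [...plain].map(c => table.get(c) ?? c).join('');

// Bank page behaviour as described in the post: obfuscate the field on focusout.
function installBankHandler(input, table) {
  input.addEventListener('focusout', e => { e.target.value = obfuscate(table, e.target.value); });
}

// Manager fill as the post infers it: set value, fire focusout, then assign value= again (clobbers).
function managerFill(input, secret) {
  input.value = secret;
  input.dispatchEvent('focusout');
  input.value = secret;
}

// Userscript fix: our listener runs after the page's, so it sees the obfuscated value; restore it later.
function installFix(input, defer = fn => setTimeout(fn, 0)) {
  input.addEventListener('focusout', e => {
    const obfuscated = e.target.value;
    defer(() => { e.target.value = obfuscated; });
  });
}

// One fill against a fresh field; returns the field and the value the bank's server expects.
function simulateLogin(secret, withFix, defer) {
  const table = makeSubstitution(20221229);
  const input = new FakeInput();
  installBankHandler(input, table);
  if (withFix) installFix(input, defer);
  managerFill(input, secret);
  return { input, expected: obfuscate(table, secret) };
}
```

Without the fix the field ends up holding the plain secret, which is exactly the value the bank then rejects with its “system unavailable” page.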

Enjoy!

I’m planning to post here more often, so if you enjoy this kind of content, chuck us some claps and a follow! 🤓 Cheers

If I’ve made your day, I wouldn’t say no to a tip!
PayID: zimbix@up.me
PayPal: https://paypal.me/BrendanWeibrecht
BTC: 3GCJNieDirnFJLc9zJiYg1GfNVSD1iZmY7


Brendan Weibrecht

Ruby software craftsman, hacking enthusiast, Linux evangelist, and connoisseur of modern punk rock. Dislikes spicy food and chocolate