A cron job that I run every day to screen scrape some figures from a financial services provider recently broke, and upon investigation it transpired that it was no longer able to log in to my account. On its own that isn’t particularly unusual, but it was when I started investigating what had changed and needed to be fixed in my script that things got a bit weird…
The login process involves submitting a form consisting of a username, a PIN and a password over a secure HTTPS connection. The PIN and password are sent in plain text, but that is fine as the connection is secure.
An initial investigation of what was now happening when the login form was submitted showed that the PIN and password appeared to have been obfuscated in some way, so I grabbed what appeared to be the relevant JavaScript and ran it through a beautifier, revealing this:
$("#obfuscatedPin").val(CryptoJS.MD5(Value("originalPin")).toString(CryptoJS.enc.Base64).toUpperCase());
$("#obfuscatedPwd").val(CryptoJS.MD5(Value("originalPwd").toUpperCase()).toString(CryptoJS.enc.Base64));
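The two transformations above, reproduced with Node's built-in crypto module so their properties can be checked outside the browser. This is an added example, not the provider's code or the script from this post. It assumes `Value("…")` returns the text of the named field; the function names and the sample PIN and password are constructed for illustration.

```javascript
// Added example: the page's two CryptoJS expressions, rebuilt on Node's crypto module.
const { createHash } = require("crypto");

// MD5 of a UTF-8 string, Base64-encoded with padding
// (the result of CryptoJS.MD5(s).toString(CryptoJS.enc.Base64)).
function md5Base64(text) {
  return createHash("md5").update(text, "utf8").digest("base64");
}

// PIN field: hash first, then uppercase the Base64 text.
function obfuscatePin(pin) {
  return md5Base64(pin).toUpperCase();
}

// Password field: uppercase the input first, then hash.
function obfuscatePwd(pwd) {
  return md5Base64(pwd.toUpperCase());
}

// Swap the case of every ASCII letter, to test case sensitivity.
function flipCase(text) {
  return text.replace(/[a-zA-Z]/g, (c) =>
    c === c.toUpperCase() ? c.toLowerCase() : c.toUpperCase()
  );
}

// What the obfuscation does and does not change about the submitted values.
function observations(pin, pwd) {
  return {
    pinField: obfuscatePin(pin),
    pwdField: obfuscatePwd(pwd),
    // No salt or per-session nonce: the same credential always yields the
    // same field value, so that value is what authenticates on the wire.
    repeatable:
      obfuscatePin(pin) === obfuscatePin(pin) &&
      obfuscatePwd(pwd) === obfuscatePwd(pwd),
    // Uppercasing before hashing makes the password case-insensitive.
    pwdCaseInsensitive: obfuscatePwd(flipCase(pwd)) === obfuscatePwd(pwd),
    // Uppercasing after encoding changes the Base64 text, so the PIN field
    // no longer decodes to the real MD5 digest.
    pinBase64Altered: md5Base64(pin) !== obfuscatePin(pin),
  };
}

// Constructed sample credentials, not real ones.
console.log(observations("1234", "Tr0ub4dor"));
```
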