
Issue #834 resolved

HTTPS security compromised by insecure script download

intgr
created an issue

Even when accessing Bitbucket over a secure HTTPS connection, a JavaScript file is downloaded insecurely:

http://bitbucket.org/m/js/lib/bundle.310309Mar.js?2152100

The attacker (a middleman) can just append malicious code to this script to, for instance, rig the login box and leak the password.

(Also note: browsers only display "secure site" icons if all elements of a page are downloaded securely.

Images from media-cdn.bitbucket.org and www.gravatar.com are downloaded insecurely; it's considered a good security practice to download all elements through secured connections as well, though I can't see an obvious attack scenario here. I do realize that Gravatar can't be secured easily.)
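An added check, not Bitbucket's own code, that finds this kind of mixed content in the HTML of an HTTPS page and separates the script case reported above (active, an on-path attacker can alter page behaviour) from the image case (passive). The sample page, its `bitbucket.org` paths and the Gravatar URL are constructed to mirror the report, not captured from the site.

```python
# Added example (not Bitbucket's code): list sub-resources of an HTTPS page that
# are fetched over plain http://, split into "active" (script, stylesheet, frame:
# an on-path attacker can change page behaviour) and "passive" (images, media).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SEVERITY = {"script": "active", "iframe": "active", "object": "active",
            "img": "passive", "audio": "passive", "video": "passive", "source": "passive"}


def classify(tag, attrs):
    if tag == "link":  # only stylesheets execute in the page; icons and the like are passive
        return "active" if "stylesheet" in (attrs.get("rel") or "").lower() else "passive"
    return SEVERITY.get(tag)  # None for tags that load no sub-resource


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        severity = classify(tag, attrs)
        if severity is None:
            return
        for attr in ("src", "href", "data"):
            if attrs.get(attr):
                # Resolve relative and "//host/x" references against the page URL first.
                absolute = urljoin(self.page_url, attrs[attr])
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((severity, tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(severity, tag, url)] for every http:// sub-resource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page modelled on the report above; not a real capture.
SAMPLE_PAGE_URL = "https://bitbucket.org/dashboard/overview"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://bitbucket.org/m/css/main.css">
<script src="http://bitbucket.org/m/js/lib/bundle.310309Mar.js?2152100"></script>
<script src="//bitbucket.org/m/js/lib/other.js"></script>
<img src="http://www.gravatar.com/avatar/example?s=32">
<img src="http://media-cdn.bitbucket.org/img/logo.png">
</body></html>"""
```

Protocol-relative and `https://` references are not reported, so the output is exactly the set a browser would treat as mixed content.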

Comments (1)
