NoScript and Service Canada's My Account

Discussion in 'other security issues & news' started by MikeBCda, Feb 6, 2013.

Thread Status:
Not open for further replies.
  1. MikeBCda

    MikeBCda Registered Member

    Jan 5, 2004
    southern Ont. Canada
    I couldn't find an obviously appropriate home for this in the Security Software section, so of course feel free to move it if I missed something.

    Service Canada, which is an almost one-stop shopping site for Canadian government online service, has changed its login procedures and requirements for My Account a number of times over the years. One of the most recent changes introduced "partner" registrations, which if you were registered with one of a couple of banks' online services or a few other financial services, permitted you to log in using your ID from the other site.

    This used to work fine, but requires an XSS to work. One of the recent updates to NoScript (or possibly Firefox itself, or maybe even both) now blocks this, preventing login to the government site. I tried clearing the XSS options, but that made no difference. Finally this morning I tried disabling NoScript entirely, and got in just fine.

    So if you're in the (possibly quite small) group who has Firefox and NoScript up to date and uses Service Canada's My Account and logs in with the partner-registration thing, note you'll now have to disable NoScript first. You can re-enable it after logging out, or maybe even after successfully logging in (didn't try that yet) -- since you have to restart Firefox both times, your exposure to possible XSS exploits should be minimal.
Thread Status:
Not open for further replies.