Expandable ads can be entry points for site hacks
Randy Westergren
Ads that expand on a web page to show a larger banner or video containers can be abused as entry points for other hacks, according to new research published this week by Randy Westergren, a Delaware-based security researcher.
The researcher says he identified several vulnerabilities in iframe busters, the name given to files that websites host on their server to support “expanded ads.”
Advertising companies provide these iframe busters to site owners who want to show ads from the ad network’s portfolio. These scripts are unique for each ad company, but they work in the same way, by running JavaScript code that bypasses the browser’s SOP (Same-Origin Policy) security feature to allow the ad to break out of its fixed container and make changes to the current page and expand its display area.
Westergren says that many of these iframe buster scripts are vulnerable to cross-site scripting (XSS) vulnerabilities that allow an attacker to take advantage of the iframe buster file hosted on a site’s server to run malicious JavaScript code on that site.
The damage caused by these attacks depends on the attacker’s ability to craft the malicious code, but it’s generally considered that an attacker who can run JavaScript code on a remote site can technically steal the user’s information related to that site, if not more.
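The article does not reproduce the vulnerable scripts, so the following is an added example, not code from Westergren's post or from any ad vendor. It assumes a hypothetical buster page that takes the ad script URL from a `src` query parameter, and shows the strict validation such a file would need before loading anything into the publisher's origin; the host name, parameter name and function names are invented for illustration.

```javascript
// Added example: parameter check for a hypothetical iframe-buster page.
// Assumption: the buster receives the ad script URL in a query parameter and
// would otherwise load it, unchecked, with the publisher origin's privileges.

// Constructed allowlist; a real deployment lists only its ad network's hosts.
const ALLOWED_SCRIPT_HOSTS = new Set(["cdn.adnetwork.example"]);

// Returns a normalized https URL string if it is safe to load, otherwise null.
function validateAdScriptUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try {
    // No base URL is passed, so relative and protocol-relative inputs throw.
    url = new URL(raw);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null;    // rejects javascript:, data:, http:
  if (url.username || url.password) return null; // rejects https://allowed-host@other-host/
  if (url.port !== "") return null;              // default port only
  // Exact host match: suffix or substring tests accept lookalike domains.
  if (!ALLOWED_SCRIPT_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Reads the parameter from the buster page's query string and validates it.
function scriptUrlFromQuery(search, paramName = "src") {
  const values = new URLSearchParams(search).getAll(paramName);
  // Duplicate parameters are ambiguous between parsers; refuse them.
  if (values.length !== 1) return null;
  return validateAdScriptUrl(values[0]);
}

// Constructed sample query strings, as a buster page might see them.
const samples = [
  "?src=https://cdn.adnetwork.example/expand.js",
  "?src=//cdn.adnetwork.example/expand.js",
  "?src=javascript:void(0)",
  "?src=https://cdn.adnetwork.example.attacker.example/x.js",
  "?src=https://cdn.adnetwork.example@attacker.example/x.js",
];
for (const s of samples) {
  console.log(s, "=>", scriptUrlFromQuery(s) === null ? "rejected" : "accepted");
}
```

Only the first sample is accepted; a caller should build the script element from the returned normalized string, never from the raw parameter.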
The researcher says he identified XSS vulnerabilities in most of the iframe buster scripts that, until recently, Google has been providing for download as part of a multi-vendor iFrame Buster kit, offered through the DoubleClick AdExchange documentation site.
Westergren detailed four examples on his blog, showing how an attacker could run malicious code on any site that uses iframe busters from ad networks like Adform, Eyeblaster (Add in Eye), Adtech, and Jivox.
The researcher says he notified Google of the issues with the iframe buster scripts that are part of the company’s iFrame Buster kit, and Google engineers removed those scripts within two weeks, back in January this year.
In the meantime, Google has stopped offering the kit for download altogether, but some of these iframe buster scripts are still vulnerable if downloaded from other sources.
Users who want to remain safe are advised to use an ad blocker, as most ad blockers will block intrusive ads that roll out and cover a large area of the page.