A piece of code leaves a lot of popular websites vulnerable

Oct 24, 2011 17:41 GMT  ·  By

Any website that embeds a piece of advertising code used by EyeWonder can have arbitrary script injected into it by an attacker, effectively handing over control of the page.

A programmer called David Lynch discovered the flaw with the help of a co-worker and, to demonstrate it, made the images on popular websites such as CNN, The New York Times and Fox News spin.

“If I was malicious I could be harvesting your cookies from them, redirecting you to phishing sites, recording everything you type, or just snooping on everything you view,” Lynch reveals.

“As an example of why someone might want to do this... in the case of these particular sites, stealing your cookies (document.cookie) would let me post comments as you. I could thus spam those sites using legitimate accounts that I don't have to go through the hassle of creating myself.”

It seems that many websites include the advertising code and are thus susceptible to attack from any cybercriminal out to have some fun.

According to Lynch, the fix is simple: the vulnerability comes down to over-permissive input handling in the code, which does not restrict where the scripts it loads may come from.

“A little bit of checking of the input, to restrict it to scripts hosted only on known-trusted domains would be enough to make exploiting it almost impossible,” he reveals.
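The kind of check Lynch describes, shown here as an added example rather than EyeWonder's own code (which the article does not reproduce). It assumes an ad loader that takes a script URL from untrusted input, such as a query-string parameter an attacker can place in a link, and appends it to the page as a <script> tag; the trusted host names, the fake document object and the sample URLs are constructed for the demonstration. The hardened version parses the URL and accepts only an exact hostname match, which also covers the usual bypasses a substring or suffix check would miss.

```javascript
// Added example, not EyeWonder's code. Assumes an ad loader that reads a
// script URL from untrusted input and injects it as a <script> tag.

// Hypothetical allowlist of hosts permitted to serve ad scripts.
const TRUSTED_SCRIPT_HOSTS = ["cdn.ads.example", "static.ads.example"];

// Minimal stand-in for the DOM so the example runs offline; it records the
// src of every script the loader would have executed in the host page.
function makeFakeDocument() {
  const executed = [];
  return {
    executed,
    createElement: (tag) => ({ tagName: tag.toUpperCase(), src: "" }),
    head: { appendChild: (el) => { executed.push(el.src); return el; } },
  };
}

function injectScript(doc, scriptUrl) {
  const s = doc.createElement("script");
  s.src = scriptUrl;
  doc.head.appendChild(s);
}

// Vulnerable pattern: whatever URL arrives is executed in the host page's
// origin, which is what lets an attacker read document.cookie on that site.
function loadAdScriptVulnerable(doc, scriptUrl) {
  injectScript(doc, scriptUrl);
  return true;
}

// Exact-hostname allowlist check. A substring or endsWith test is the classic
// mistake: cdn.ads.example.evil.example and evil.example/cdn.ads.example would pass.
function isTrustedScriptUrl(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl); // relative and protocol-relative ("//host/x.js") URLs throw here
  } catch (e) {
    return false;
  }
  if (u.protocol !== "https:") return false;                 // rejects javascript:, data:, http:
  if (u.username !== "" || u.password !== "") return false;  // https://trusted@evil.example
  return TRUSTED_SCRIPT_HOSTS.includes(u.hostname);          // hostname is already lowercased
}

function loadAdScriptHardened(doc, scriptUrl) {
  if (!isTrustedScriptUrl(scriptUrl)) return false; // refuse; never fall back to the input
  injectScript(doc, scriptUrl);
  return true;
}

// Constructed sample inputs: two legitimate URLs and the usual bypass attempts.
const SAMPLE_URLS = [
  "https://cdn.ads.example/ad.js",
  "https://CDN.ADS.EXAMPLE:443/ad.js",
  "http://cdn.ads.example/ad.js",
  "https://cdn.ads.example.evil.example/x.js",
  "https://evil.example/cdn.ads.example/x.js",
  "https://cdn.ads.example@evil.example/x.js",
  "//evil.example/x.js",
  "javascript:alert(document.cookie)",
];

// Runs both loaders over the samples and returns the script URLs each would execute.
function compareLoaders(urls = SAMPLE_URLS) {
  const vuln = makeFakeDocument();
  const hard = makeFakeDocument();
  for (const url of urls) {
    loadAdScriptVulnerable(vuln, url);
    loadAdScriptHardened(hard, url);
  }
  return { vulnerable: vuln.executed, hardened: hard.executed };
}

console.log(compareLoaders());
```

Against the sample list the vulnerable loader executes all eight URLs, while the hardened one executes only the two that genuinely point at an allowlisted host over HTTPS. The allowlist is a property of the ad network's deployment, so in a real integration it would have to be maintained alongside the script's own hosting.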

I tried to contact EyeWonder to see what they have to say about the matter but, as expected, they didn't reply. This sort of situation gives away the true identity of a business and unfortunately, on many occasions, the picture they provide is not pretty.

Website owners who work with EyeWonder should resolve the issue quickly, or contact the company for assistance, since such a vulnerability can have serious consequences.

Ads have been a topic of discussion on many occasions lately, and security solutions providers that took note of these types of weaknesses rushed to release products that can detect malicious advertisements and closely monitor related activity.