Pretending innocence, I ask why all these high profile websites have their homepages covered in spinning images?
Okay, obviously enough, I’m messing with them. But how can I do that?
The answer is cross site scripting (“XSS”).
XSS is surprisingly common, and nigh-universally is caused by poorly escaped user inputs. Even user inputs which, as in this case, they obviously don’t think of as user inputs. It happens when content is injected into a page, which results in the loading of arbitrary JavaScript onto that page.
As such, I own your interaction with those sites. If I was malicious I could be harvesting your cookies from them, redirecting you to phishing sites, recording everything you type, or just snooping on everything you view. As an example of why someone might want to do this… in the case of these particular sites, stealing your cookies (document.cookie
) would let me post comments as you. I could thus spam those sites using legitimate accounts that I don’t have to go through the hassle of creating myself.
I’m not doing this, because that wouldn’t be nice. All I’m doing is reversing links and spinning images, because I think that’s cute.
In this case, all these sites have screwed up by including a little bit of HTML from an ad network (EyeWonder) on their site. This HTML accepts an arbitrary URL as a parameter, and loads it in a <script>
tag. This is quite a common way for ad networks to ruin your day, often in the name of “frame busting”.
If you’re wondering who might be vulnerable to this exact hole from this exact ad network, Google can help you with that. Hint: it’s a lot of sites. I just grabbed the first three big names to demonstrate with.
Here’s the offending HTML:
<script language="JavaScript"> | |
var cnnDocDomain = ''; | |
if(location.hostname.indexOf('cnn.com')>0) {cnnDocDomain='cnn.com';} | |
if(location.hostname.indexOf('turner.com')>0) {if(document.layers){cnnDocDomain='turner.com:'+location.port;}else{cnnDocDomain='turner.com';}} | |
if(cnnDocDomain) {document.domain = cnnDocDomain;} | |
var query = window.location.search; | |
var adUrl = query.substring(5, query.length); | |
var clickthru; | |
var failclickthru; | |
document.write('<s'+'cript language="JavaScript" src="'); | |
document.write(adUrl+'"></s'+'cript>'); | |
</script> |
This would actually be pretty easy to fix, note. A little bit of checking of the input, to restrict it to scripts hosted only on known-trusted domains would be enough to make exploiting it almost impossible. (I say “almost” because someone sufficiently resourceful might find one of these “trusted” domains isn’t as secure as they hoped and slip a script onto it. But it at least raises the bar.)
If you’re curious what I’m doing to make these pages spin, check out this gist which includes the spinner script. Essentially it’s just making an iframe which shows the root of the domain, and then manipulates the contents of that iframe, which it’s allowed to do because the script is running on the same domain.
In short: never trust user input. Also, don’t trust your ad networks to know/care about security.
This post brought to you by my coworker Paul Banks pointing out the existence of this fun little hole on CNN. I then added the spinning myself, because it looks nice and spectacular.
This is a very widespread problem. I used to work for a big site that often got requests from our various ad providers to host these frame buster files. Literally about half of them contained XSS vulnerabilities.
At deviantART we see it a lot as well. Not just from the smaller networks, either. It’s pretty worrying.
It’s not hard to find this exploit on banking, trading, financial management websites, gov sites, etc.
It makes me sick and it’s only a matter of time before someone does something about it one way or another.
http://animals.nationalgeograp…
http://news.cnet.com/eyewonder…
You mean to say they let some third party put the code in interim.html in their page?
Ad networks often hand a file to you and say “we need this hosted somewhere on your domain or we can’t serve ads properly”. It can come down to a matter of whether you want to get money from them or not.
rofl
The crazy thing is that they haven’t fixed it yet…
For what its worth, it has been fixed for a while now… it’s just that a lot of websites still have the older version. The new version includes in the file http://cdn.eyewonder.com/10012… — which only works for valid usecases now. I actually believe EyeWonder does release the new file to sites that request it.
I’m surprised that they didn’t go out and ask sites to update it without waiting for a request, given the lurking PR-issue nature of it.
Just wondering, how is this frame busting code? Fortunately news site probably aren’t incredibly high value targets, when a user’s session isn’t tied to much valuable information…those there’s certainly exceptions.
Iframe busting, to be exact.
The common usage is to serve your ads inside iframes, which compartmentalizes them away from the rest of your content. Then when an advertiser wants an ad which isn’t possible in a cross domain iframe, like an expanding ad which slides out when you mouse over it, the ad network makes the iframe actually point to their script you’ve installed on your server.
This script gets to skip the cross-domain security policy and gains access to the DOM of the parent page to be able to create the expanded content.
lol, I left this company after writing PoC for this internally about 4 years ago; they did nothing to notify clients. They were bought out recently, so not really their problem any more.
David,Thanks
for bringing to our attention your find with the XSS vulnerabilities.
While this appears to be an issue across the industry, a fix has been
issued to publishers for our file. Feel free to check out the solution.
Any publisher with an open question can reach us at support@eyewonder:twitter .com
XSS is fun for people who know it but not for me who are really find it difficult every time i confront it. Thanks for the post, it will i think very helpful for me.
Seems like someone has done it again.
New Zealand Herald falls victim to XSS prank http://www.cio.com.au/article/…
It was amusing to see happen again.