Scott at OpenAds describes how a lapsed ad server domain registration led to security problems for an unrelated site that was running its ads. The site called the ad server, expecting an ad, and got back JavaScript that redirected the browser to some porn. Nasty but – since this was just one specific OpenAds installation – relatively local.
It’s unlikely that any ad network with broad reach is going to let its domain name expire. But this really makes me wonder, given the sheer reach of some popular ad serving software, why their domain names aren’t subject to more DNS spoofing attacks. Could you imagine the impact of a JavaScript keystroke logger, returned silently along with a real-looking advertisement or PSA?
Yet another reason why you probably shouldn’t be making ad calls to third parties on any page where sensitive information is entered from the browser. But who am I kidding? It’s hard enough to stop sites from mailing around passwords in plain text.
Greg -
Thanks for the comments. One reason that I brought this up is that it is not just an ad serving problem. Any domain which hosts JavaScript is at issue, and thus the industry needs to be aware of the potential security problems associated with 3rd party code.
The industry is moving in this direction – I am trying to make sure that we build in the appropriate security measures (both social and technical). We host a huge number of 3rd party scripts via our downloadable version of Openads, and have the responsibility to notify our users of the potential risks, and implement technical solutions if possible.
Any additional feedback would be very much appreciated – the original story is at http://blog.openads.org.
Cheers,
Scott Switzer
Openads Community Leader
Yes, it’s not just an ad serving problem — ad serving’s just one of the systems with the broadest reach and therefore the most attractive target.
My personal opinion – not speaking on behalf of anyone else here – is that JS from all but the absolutely most-trusted party belongs in an IFRAME, not directly injected into your page’s DOM. This wouldn’t have stopped an attacker from serving an obscene image, but I believe it would’ve stopped the redirect.
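
An added example, not from the original post or its comments, that audits a page for the two concerns raised here: third-party script calls on pages that take sensitive input, and direct script inclusion versus framing. It assumes the HTML5 iframe `sandbox` attribute (a step beyond the plain IFRAME mentioned above, since a sandbox without `allow-top-navigation` is what blocks a framed script from redirecting the top window); `auditPage`, the hostnames and the sample markup are constructed for illustration.

```javascript
// Static audit of how a page pulls in third-party code (added example).
// Regex parsing is adequate for the constructed sample; use a real HTML parser in production.
const attr = (tag, name) => {
  const m = new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(tag);
  return m ? m[1] : null;
};

// Returns the hostname if `url` resolves to a host other than the page's own, else null.
function thirdPartyHost(url, pageUrl) {
  if (!url) return null;
  try {
    const host = new URL(url, pageUrl).hostname;
    return host === new URL(pageUrl).hostname ? null : host;
  } catch { return null; }
}

function auditPage(html, pageUrl) {
  // A password field marks the page as one where sensitive input is entered.
  const sensitive = /<input\b[^>]*\stype\s*=\s*["']password["']/i.test(html);
  const findings = [];
  for (const [tag] of html.matchAll(/<(script|iframe)\b[^>]*>/gi)) {
    const host = thirdPartyHost(attr(tag, "src"), pageUrl);
    if (!host) continue;
    if (/^<script/i.test(tag)) {
      // Script runs in the page's own DOM: it can read form fields and navigate the page.
      findings.push({ issue: "direct-script", host, severity: sensitive ? "high" : "medium" });
      continue;
    }
    const sandbox = attr(tag, "sandbox");
    const bare = /\ssandbox(\s|>)/i.test(tag); // valueless sandbox = most restrictive
    if (sandbox === null && !bare) {
      findings.push({ issue: "iframe-unsandboxed", host, severity: "medium" });
    } else if ((sandbox || "").split(/\s+/).includes("allow-top-navigation")) {
      findings.push({ issue: "iframe-can-redirect-top", host, severity: "medium" });
    }
  }
  return { sensitive, findings };
}

// Constructed sample page: a login form plus four ways of loading ad content.
const SAMPLE = `
<form><input type="password" name="pw"></form>
<script src="/static/app.js"></script>
<script src="https://ads.example.net/serve.js"></script>
<iframe src="https://ads.example.net/slot1.html"></iframe>
<iframe sandbox="allow-scripts" src="https://ads.example.net/slot2.html"></iframe>
<iframe sandbox="allow-scripts allow-top-navigation" src="https://ads.example.net/slot3.html"></iframe>`;

console.log(auditPage(SAMPLE, "https://shop.example/login"));
```

Only the `slot2` frame passes: it is framed, sandboxed, and not granted top-level navigation.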