Expandable ads can be entry points for site hacks

Researcher finds XSS vulnerabilities in iframe busters, scripts that power expandable ads that grow and cover a large area of the page.
Written by Catalin Cimpanu, Contributor

Ads that expand on a web page to show a larger banner or video containers can be abused as entry points for other hacks, according to new research published this week by Randy Westergren, a Delaware-based security researcher.

The researcher says he identified several vulnerabilities in iframe busters --the name given to files that websites host on their server to support "expanded ads."

Also: Russian election hacking hits a bump, but it's still going on CNET

Advertising companies provide these iframe busters to site owners who want to show ads from the ad network's portfolio. These scripts are unique for each ad company, but they work in the same way, by running JavaScript code that bypasses the browser's SOP (Same-Origin Policy) security feature to allow the ad to break out of its fixed container and make changes to the current page and expand its display area.

Also: Nasty piece of CSS code crashes and restarts iPhones

Westergren says that many of these iframe buster scripts are vulnerable to cross-site request (XSS) vulnerabilities that allow an attacker to take advantage of the iframe buster file hosted on a site's server to run malicious JavaScript code on that site.

Randy Westergren

The damage caused by these attacks depends on the attacker's ability to craft the malicious code, but it's generally considered that an attacker who can run JavaScript code on a remote site can technically steal the user's information in regards to that site, if not more.

The researcher says he identified XSS vulnerabilities in most of the iframe buster scripts that, until recently, Google has been providing for download as part of a multi-vendor iFrame Buster kit, offered through the DoubleClick AdExchange documentation site.

Westergren detailed four examples on his blog, showing how an attacker could run malicious code on any site that uses iframe busters from ad networks like Adform, Eyeblaster (Add in Eye), Adtech, and Jivox.

Also: Tech support scammers find a home on Microsoft TechNet pages

The researcher says he notified Google of the issues with the iframe buster scripts part of the company's iFrame Buster kit, and Google engineers removed those scripts within two weeks, back in January this year.

In the meantime, Google has stopped offering the kit for download altogether, but some of these iframe buster scripts are still vulnerable if downloaded from other sources.

Users who want to remain safe are advised to use an ad blocker, as most ad blockers will block intrusive ads that roll out and cover a large area of the page.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Five computer security questions you must be able to answer right now

If you can't answer these basic questions, your security could be at risk.

Critical infrastructure will have to operate if there's malware on it or not

Retired US Air Force cyber-security expert shares his thoughts on the future of critical infrastructure security.

Ordinary Wi-Fi devices can be used to detect suspicious luggage, bombs, weapons

Researchers turn ordinary WiFi devices in rudimentary scanners that can identify potentially dangerous objects hidden inside bags or luggage.

Related stories:

Editorial standards